diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
index f77ef239a62..8f60adaa428 100644
--- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -388,9 +388,9 @@ public SingleResponse processRequest(Request req) throws Exception {
 Enumeration caCerts = mCRLs.keys();
+MessageDigest md = MessageDigest.getInstance(cid.getDigestName());
 while (caCerts.hasMoreElements()) {
 X509CertImpl caCert = caCerts.nextElement();
-MessageDigest md = MessageDigest.getInstance(cid.getDigestName());
 logger.debug("LDAPStore: processRequest: cert digest name=" + cid.getDigestName());
 X509Key key = (X509Key) caCert.getPublicKey();
@@ -400,18 +400,20 @@ public SingleResponse processRequest(Request req) throws Exception {
 throw new Exception("Missing issuer key");
 }
-byte digest[] = md.digest(key.getKey());
-byte keyhsh[] = cid.getIssuerKeyHash().toByteArray();
+byte[] digest = md.digest(key.getKey());
+byte[] keyhsh = cid.getIssuerKeyHash().toByteArray();
-if (!Arrays.equals(digest, keyhsh)) {
-logger.debug("LDAPStore: processRequest: CA key digest and cert issuer key hash do not match; continue to look at next CA in mCRLs...");
-continue;
-}
-theCert = caCert;
-incReqCount(caCert.getSubjectDN().toString());
-theCRL = mCRLs.get(caCert);
-break;
+byte[] name = md.digest(caCert.getSubjectObj().getX500Name().getEncoded());
+byte[] namehash = cid.getIssuerNameHash().toByteArray();
+
+if (Arrays.equals(digest, keyhsh) && Arrays.equals(name, namehash)) {
+theCert = caCert;
+incReqCount(caCert.getSubjectX500Principal().getName());
+theCRL = mCRLs.get(caCert);
+break;
+}
+logger.debug("LDAPStore: processRequest: CA key digest and cert issuer key hash do not match; continue to look at next CA in mCRLs...");
 }
 if (theCert == null) {
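Review bot: The line `logger.debug("LDAPStore: processRequest: cert digest name=" + cid.getDigestName());` still executes on every iteration of the `while` loop even though its value became loop-invariant once `md` was hoisted above the loop; move it next to the new `MessageDigest.getInstance(cid.getDigestName())` call so the digest name is logged once per request. Hoisting also means a digest name the provider does not support now fails with `NoSuchAlgorithmException` before the loop, even when `mCRLs` is empty, where previously the loop body simply never ran; that seems acceptable since no CA could have matched anyway, but it is a small behavior change worth confirming. `Enumeration caCerts` reads as a raw type here yet `caCerts.nextElement()` is assigned to `X509CertImpl` without a cast, so the type parameter was probably lost in rendering rather than absent in the file. processRequest starts and continues outside this hunk.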
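Review bot: The debug message kept at the end of the loop body still reads `CA key digest and cert issuer key hash do not match`, but after this change it also fires when the key hash matches and only the issuer name hash differs, which will mislead anyone diagnosing a CertID mismatch; suggest `logger.debug("LDAPStore: processRequest: CA key hash or name hash does not match request CertID; continue to look at next CA in mCRLs...");` or log which of the two comparisons failed. Switching the counter key from `caCert.getSubjectDN().toString()` to `caCert.getSubjectX500Principal().getName()` changes the string format passed to `incReqCount` (RFC 2253 form), so anything that reads those per-CA counters by name may see a new key; if intended, the commit message should say so. Comparing both issuerKeyHash and issuerNameHash is the right selection rule for a CertID, and the name digest being computed even when the key hash already failed is harmless here. processRequest continues outside this hunk.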