diff --git a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java index ca6246a7c66..f82028becd4 100644 --- a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java +++ b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java @@ -329,13 +329,32 @@ public void execute(IRequest request) // fake key replaced; // need to compute/replace SKI as well if present - Extension ext = CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); + SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); if (ext != null) { logger.debug(method + "found SubjectKey_Id extension"); + KeyIdentifier old_ski = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID); + byte[] old_ski_val = old_ski.getIdentifier(); + int old_ski_len = old_ski_val.length; + + // determine message digest algorithm: + // the "old_ski" was generated based on the profile + // so we could use it's length to determine the size + // of the new hash + String messageDigest = "SHA-1"; // default; len==20 + if (old_ski_len == 32) { + messageDigest = "SHA-256"; + } else if (old_ski_len == 48) { + messageDigest = "SHA-384"; + } else if (old_ski_len == 64) { + messageDigest = "SHA-512"; + } + logger.debug(method + "ServerSideKeygen message digest alg == " + messageDigest); // compute keyId X509Key realkey = (X509Key) certKey.get(CertificateX509Key.KEY); - byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey()); + byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey(), messageDigest); + int new_ski_len = hash.length; + logger.debug(method + "ServerSideKeygen hash len = " + new_ski_len); KeyIdentifier id = new KeyIdentifier(hash); SubjectKeyIdentifierExtension skiExt = new SubjectKeyIdentifierExtension(id.getIdentifier());