<div dir="ltr">Dear OpenJDK team.<br><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br></span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt">I would like to kindly request that Issue ID </span><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt">JDK-8213363 [1]</span><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"> be backported to OpenJDK 11. Please find below additional details regarding this request.</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt">(This issue has already been submitted to Oracle JDK and has been marked as a backport candidate to JDK 11 by “Oracle’s release, development” team ) <br></span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt">Thank you for your time and assistance.</span></p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><br>Best regards, <br></span>Joze Rihtarsic</p><p style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background:transparent;margin-top:0pt;margin-bottom:0pt">[1] <a href="https://bugs.openjdk.org/browse/JDK-8213363">https://bugs.openjdk.org/browse/JDK-8213363</a></span></p><div><br></div><div><div><span 
style="letter-spacing:normal;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:black;font-weight:400">Issue description:<br></span></div><div><span style="letter-spacing:normal;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:black;font-weight:400"><br></span><p style="direction:ltr">Component: Security Libraries<br>
Subcomponent: java.crypto<br>
Operating system: Generic<br>
Release JDK 11.0.22</p>
<p style="direction:ltr">Subject:<br>
X25519, X448 private key PKCS#8 decoding is incorrect for JDK11<br>
<br>
-------------------------------------------------------------------<br>
Description:</p>
<p style="direction:ltr">X509Certificates containing XDH private keys
generated with the Key Tool (JDK17) or other tools cannot be used with
JDK 11. The issue was fixed in<br>
<a href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8213363" id="m_1958175244099557160OWA7c7f6756-419d-338a-f4cc-288970b50f5f" style="margin-top:0px;margin-bottom:0px" target="_blank">https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8213363</a><br>
but it was not back-ported to JDK 11.<br>
Can JDK 11 also be updated with the mentioned fix, so that it can READ correctly PKCS#8-encoded XDH keys?<br>
<br>
-------------------------------------------------------------------<br>
Environment:<br>- the OpenJDK 11 (<a href="https://wiki.openjdk.org/display/JDKUpdates/JDK11u" id="m_1958175244099557160OWA85adfb4a-9ff9-2615-14ee-6a23fa8fb442" target="_blank">https://wiki.openjdk.org/display/JDKUpdates/JDK11u</a>):<span style="letter-spacing:normal;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:black;font-weight:400"><br>
</span>openjdk version "11.0.22" 2024-01-16<br>
OpenJDK Runtime Environment Temurin-11.0.22+7 (build 11.0.22+7)<br>
OpenJDK 64-Bit Server VM Temurin-11.0.22+7 (build 11.0.22+7, mixed mode)<br>
<br>
and the Oracle JDK 11 (<a href="https://www.oracle.com/java/technologies/downloads/#java11" id="m_1958175244099557160OWAf3313eac-f1af-eec2-b50f-37aef89df1d9" target="_blank">https://www.oracle.com/java/technologies/downloads/#java11</a>)<span style="letter-spacing:normal;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:black;font-weight:400"><br>
</span>java version "11.0.22" 2024-01-16 LTS<br>
Java(TM) SE Runtime Environment 18.9 (build 11.0.22+9-LTS-219)<br>
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.22+9-LTS-219, mixed mode)<br>
<br>
-------------------------------------------------------------------</p>
<p style="direction:ltr">Steps to reproduce:<br>
1. Generate keystore with JDK 17 containing X25519 and X448 certificates/keys <br>
<br>
${JDK17_HOME}/bin/keytool -genkeypair -keystore wss-ecdh.p12 -alias issuer-ca -keyalg ED25519 -sigalg ED25519 \<br>
-storepass security -keypass security \<br>
-ext bc:c,ca:true,pathlen:2 \<br>
-dname "CN=issuer-ca,OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \<br>
-validity 3651<br>
<br>
${JDK17_HOME}/bin/keytool -genkeypair -keystore wss-ecdh.p12 -alias x25519 -keyalg X25519 \<br>
-sigalg ED25519 -signer issuer-ca -signerkeypass security \<br>
-storepass security -keypass security \<br>
-dname "CN=x25519, OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \<br>
-validity 3650<br>
<br>
${JDK17_HOME}/bin/keytool -genkeypair -keystore wss-ecdh.p12 -alias x448 -keyalg X448 \<br>
-sigalg ED25519 -signer issuer-ca -signerkeypass security \<br>
-storepass security -keypass security \<br>
-dname "CN=x448, OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \<br>
-validity 3650<br>
<br>
<br>
2. Use generated keystore with Java 11<br>
<br>
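// Imports needed to compile the snippet<br>
import java.nio.file.Files;<br>
import java.nio.file.Path;<br>
import java.security.Key;<br>
import java.security.KeyStore;<br>
<br>
String password = "security";<br>
String alias = "x25519";<br>
// String alias = "x448";<br>
// Load the PKCS#12 keystore generated in step 1<br>
KeyStore keystore = KeyStore.getInstance("PKCS12");<br>
keystore.load(<br>
Files.newInputStream(Path.of("wss-ecdh.p12")),<br>
"security".toCharArray()<br>
);<br>
// On JDK 11 this call throws the exception shown under "Actual Result"<br>
Key key = keystore.getKey(alias, password.toCharArray());<br>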
<br>
<br>
</p>
<p style="direction:ltr">------------------------------------------------------------------</p>
<p style="direction:ltr">Expected results :</p>
<p style="direction:ltr"><br>
The key is successfully retrieved from the truststore<br>
------------------------------------------------------------------<br>
<br>
Actual Result<br>
<br>
The exception is thrown:<br>
<br>
java.security.UnrecoverableKeyException: Get Key failed: java.security.InvalidKeyException: key length must be 32<br>
<br>
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:421)<br>
at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)<br>
at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)<br>
at org.apache.wss4j.dom.message.EncryptionTest.testCerts(EncryptionTest.java:340)<br>
at java.base/java.lang.reflect.Method.invoke(Method.java:566)<br>
at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)<br>
at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)<br>
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: key length must be 32<br>
at jdk.crypto.ec/sun.security.ec.XDHKeyFactory.engineGeneratePrivate(XDHKeyFactory.java:136)<br>
at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390)<br>
at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:381)<br>
at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:251)<br>
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:356)<br>
... 6 more<br>
Caused by: java.security.InvalidKeyException: key length must be 32<br>
at jdk.crypto.ec/sun.security.ec.XDHPrivateKeyImpl.checkLength(XDHPrivateKeyImpl.java:71)<br>
at jdk.crypto.ec/sun.security.ec.XDHPrivateKeyImpl.&lt;init&gt;(XDHPrivateKeyImpl.java:64)<br>
at jdk.crypto.ec/sun.security.ec.XDHKeyFactory.generatePrivateImpl(XDHKeyFactory.java:169)<br>
at jdk.crypto.ec/sun.security.ec.XDHKeyFactory.engineGeneratePrivate(XDHKeyFactory.java:134)</p>
</div></div></div>
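<p>Added example (not part of the original message and not JDK source code): RFC 8410 places the raw X25519 key in an inner OCTET STRING inside the PKCS#8 privateKey OCTET STRING, so a decoder that takes the outer contents as the key sees 34 bytes instead of 32. Reading the "key length must be 32" error above as this case is an assumption, and the class name <code>XdhPkcs8Check</code> and the sample key are constructed for illustration.</p>

```java
import java.security.KeyFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;

// Added example: reports which PKCS#8 layout for X25519 the running JDK accepts.
public class XdhPkcs8Check {
    // PrivateKeyInfo fields before privateKey, without the outer SEQUENCE header.
    static final byte[] VERSION_AND_ALG = {
        0x02, 0x01, 0x00,                         // version 0
        0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e  // AlgorithmIdentifier { 1.3.101.110 = id-X25519 }
    };

    // Build a PKCS#8 structure around a raw 32-byte key.
    // wrapped=true : privateKey = OCTET STRING { OCTET STRING { key } }  (RFC 8410)
    // wrapped=false: privateKey = OCTET STRING { key }                   (no inner wrap)
    static byte[] encode(byte[] rawKey, boolean wrapped) {
        byte[] inner = wrapped ? concat(new byte[] {0x04, (byte) rawKey.length}, rawKey) : rawKey;
        byte[] body = concat(VERSION_AND_ALG, concat(new byte[] {0x04, (byte) inner.length}, inner));
        return concat(new byte[] {0x30, (byte) body.length}, body); // short-form DER lengths only
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    // Returns "accepted" or the exception message from the X25519 KeyFactory.
    static String tryDecode(byte[] pkcs8) {
        try {
            KeyFactory.getInstance("X25519").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
            return "accepted";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        byte[] rawKey = new byte[32];      // constructed sample key, not a real secret
        Arrays.fill(rawKey, (byte) 0x42);
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("RFC 8410 wrapped : " + tryDecode(encode(rawKey, true)));
        System.out.println("no inner wrap    : " + tryDecode(encode(rawKey, false)));
    }
}
```

<p>Run it with <code>java XdhPkcs8Check.java</code> on each JDK being compared to see which layout that runtime's decoder accepts.</p>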