code review request: 6958026: Problem with PKCS12 keystore

Weijun Wang Weijun.Wang at Sun.COM
Thu Jun 3 03:47:45 UTC 2010 

Hi All

Please review this code change:

    http://cr.openjdk.java.net/~weijun/6958026/webrev.00/

Two parts included:

1. Major one: match private key and cert using both keyId and friendlyName.

2. Minor one: add keyId and friendlyName to private keys created by setKeyEntry(alias, byte[], cert[]). In fact, this method is used by the test to generate a pkcs12 keystore as fast as possible so that keys' creation times overlap (hence having same keyId). On my Linux, using the other setKeyEntry(alias, key, pass, cert[]) method is slow.

I didn't change the current keyId format to force it to be identical, since the "TIME xxx" format is used to derive creation time.

Thanks
Max


Begin forwarded message:

> *Change Request ID*: 6958026
> *Synopsis*: Problem with PKCS12 keystore
> 
> === *Description* ============================================================
> FULL PRODUCT VERSION :
> java version "1.6.0_18"
> Java (TM) SE Runtime Enviroment (build 1.6.0_18-b07)
> 
> ADDITIONAL OS VERSION INFORMATION :
> Microsoft Windows [Verze 6.1.7600]
> 
> A DESCRIPTION OF THE PROBLEM :
> I have this code :
> .....
> KeyStore kspkcs12 = null;
> kspkcs12.load(new FileInputStream(keystorePath), password.toCharArray());
>                KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) kspkcs12.getEntry(alias, new KeyStore.PasswordProtection(password
>                        .toCharArray()));
> X509Certificate cert = (X509Certificate) kspkcs12.getCertificate(alias);
> ......
> 
> I have pfx file with two aliases alias1 and alias2. Alias1 has certificate chain with 2 SHA1 certificates. Alias2 has one SHA2 certificate.
> But when i load that pfx file with code above, in KeyStore there are 2 records (one for each alias) but both records has the same certificate loaded. To all aliases is loaded last added certificate to pfx file.
> Is it bug or feature ?
> 
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> Create pfx file. Insert first certificate with alias. Insert second certificate with another alias.
> Try load in using KeyStore class.
> Check first entry if there is right certificate.
> 
> 
> REPRODUCIBILITY :
> This bug can be reproduced always.
> 
> SUPPORT :
> YES
> 
> *** (#1 of 1): 2010-06-02 23:45:21 GMT+00:00 weijun.wang at sun.com
> 
> === *Evaluation* =============================================================
> Customer provided a pkcs12 file and it contains:
> 
> Private Key #1:
>   localKeyId: 01 00 00 00
>   friendlyName: p1
> Private Key #2:
>   localKeyId: 01 00 00 00
>   friendlyName: p2
> Cert #1:
>   localKeyId: 01 00 00 00
>   friendlyName: p1
> Cert #2:
>   localKeyId: 01 00 00 00
>   friendlyName: p2
> Cert #3:
>   # No recognized attribute
> 
> Currently, JDK uses localKeyId to match private key with its corresponding certificate (and only fallback to friendlyName when localKeyId is missing). Since all localKeyIds have the same value here, it gets confused and always returns the same one for both private keys.
> 
> I'll enhance the PKCS12KeyStore class to match using both localKeyId and friendlyName. However, I do believe the original file is not quite legal. Normally we always regard an attribute called "*Id" to be identical in some scope (here, the file). It seems customer uses a tool that simply glues 2 blocks of info into one without reassigning the id values.
> 
> The dicussion below is interesting:
> http://www.mail-archive.com/openssl-users@openssl.org/msg27030.html
> 
> *** (#1 of 1): 2010-06-02 23:54:14 GMT+00:00 weijun.wang at sun.com

More information about the security-dev mailing list