RFR 8139436: sun.security.mscapi.KeyStore might load incomplete data

Mike StJohns mstjohns at comcast.net
Tue Nov 10 22:39:48 UTC 2015


On 11/10/2015 4:12 PM, Langer, Christoph wrote:
>
> Hi folks,
>
> is there any feedback/review for this change?
>

I missed the 4 Nov message when it came past.  No further objections.  
But still unclear if modularization will permit this.

Mike

> Thanks
>
> Christoph
>
> *From:*Langer, Christoph
> *Sent:* Mittwoch, 4. November 2015 12:11
> *To:* 'Michael StJohns' <mstjohns at comcast.net>
> *Cc:* security-dev at openjdk.java.net
> *Subject:* RE: RFR 8139436: sun.security.mscapi.KeyStore might load 
> incomplete data
>
> Hi Mike,
>
> eventually I’ve made a new webrev implementing your suggestion for a 
> simpler patch:
>
> http://cr.openjdk.java.net/~clanger/webrevs/8139436.1/ 
> <http://cr.openjdk.java.net/%7Eclanger/webrevs/8139436.1/>
>
> @All: Is that a valid fix for this issue? Would anyone mind to 
> review/sponsor this?
>
> Thanks
>
> Christoph
>
> *From:*Michael StJohns [mailto:mstjohns at comcast.net]
> *Sent:* Donnerstag, 15. Oktober 2015 02:09
> *To:* Langer, Christoph <christoph.langer at sap.com 
> <mailto:christoph.langer at sap.com>>
> *Cc:* security-dev at openjdk.java.net <mailto:security-dev at openjdk.java.net>
> *Subject:* Re: RFR 8139436: sun.security.mscapi.KeyStore might load 
> incomplete data
>
> Sorry for the top post, I'm wring this on an iPad on a plane.
>
> It's perfectly acceptable for a provider to prefer its version of 
> stuff over even something early in the provider list.   Usually, that 
> has more to do with key material ( for example pkcs11 instantiations), 
> but there's no reason why it shouldn't apply to certificates.
>
> Mike
>
>
> Sent from my iPad
>
>
> On Oct 14, 2015, at 18:35, Langer, Christoph <christoph.langer at sap.com 
> <mailto:christoph.langer at sap.com>> wrote:
>
>     Hi Mike,
>
>     thanks for your comments on this.
>
>     I agree that the change is quite critical and my approach might
>     not be good. However, as for your suggestion to specify the sun
>     provider for the certificate factory, I’d say this is not quite
>     right, too. Because, if you have loaded a different provider on
>     top of the providers list, you’ll intend to use its facilities by
>     default. Maybe the idea would be to use the sun provider as
>     fallback in case of an exception?
>
>     The other suggestion to check for certChain.length in
>     KeyStore.getCertificate and return null would be an improvement
>     compared to throwing an ArrayIndexOutOfBoundsException – however,
>     it would still be difficult to find the root cause why a
>     certificate could not be loaded.
>
>     What do you think?
>
>     @all: Are there other opinions?
>
>     Thanks and best regards
>
>     Christoph
>
>     *From:*security-dev [mailto:security-dev-bounces at openjdk.java.net]
>     *On Behalf Of *Mike StJohns
>     *Sent:* Mittwoch, 14. Oktober 2015 02:17
>     *To:* security-dev at openjdk.java.net
>     <mailto:security-dev at openjdk.java.net>
>     *Subject:* Re: RFR 8139436: sun.security.mscapi.KeyStore might
>     load incomplete data
>
>     Hi -
>
>     I took a look and this probably isn't the correct way to fix this.
>
>     A simpler change might be to specify the sun provider when
>     requesting the certificate factory.    I hesitate to say that
>     definitively as modularization guidance may restrict that approach?
>
>     The belt and suspenders approach is to catch the bad certificate
>     exception and return null.  That appears to be the correct
>     contract for KeyStore.getCertificate(String alias).   (e.g. "if
>     (certChain.length == 0) return null;")
>
>     Mike
>
>
>     On 10/12/2015 5:04 PM, Langer, Christoph wrote:
>
>         Hi,
>
>         please review a change proposal regarding an issue in the
>         Microsoft Security API (mscapi).
>
>         Bug: https://bugs.openjdk.java.net/browse/JDK-8139436
>         <https://bugs.openjdk.java.net/browse/JDK-8139436>
>
>         Webrev: http://cr.openjdk.java.net/~clanger/webrevs/8139436.0/
>         <http://cr.openjdk.java.net/%7Eclanger/webrevs/8139436.0/>
>
>         I stumbled over the issue when using an old IAIK security
>         provider. It would throw
>         java.security.cert.CertificateException upon parsing ECC based
>         certificates when generating Certificate objects. The way it
>         is right now, such exceptions are silently caught and the
>         Windows Keystore is created with incomplete data. Upon
>         accessing such ECC certificates from the Keystore object, e.g.
>         when iterating over it, you’ll get exceptions like:
>
>         Exception in thread "main"
>         java.lang.ArrayIndexOutOfBoundsException: 0
>
>                 at
>         sun.security.mscapi.KeyStore.engineGetCertificate(KeyStore.java:313)
>
>                 at
>         sun.security.mscapi.KeyStore$ROOT.engineGetCertificate(KeyStore.java:60)
>
>                 at
>         java.security.KeyStore.getCertificate(KeyStore.java:1095)
>
>         At that point it is not obvious what the real root cause for
>         that is.
>
>         With my change, loading of the keystore would already throw
>         like this:
>
>         java.io.IOException: java.security.KeyStoreException:
>         Exception occurred generating certificate object for alias
>         DigiCert Assured ID Root G3
>
>                 at
>         sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:780)
>
>                 at
>         sun.security.mscapi.KeyStore$ROOT.engineLoad(KeyStore.java:60)
>
>                 at java.security.KeyStore.load(KeyStore.java:1459)
>
>                 at
>         WindowsCertificateReaderTest.main(WindowsCertificateReaderTest.java:18)
>
>         Caused by: java.security.KeyStoreException: Exception occurred
>         generating certificate object for alias DigiCert Assured ID
>         Root G3
>
>                 at
>         sun.security.mscapi.KeyStore.loadKeysOrCertificateChains(Native Method)
>
>                 at
>         sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:777)
>
>                 ... 3 more
>
>         Caused by: java.security.cert.CertificateException: Error
>         parsing certificates! iaik.asn1.DerInputException: Next ASN.1
>         object is no OBJECT IDENTIFIER!
>
>                 at
>         iaik.x509.CertificateFactory.engineGenerateCertificates(Unknown Source)
>
>                 at
>         java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
>
>                 at
>         sun.security.mscapi.KeyStore.generateCertificate(KeyStore.java:869)
>
>                 ... 5 more
>
>         This is more obvious when it comes to analyzing such an issue.
>
>         Also, I added a property
>         “sun.security.mscapi.ignoreFailingCertificates” which, when
>         set to true, will cause skipping of certificates that failed
>         with Exception. That might be a nice workaround option if one
>         is not particularly interested in a failing certificate.
>
>         You can reproduce all this with the test coding in the OpenJDK
>         Bug, the IAIK provider 3.15 which is downloadable here:
>         http://jcewww.iaik.tu-graz.ac.at/sic/Download
>         (educational/research version, needs registration) and ECC
>         certificates in the Windows Root certificate store.
>
>         Would you think this change is reasonable and worthwile?
>
>         Thanks & Best regards
>
>         Christoph
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20151110/af64fed9/attachment.htm>


More information about the security-dev mailing list