Stricter Public Key checking corrupts JKS

Bernd ecki at zusammenkunft.net
Sat Jun 10 02:18:59 UTC 2017


I noticed there is a bug (8177657, etc.) about stricter DER checking in the JDK
certificate code. I have a JKS keystore which can no longer be opened
because of that.

I understand that the strict parsing has to stay for public keys, however I
wonder if anything can be done about loading the other keys from the
keystore or at least reporting the alias of the unparseable entry.

The problem was introduced with 8u121; 8u112 can open the file, and it
exists in 7u131 as well.

Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:755)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at net.eckenfels.test.certpath.KeystoreImport.main(KeystoreImport.java:29)
Caused by: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
    at sun.security.x509.X509Key.parse(X509Key.java:174)
    at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
    at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
    ... 10 more
Caused by: java.security.InvalidKeyException: java.security.InvalidKeyException: Invalid RSA public key
    at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
    at sun.security.x509.X509Key.parse(X509Key.java:170)
    ... 13 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA public key
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
    at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
    at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
    ... 14 more
Caused by: java.security.InvalidKeyException: Invalid RSA public key
    at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:120)
    at sun.security.x509.X509Key.decode(X509Key.java:391)
    at sun.security.x509.X509Key.decode(X509Key.java:403)
    at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:84)
    at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
    ... 16 more
Caused by: java.io.IOException: Invalid encoding: redundant leading 0s
    at sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:152)
    at sun.security.util.DerInputStream.getBigInteger(DerInputStream.java:207)
    at sun.security.rsa.RSAPrivateCrtKeyImpl.getBigInteger(RSAPrivateCrtKeyImpl.java:214)
    at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:115)
    ... 21 more
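
One way to get the alias of the unparseable entry that the message above asks for, as an added example that is not part of the original post and not JDK code: it walks the JKS container itself and parses each certificate separately, so one rejected certificate does not abort the whole load. The class name `JksEntryScan`, the helper names and the sample alias are assumptions made for this sketch.

```java
import java.io.*;
import java.security.cert.CertificateFactory;
import java.util.*;

public class JksEntryScan {
    // Read one length-prefixed block, refusing implausible lengths from a damaged file.
    static byte[] block(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > (1 << 24)) throw new IOException("implausible length " + len);
        byte[] b = new byte[len];
        in.readFully(b);
        return b;
    }
    // List every certificate the running JDK rejects, by alias. No password is needed
    // because the trailing integrity digest is NOT verified: diagnostic use only.
    static List<String> scan(InputStream raw) throws Exception {
        DataInputStream in = new DataInputStream(new BufferedInputStream(raw));
        if (in.readInt() != 0xFEEDFEED) throw new IOException("not a JKS file");
        int version = in.readInt();
        if (version != 1 && version != 2) throw new IOException("unknown JKS version " + version);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> bad = new ArrayList<>();
        for (int n = in.readInt(); n > 0; n--) {
            int tag = in.readInt();              // 1 = private key entry, 2 = trusted certificate
            if (tag != 1 && tag != 2) throw new IOException("unrecognized entry tag " + tag);
            String alias = in.readUTF();
            in.readLong();                       // creation date, unused
            int certs = 1;
            if (tag == 1) { block(in); certs = in.readInt(); }  // skip protected key, read chain length
            for (int i = 0; i < certs; i++) {
                if (version == 2) in.readUTF();  // certificate type, e.g. "X.509"
                byte[] der = block(in);
                try { cf.generateCertificate(new ByteArrayInputStream(der)); }
                catch (Exception e) { bad.add(alias + " [cert " + i + "]: " + e.getMessage()); }
            }
        }
        return bad;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: version-2 JKS, one trusted-cert entry holding invalid DER.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(0xFEEDFEED); out.writeInt(2); out.writeInt(1);   // magic, version, entry count
        out.writeInt(2); out.writeUTF("constructed-alias"); out.writeLong(0L);
        out.writeUTF("X.509"); out.writeInt(3); out.write(new byte[] {0x30, 0x01, 0x00});
        out.write(new byte[20]);                 // placeholder where the integrity digest sits
        InputStream src = args.length > 0 ? new FileInputStream(args[0]) : new ByteArrayInputStream(buf.toByteArray());
        try (InputStream s = src) { scan(s).forEach(System.out::println); }
    }
}
```

Running it against the same keystore under an older and a newer JDK shows which aliases only the stricter parser rejects.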