Stricter Public Key checking corrupts JKS
Sean Mullan
sean.mullan at oracle.com
Mon Jun 12 11:29:15 UTC 2017
Hi Bernd,
This issue should be fixed in 8u131. Can you try that and let us know?
--Sean
On 6/9/17 10:18 PM, Bernd wrote:
> I noticed there is a bug (8177657, etc.) about stricter DER checking on
> JDK Certificate code. I have a JKS keystore which can no longer be
> opened because of that.
>
> I understand that the strict parsing has to stay for public keys,
> however I wonder if anything can be done about loading the other keys
> from the keystore or at least reporting the alias of the unparseable entry.
>
> The problem was introduced with 8u121, 8u112 can open the file and it
> exists in 7u131 as well.
>
> Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
>     at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>     at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
>     at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
>     at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
>     at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:755)
>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>     at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>     at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>     at java.security.KeyStore.load(KeyStore.java:1445)
>     at net.eckenfels.test.certpath.KeystoreImport.main(KeystoreImport.java:29)
> Caused by: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
>     at sun.security.x509.X509Key.parse(X509Key.java:174)
>     at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
>     at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)
>     at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
>     ... 10 more
> Caused by: java.security.InvalidKeyException: java.security.InvalidKeyException: Invalid RSA public key
>     at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
>     at sun.security.x509.X509Key.parse(X509Key.java:170)
>     ... 13 more
> Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA public key
>     at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
>     at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
>     at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
>     ... 14 more
> Caused by: java.security.InvalidKeyException: Invalid RSA public key
>     at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:120)
>     at sun.security.x509.X509Key.decode(X509Key.java:391)
>     at sun.security.x509.X509Key.decode(X509Key.java:403)
>     at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:84)
>     at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
>     at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
>     ... 16 more
> Caused by: java.io.IOException: Invalid encoding: redundant leading 0s
>     at sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:152)
>     at sun.security.util.DerInputStream.getBigInteger(DerInputStream.java:207)
>     at sun.security.rsa.RSAPrivateCrtKeyImpl.getBigInteger(RSAPrivateCrtKeyImpl.java:214)
>     at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:115)
>     ... 21 more
>
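
The quoted request for "reporting the alias of the unparseable entry" can be met outside `KeyStore.load` by walking the JKS container directly. The following is an added example, not JDK code and not from either poster: the class name `JksAliasScan` is hypothetical, and it assumes the JKS version 1/2 on-disk layout (magic, version, entry count, then tagged entries) read by `JavaKeyStore.engineLoad`.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

// Added example (hypothetical class name). Usage: java JksAliasScan keystore.jks
public class JksAliasScan {
    public static void main(String[] args) throws IOException, CertificateException {
        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        try (DataInputStream in = new DataInputStream(
                new BufferedInputStream(new FileInputStream(args[0])))) {
            if (in.readInt() != 0xFEEDFEED) throw new IOException("not a JKS file");
            int version = in.readInt();               // format version 1 or 2
            int entries = in.readInt();
            for (int i = 0; i < entries; i++) {
                int tag = in.readInt();               // 1 = private key entry, 2 = trusted cert
                if (tag != 1 && tag != 2) throw new IOException("unknown entry tag " + tag);
                String alias = in.readUTF();
                in.readLong();                        // creation date, unused here
                int certs = 1;
                if (tag == 1) {
                    in.readFully(new byte[in.readInt()]); // protected key blob, skipped undecoded
                    certs = in.readInt();             // certificate chain length
                }
                for (int c = 0; c < certs; c++) {
                    String type = version == 2 ? in.readUTF() : "X.509";
                    byte[] der = new byte[in.readInt()];
                    in.readFully(der);
                    if (!"X.509".equals(type)) continue;
                    try {
                        x509.generateCertificate(new ByteArrayInputStream(der));
                        System.out.printf("OK    %s [cert %d]%n", alias, c);
                    } catch (CertificateException e) {
                        Throwable root = e;           // innermost cause names the DER defect
                        while (root.getCause() != null) root = root.getCause();
                        System.out.printf("FAIL  %s [cert %d]: %s%n", alias, c, root.getMessage());
                    }
                }
            }
        }   // the trailing keyed SHA-1 integrity digest is not verified by this scan
    }
}
```

No store password is needed because JKS stores certificates unencrypted and only protects private keys. Because the integrity digest is skipped, use the output as a diagnostic on a keystore you already trust.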