Stricter Public Key checking corrupts JKS

Bernd ecki at zusammenkunft.net
Wed Jun 14 16:38:23 UTC 2017


Hello Sean,

I have now tried 1.8.0_152ea b04 (May 2017), and keytool now works again
to open the JKS with this broken certificate. It is also possible to
use CertificateFactory.getInstance("X.509").generateCertificate(in) with
the questionable certs.

This is great! From the look of JDK-8175251 it seems it will also show up
in the next CPU.

The same bug also claims it's fixed in 131; however, it talks about b33, where
the public version is b11. So maybe that's the reason for 131 still being
affected?

I suspect the broken certificates will not be usable in a certificate
chain; I will test that later on.

Regards
Bernd


2017-06-12 13:29 GMT+02:00 Sean Mullan <sean.mullan at oracle.com>:

> Hi Bernd,
>
> This issue should be fixed in 8u131. Can you try that and let us know?
>
> --Sean
>
>
> On 6/9/17 10:18 PM, Bernd wrote:
>
>> I noticed there is a bug (8177657, etc.) about stricter DER checking in the JDK
>> certificate code. I have a JKS keystore which can no longer be opened
>> because of that.
>>
>> I understand that the strict parsing has to stay for public keys, however
>> I wonder if anything can be done about loading the other keys from the
>> keystore or at least reporting the alias of the unparseable entry.
>>
>> The problem was introduced with 8u121; 8u112 can open the file, and it
>> exists in 7u131 as well.
>>
>> Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
>>      at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>>      at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
>>      at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
>>      at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
>>      at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
>>      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:755)
>>      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>>      at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>>      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>>      at java.security.KeyStore.load(KeyStore.java:1445)
>>      at net.eckenfels.test.certpath.KeystoreImport.main(KeystoreImport.java:29)
>> Caused by: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
>>      at sun.security.x509.X509Key.parse(X509Key.java:174)
>>      at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
>>      at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)
>>      at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
>>      ... 10 more
>> Caused by: java.security.InvalidKeyException: java.security.InvalidKeyException: Invalid RSA public key
>>      at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
>>      at sun.security.x509.X509Key.parse(X509Key.java:170)
>>      ... 13 more
>> Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA public key
>>      at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
>>      at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
>>      at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
>>      ... 14 more
>> Caused by: java.security.InvalidKeyException: Invalid RSA public key
>>      at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:120)
>>      at sun.security.x509.X509Key.decode(X509Key.java:391)
>>      at sun.security.x509.X509Key.decode(X509Key.java:403)
>>      at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:84)
>>      at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
>>      at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
>>      ... 16 more
>> Caused by: java.io.IOException: Invalid encoding: redundant leading 0s
>>      at sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:152)
>>      at sun.security.util.DerInputStream.getBigInteger(DerInputStream.java:207)
>>      at sun.security.rsa.RSAPrivateCrtKeyImpl.getBigInteger(RSAPrivateCrtKeyImpl.java:214)
>>      at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:115)
>>      ... 21 more
>>
>>
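A way to locate the offending encoding before an upgrade, as an added example that is not part of this mail, of the JDK, or of any keytool output: a small Python DER walker that reports every INTEGER carrying a redundant leading byte, which is the condition the stack trace above fails on with "redundant leading 0s". The SubjectPublicKeyInfo it checks is constructed inline from made-up numbers (the modulus is not a real key), and the function names and the "/index:tag" path format are the example's own conventions, not anything from the JDK.

```python
# Added example, not code from the OpenJDK project or from the mail above.
# Finds INTEGERs with non-minimal DER encoding (the "redundant leading 0s"
# that JDK 8u121+ rejects) anywhere in a DER blob such as a certificate's
# SubjectPublicKeyInfo. Multi-byte tags (tag number >= 31) are not handled;
# X.509 certificates do not use them.

# ---- minimal DER encoder, used only to build the constructed sample input ----

def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value, redundant_zeros=0):
    """Encode a non-negative INTEGER. redundant_zeros > 0 deliberately
    produces the non-minimal encoding the JDK now rejects."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # minimal, sign bit clear
    return der_tlv(0x02, b"\x00" * redundant_zeros + body)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def build_rsa_spki(n, e, redundant_zeros=0):
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    rsa_public_key = der_tlv(0x30, der_integer(n, redundant_zeros) + der_integer(e))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key))

# ---- the checker ----

def _read_length(buf, pos):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length at offset %d" % (pos - 1))
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count

def integer_is_minimal(content):
    """DER rule: the first nine bits of an INTEGER may not all be equal."""
    if not content:
        return False
    if len(content) == 1:
        return True
    if content[0] == 0x00 and not content[1] & 0x80:
        return False            # redundant leading 0x00 on a positive value
    if content[0] == 0xFF and content[1] & 0x80:
        return False            # redundant leading 0xFF on a negative value
    return True

def find_nonminimal_integers(der, path="", found=None):
    """Walk a DER blob and return the paths of all non-minimal INTEGERs.
    Recurses into constructed types and into a BIT STRING whose payload
    starts with a SEQUENCE (the RSAPublicKey inside a SubjectPublicKeyInfo)."""
    found = [] if found is None else found
    pos, index = 0, 0
    while pos < len(der):
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        content = der[pos:pos + length]
        if len(content) != length:
            raise ValueError("truncated DER element at offset %d" % pos)
        here = "%s/%d:%#04x" % (path, index, tag)
        if tag == 0x02 and not integer_is_minimal(content):
            found.append(here)
        if tag & 0x20:                                   # constructed: recurse
            find_nonminimal_integers(content, here, found)
        elif tag == 0x03 and len(content) > 1 and content[0] == 0 and content[1] == 0x30:
            find_nonminimal_integers(content[1:], here + "/bits", found)
        pos += length
        index += 1
    return found

# Constructed sample: a 1024-bit odd modulus and e = 65537. The numbers are
# made up for the example and are not a real key pair.
SAMPLE_N = (1 << 1023) | 0x1234567
SAMPLE_E = 65537
GOOD_SPKI = build_rsa_spki(SAMPLE_N, SAMPLE_E)
BAD_SPKI = build_rsa_spki(SAMPLE_N, SAMPLE_E, redundant_zeros=1)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SPKI), ("bad", BAD_SPKI)):
        print(name, find_nonminimal_integers(blob) or "all INTEGERs minimal")
```

Run find_nonminimal_integers over the DER bytes of each certificate in the keystore (for instance exported one alias at a time and base64-decoded) to get the per-entry information the JKS loader does not report; a non-empty list points at the exact element. Re-encoding the INTEGER minimally changes the signed TBSCertificate bytes and so invalidates the certificate's signature, which is why the practical fix is to re-issue the certificate rather than patch the bytes.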