JDK-8180819 No installed provider supports this key: sun.security.pkcs.PKCS8Key

Florian Bruckner (3kraft) florian.bruckner at 3kraft.com
Mon Nov 13 19:20:42 UTC 2017


Hi,

I have just stumbled upon a quite strange behavior in an SSL connection with a client certificate. It looks like something introduced between JDK 8u111 and JDK 8u121; JDK9 (all Oracle) and OpenJDK 8u151 are affected as well. There is already a ticket for this (JDK-8180819), but it has been closed due to no response from the original reporter.

This is the exception (with 8u121):

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
     at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)
     at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208)
     at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
     at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
     at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
     at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
     at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
     at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
     at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
     at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
     at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
     at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1113)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
     at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104)
     ... 14 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs.PKCS8Key
     at java.security.Signature$Delegate.chooseProvider(Signature.java:1135)
     at java.security.Signature$Delegate.engineInitSign(Signature.java:1185)
     at java.security.Signature.initSign(Signature.java:550)
     at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1587)
     at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1110)
     ... 27 more


When using PKCS12 instead of JKS for the identity keystore, the trace is different (this trace is from JDK 8u151):

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)
         at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208)
         at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
         at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
         at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
         at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
         at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
         at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
         at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
         at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
         at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
         at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
         at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
         at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
         at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:255)
         at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:405)
         at sun.net.NetworkClient.doConnect(NetworkClient.java:162)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
         at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
         at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1199)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104)
         ... 14 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
         at java.security.Provider$Service.newInstance(Provider.java:1617)
         at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
         at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
         at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
         at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
         at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
         at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:332)
         at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:289)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:94)
         at sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
         at java.net.URL.openConnection(URL.java:1028)
         at com.sun.xml.internal.ws.api.EndpointAddress.openConnection(EndpointAddress.java:217)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.createHttpConnection(HttpClientTransport.java:242)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:101)
         ... 14 more
Caused by: java.security.UnrecoverableKeyException: Get Key failed: java.security.InvalidKeyException: Invalid RSA private key
         at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:435)
         at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
         at java.security.KeyStore.getKey(KeyStore.java:1023)
         at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
         at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
         at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
         at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getKeyManagers(SSLContextImpl.java:873)
         at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(SSLContextImpl.java:758)
         at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:913)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
         at java.security.Provider$Service.newInstance(Provider.java:1595)
         ... 27 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
         at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
         at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:399)
         ... 41 more
Caused by: java.security.InvalidKeyException: Invalid RSA private key
         at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:214)
         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343)
         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)
         at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
         at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
         at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
         ... 43 more
Caused by: java.io.IOException: DerInputStream.getLength(): Redundant length bytes found
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:606)
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:569)
         at sun.security.util.DerInputStream.getPositiveBigInteger(DerInputStream.java:220)
         at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:205)
         ... 49 more

The keystores, as JKS and as PKCS#12, have been verified to work with Java 8u60, so they seem to be fine. Activating unlimited jurisdiction does not solve the problem. Restricting the client to TLSv1 or TLSv1.1 (via jdk.tls.client.protocols) has not changed the behavior. While the client is under my control, the server isn't. There are no client properties for SSL set except truststore and keystore.

I need to discuss with my client whether I can share -Djavax.net.debug=ssl, but before I do this: Is 
this list the right place to work on this and is someone willing to approach this issue?

Regards,

Florian
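The innermost cause in the PKCS#12 trace above, `DerInputStream.getLength(): Redundant length bytes found`, is the JDK's DER parser rejecting a length field that is not in its shortest form (DER requires values below 128 in one byte, and larger values as 0x80|n followed by n bytes with no leading zero). The following is an added example, not code from the post or from the JDK: a small Python checker that walks a DER structure such as the RSAPrivateKey carried inside a PKCS#8 privateKey OCTET STRING, reports the offset of every non-minimal length, and re-emits the structure with minimal lengths. It assumes single-byte tags, and the sample key bytes are constructed for the demonstration.

```python
def read_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, body_offset, error)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte, values 0..127
        return first, pos + 1, None
    n = first & 0x7F
    if n == 0:                            # 0x80 = indefinite length (BER only)
        return None, pos + 1, "indefinite length is not valid DER"
    raw = buf[pos + 1:pos + 1 + n]
    if len(raw) != n:
        return None, pos + 1 + len(raw), "truncated length field"
    length = int.from_bytes(raw, "big")
    if raw[0] == 0x00 or length < 0x80:   # leading zero, or long form for < 128
        return length, pos + 1 + n, "Redundant length bytes found"
    return length, pos + 1 + n, None

def find_redundant_lengths(der: bytes):
    """Walk the TLV tree; return sorted (offset, message) for each bad length."""
    findings, pending = [], [(0, len(der))]
    while pending:
        pos, end = pending.pop()
        while pos < end:
            tag = der[pos]                # assumes single-byte tags
            length, body, err = read_length(der, pos + 1)
            if err is not None:
                findings.append((pos, err))
            if length is None or body + length > end:
                return sorted(findings)   # cannot parse past this element
            if tag & 0x20:                # constructed: descend into children
                pending.append((body, body + length))
            pos = body + length
    return sorted(findings)

def reencode_minimal(der: bytes) -> bytes:
    """Rewrite every length field in shortest form; content bytes stay unchanged."""
    out, pos = b"", 0
    while pos < len(der):
        tag, (length, body, _) = der[pos], read_length(der, pos + 1)
        content = der[body:body + length]
        if tag & 0x20:                    # constructed: fix nested lengths too
            content = reencode_minimal(content)
        n = len(content)
        raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
        out += bytes([tag]) + (raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + content
        pos = body + length
    return out

# Constructed: SEQUENCE { INTEGER 0, INTEGER 65537 } (leading RSAPrivateKey fields); BAD_KEY uses length 81 03
GOOD_KEY = bytes.fromhex("30080201000203010001")
BAD_KEY = bytes.fromhex("3009020100028103010001")
```

Run `find_redundant_lengths` over the DER bytes of a key that 8u121+ rejects to locate the offending field; `reencode_minimal` expects input that at least parses, so check it first.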
