Alias internal format leaked to application code?

Simone Bordet simone.bordet at gmail.com
Mon Jun 1 09:13:55 UTC 2020


Hi,

when using "PKIX" as KeyManagerFactoryAlgorithm, the alias is
manipulated from what's in the keystore (for example, "jetty") to an
internal format such as "N.0.jetty", where N is an increasing number
(in sun.security.ssl.X509KeyManagerImpl.makeAlias()).

The problem is that (especially in case of SNI) the KeyManager could
be wrapped by a user-written KeyManager that may delegate to the JDK
one.

When the user-written KeyManager delegates to the JDK instance by
calling keyManager.getServerAliases(keyType, issuers), an array of
aliases is returned, but the aliases are of the internal format
described above.

This makes the user-written code fail any logic that is based on the
aliases, as comparing these internal formats with the ones present in
the KeyStore will fail.

Can you please clarify if this is expected behavior and whether
user-written code should "unwrap" this internal alias format (is it
defined somewhere?), or if this internal format is wrongly leaked to
user-written code?

Thanks!

-- 
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
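
One way a wrapping KeyManager can relate the aliases returned by the JDK key manager back to KeyStore aliases without parsing the alias string, by comparing certificates instead. This is an added example, not part of the original message and not JDK code. The class name `AliasMapping`, the helper `toKeyStoreAlias` and the command-line arguments are hypothetical, and it assumes the delegate accepts the aliases it returned itself in `getCertificateChain()`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class AliasMapping {
    // Hypothetical helper: resolve an alias returned by the delegate key manager
    // to the KeyStore alias by matching the leaf certificate, not the string.
    static String toKeyStoreAlias(X509KeyManager delegate, KeyStore keyStore, String returned)
            throws KeyStoreException {
        X509Certificate[] chain = delegate.getCertificateChain(returned);
        if (chain == null || chain.length == 0) {
            return null; // the delegate does not know this alias
        }
        // First entry whose certificate matches; ambiguous if the same
        // certificate is stored under more than one alias.
        return keyStore.getCertificateAlias(chain[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PKCS12 keystore path, args[1] = its password.
        char[] password = args[1].toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(keyStore, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x509 = (X509KeyManager) km;
            for (String keyType : new String[] {"RSA", "EC"}) {
                String[] aliases = x509.getServerAliases(keyType, null);
                if (aliases == null) continue; // no matching key of this type
                for (String a : aliases) {
                    // Prints the returned alias next to the KeyStore alias it maps to.
                    System.out.println(keyType + ": " + a + " -> " + toKeyStoreAlias(x509, keyStore, a));
                }
            }
        }
    }
}
```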


