Alias internal format leaked to application code?
Xuelei Fan
Xuelei.Fan at Oracle.Com
Mon Jun 1 15:22:52 UTC 2020
Good catch, Simone. It is not expected to parse the alias in application code. Would you like to file a bug?
Thanks,
Xuelei
> On Jun 1, 2020, at 2:13 AM, Simone Bordet <simone.bordet at gmail.com> wrote:
>
> Hi,
>
> when using "PKIX" as KeyManagerFactoryAlgorithm, the alias is
> manipulated from what's in the keystore (for example, "jetty") to an
> internal format such as "N.0.jetty", where N is an increasing number
> (in sun.security.ssl.X509KeyManagerImpl.makeAlias()).
>
> The problem is that (especially in case of SNI) the KeyManager could
> be wrapped by a user-written KeyManager that may delegate to the JDK
> one.
>
> When the user-written KeyManager delegates to the JDK instance by
> calling keyManager.getServerAliases(keyType, issuers), an array of
> aliases is returned, but the aliases are of the internal format
> described above.
>
> This makes the user-written code fail any logic that is based on the
> aliases, as comparing these internal formats with the ones present in
> the KeyStore will fail.
>
> Can you please clarify if this is expected behavior and whether
> user-written code should "unwrap" this internal alias format (is it
> defined somewhere?), or if this internal format is wrongly leaked to
> user-written code?
>
> Thanks!
>
> --
> Simone Bordet
> ---
> Finally, no matter how good the architecture and design are,
> to deliver bug-free software with optimal performance and reliability,
> the implementation technique must be flawless. Victoria Livschitz
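The wrapping scenario described in the quoted message, as an added example that is not code from the JDK, Jetty or either poster: a user-written X509ExtendedKeyManager that delegates to the JDK "PKIX" KeyManager, selects the server certificate by SNI host name, and compares the delegate's aliases on the KeyStore alias while still handing the delegate's own alias back unchanged. The only thing assumed about the internal format is what the message states, that an alias such as "jetty" comes back as "N.0.jetty" (two dot-separated numeric fields in front of the KeyStore alias); the helper `toKeyStoreAlias`, the class name `SniKeyManager` and the `hostToKeyStoreAlias` map are this example's own, not JDK API.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509ExtendedKeyManager;

/*
 * Added example, not JDK or Jetty code. A user-written KeyManager that
 * delegates to the JDK "PKIX" X509ExtendedKeyManager and picks the server
 * certificate by SNI host name.
 *
 * Assumption (taken from the description in the thread, not from any JDK
 * contract): the delegate returns aliases of the form "N.0.jetty", i.e. the
 * KeyStore alias preceded by two dot-separated numeric fields. Aliases in
 * that form must be returned to the delegate unchanged, because its
 * getPrivateKey() and getCertificateChain() are called with whatever alias
 * the chooser returned.
 */
public final class SniKeyManager extends X509ExtendedKeyManager {

    private final X509ExtendedKeyManager delegate;
    /** SNI host name (lower case) -> KeyStore alias, supplied by the application. */
    private final Map<String, String> hostToKeyStoreAlias;

    public SniKeyManager(X509ExtendedKeyManager delegate, Map<String, String> hostToKeyStoreAlias) {
        this.delegate = delegate;
        this.hostToKeyStoreAlias = hostToKeyStoreAlias;
    }

    /**
     * Recover the KeyStore alias from an alias in the assumed internal format.
     * Only strips when both leading fields are purely numeric, so a genuine
     * KeyStore alias that itself contains dots (e.g. "www.example.com") is left alone.
     */
    static String toKeyStoreAlias(String alias) {
        int first = alias.indexOf('.');
        int second = first < 0 ? -1 : alias.indexOf('.', first + 1);
        if (second < 0) {
            return alias;
        }
        String f1 = alias.substring(0, first);
        String f2 = alias.substring(first + 1, second);
        boolean numeric = !f1.isEmpty() && !f2.isEmpty()
                && f1.chars().allMatch(Character::isDigit)
                && f2.chars().allMatch(Character::isDigit);
        return numeric ? alias.substring(second + 1) : alias;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        String wanted = requestedKeyStoreAlias(engine.getHandshakeSession());
        String[] candidates = delegate.getServerAliases(keyType, issuers);
        if (wanted != null && candidates != null) {
            for (String internal : candidates) {
                // Compare on the KeyStore alias, but return the delegate's own alias.
                if (wanted.equals(toKeyStoreAlias(internal))) {
                    return internal;
                }
            }
        }
        return delegate.chooseEngineServerAlias(keyType, issuers, engine);
    }

    /** Map the SNI host_name sent by the client to the configured KeyStore alias, or null. */
    private String requestedKeyStoreAlias(SSLSession handshakeSession) {
        if (!(handshakeSession instanceof ExtendedSSLSession)) {
            return null;
        }
        List<SNIServerName> names = ((ExtendedSSLSession) handshakeSession).getRequestedServerNames();
        for (SNIServerName name : names) {
            if (name instanceof SNIHostName) {
                String host = ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
                return hostToKeyStoreAlias.get(host);
            }
        }
        return null;
    }

    // Everything else simply delegates; aliases are passed through untouched.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return delegate.chooseEngineClientAlias(keyType, issuers, engine);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

The point of the wrapper is that the mangled alias is never used as a lookup key by the application: the comparison happens on the stripped form, and the unstripped string is what goes back to the delegate. Because the internal format is undocumented (the reply above confirms application code is not expected to parse it), treat `toKeyStoreAlias` as a workaround tied to the JDK build it was tested against; the numeric-fields guard keeps it from corrupting dotted KeyStore aliases if a future JDK returns the plain alias instead. The `Socket` variant of `chooseServerAlias` can apply the same logic by reading `((SSLSocket) socket).getHandshakeSession()`.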
More information about the security-dev mailing list