RFR: JDK-8311892: TrustManagerFactory loading an invalid keystore yield vague exception

Craig Andrews duke at openjdk.org
Fri Jul 14 02:05:15 UTC 2023


On Tue, 11 Jul 2023 18:09:26 GMT, Craig Andrews <duke at openjdk.org> wrote:

> When loading the default JVM trust store, if the JVM trust store contains an invalid certificate, the exception contains insufficient information to determine which certificate is invalid, making it very difficult to fix the problem.
> 
> To reproduce the issue:
> 1. Modify the default JVM trust store to contain invalid information. A very easy way to do this on openjdk / red hat systems is to edit /etc/pki/ca-trust/extracted/java/cacerts and add garbage text to the file.
> 2. Run this code:
> 
> TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> // initializing the trust store with a null KeyStore will load the default JVM trust store
> tmf.init((KeyStore) null);
> 
> 
> This stack trace results:
> 
> Caused by: java.security.KeyStoreException: problem accessing trust store
> 	at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
> 	at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
> 	... 81 common frames omitted
> Caused by: java.io.IOException: toDerInputStream rejects tag type 97
> 	at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
> 	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2013)
> 	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
> 	at java.base/java.security.KeyStore.load(KeyStore.java:1473)
> 	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
> 	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
> 	at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
> 	at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
> 	... 83 common frames omitted
> 
> 
> Throwing an exception with a more detailed error message facilitates debugging and ultimately fixing such problems.

Caused by: java.security.KeyStoreException: problem accessing trust store
	at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
	at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
	... 73 common frames omitted
Caused by: java.security.KeyStoreException: Failed to load key store: /usr/lib/jvm/java-17-openjdk-17.0.7.0.7-5.fc38.x86_64/lib/security/cacerts
	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
	at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
	at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
	... 79 common frames omitted
Caused by: java.io.IOException: toDerInputStream rejects tag type 97
	at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2013)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
	at java.base/java.security.KeyStore.load(KeyStore.java:1473)
	... 83 common frames omitted


The `KeyStoreException` inside `KeyStoreException` could be eliminated by adding a `catch` clause at https://github.com/openjdk/jdk/blob/257bc1745cf275d691db1801f8dd270b9ff1b324/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L67 like this:

            } catch (KeyStoreException ke) {
                throw ke;


Please let me know if you'd like me to include that change.

Thanks!

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14834#issuecomment-1635157558
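The following is an added diagnostic, not code from the PR or from the JDK. It resolves the trust store that `tmf.init((KeyStore) null)` would pick up (the lookup order assumed here is `javax.net.ssl.trustStore`, then `$JAVA_HOME/lib/security/jssecacerts`, then `$JAVA_HOME/lib/security/cacerts`), loads it explicitly, and on failure reports the file path plus what the first byte of the file looks like, so that a "toDerInputStream rejects tag type 97" (97 is ASCII 'a', i.e. the file begins with text rather than an ASN.1 SEQUENCE) can be traced to a specific file without stepping through the JDK. The class name, the method names and the leading-byte heuristic are this example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not JDK code): load the default trust store explicitly so
 * that a parse failure names the file, instead of the bare
 * "problem accessing trust store" seen when initialising with a null KeyStore.
 */
public final class TrustStoreDiagnostics {

    /*
     * Assumed lookup order: javax.net.ssl.trustStore, then jssecacerts, then
     * cacerts under $JAVA_HOME/lib/security. On Fedora/RHEL the last file is
     * normally a symlink into /etc/pki/ca-trust/extracted/java/, which is why
     * editing that file corrupts the JVM default trust store.
     */
    static Path resolveDefaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.equals("NONE")) {
            return Paths.get(prop);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.isRegularFile(jsse) ? jsse : security.resolve("cacerts");
    }

    /*
     * Heuristic on the first byte only: PKCS12 is a DER SEQUENCE (0x30) and
     * JKS starts with the magic 0xFEEDFEED, so printable ASCII at offset 0
     * means somebody wrote text into the keystore file.
     */
    static String describeLeadingByte(Path path) throws IOException {
        try (InputStream in = Files.newInputStream(path)) {
            int b = in.read();
            if (b < 0) return "file is empty";
            if (b == 0x30) return "starts with DER SEQUENCE (0x30), looks like PKCS12";
            if (b == 0xFE) return "starts with 0xFE, looks like JKS magic 0xFEEDFEED";
            if (b >= 0x20 && b < 0x7F) {
                return "starts with printable ASCII '" + (char) b + "' (tag " + b + "), not a binary keystore";
            }
            return String.format("starts with unexpected byte 0x%02X", b);
        }
    }

    /* Load the keystore and wrap any parse failure with the path in the message. */
    static KeyStore loadTrustStore(Path path, char[] password) throws KeyStoreException {
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            return ks;
        } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
            String hint;
            try {
                hint = describeLeadingByte(path);
            } catch (IOException ignored) {
                hint = "could not re-read file";
            }
            throw new KeyStoreException("Failed to load key store: " + path + " (" + hint + ")", e);
        }
    }

    public static void main(String[] args) throws Exception {
        Path path = args.length > 0 ? Paths.get(args[0]) : resolveDefaultTrustStore();
        // A null password skips the keystore integrity check; assumed here to match
        // what the JDK does for cacerts when javax.net.ssl.trustStorePassword is unset.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;

        KeyStore ks = loadTrustStore(path, password);
        System.out.println(path + ": " + Collections.list(ks.aliases()).size() + " entries");

        // Initialising with the loaded KeyStore gives the same trust managers as
        // init((KeyStore) null), but any failure above already carries the path.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        System.out.println(tmf.getTrustManagers().length + " trust manager(s) initialised");
    }
}
```

Run it as `java TrustStoreDiagnostics.java` (source-file mode, JDK 11 and later) to check the JVM default, or pass an explicit path such as /etc/pki/ca-trust/extracted/java/cacerts as the first argument. For a quick cross-check outside Java, `keytool -list -keystore <path>` fails on the same corrupted file with the same DerValue message.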


More information about the security-dev mailing list