RFR: JDK-8311892: TrustManagerFactory loading an invalid keystore yield vague exception
Craig Andrews
duke at openjdk.org
Fri Jul 14 20:40:13 UTC 2023
On Tue, 11 Jul 2023 18:09:26 GMT, Craig Andrews <duke at openjdk.org> wrote:
> When loading the default JVM trust store, if the JVM trust store contains an invalid certificate, the exception contains insufficient information to determine which certificate is invalid, making it very difficult to fix the problem.
>
> To reproduce the issue:
> 1. Modify the default JVM trust store to contain invalid information. A very easy way to do this on openjdk / red hat systems is to edit /etc/pki/ca-trust/extracted/java/cacerts and add garbage text to the file.
> 2. Run this code:
>
> TrustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> // initializing the trust store with a null KeyStore will load the default JVM trust store
> tmf.init((KeyStore) null);
>
>
> This stack trace results:
>
> Caused by: java.security.KeyStoreException: problem accessing trust store
> at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
> at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
> ... 81 common frames omitted
> Caused by: java.io.IOException: toDerInputStream rejects tag type 97
> at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
> at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2013)
> at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
> at java.base/java.security.KeyStore.load(KeyStore.java:1473)
> at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
> at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
> at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
> at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
> ... 83 common frames omitted
>
>
> Throwing an exception with a more detailed error message facilitates debugging and ultimately fixing such problems.
Excellent point, thank you for your thoughtful review and for linking the documentation :)
It would be really nice to give the user some information to help them along without requiring a JVM argument, though... What if we just included the file name (but not the path) in the exception message, something like:
throw new KeyStoreException("Failed to load key store with file name: " + descriptor.storeFile.getName(), e);
Would that be acceptable? Or is there something else we could do to provide a little more helpful of a message?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/14834#issuecomment-1636412000
More information about the security-dev
mailing list