<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi - <br>
<br>
I took a look and this probably isn't the correct way to fix this.
<br>
<br>
A simpler change might be to specify the sun provider when
requesting the certificate factory. I hesitate to say that
definitively as modularization guidance may restrict that
approach?<br>
<br>
The belt and suspenders approach is to catch the bad certificate
exception and return null. That appears to be the correct
contract for KeyStore.getCertificate(String alias). (e.g. "if
(certChain.length == 0) return null;")<br>
<br>
Mike<br>
<br>
<br>
On 10/12/2015 5:04 PM, Langer, Christoph wrote:<br>
</div>
<blockquote
cite="mid:0DFD2E72402C9243A8630A7759B27E4338F21D7B@DEWDFEMB12B.global.corp.sap"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">please review a change
proposal regarding an issue in the Microsoft Security API
(mscapi).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Bug: <a
moz-do-not-send="true"
href="https://bugs.openjdk.java.net/browse/JDK-8139436">
<a class="moz-txt-link-freetext" href="https://bugs.openjdk.java.net/browse/JDK-8139436">https://bugs.openjdk.java.net/browse/JDK-8139436</a></a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Webrev: <a
moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Eclanger/webrevs/8139436.0/">
<a class="moz-txt-link-freetext" href="http://cr.openjdk.java.net/~clanger/webrevs/8139436.0/">http://cr.openjdk.java.net/~clanger/webrevs/8139436.0/</a></a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I stumbled over the
issue when using an old IAIK security provider. It would
throw java.security.cert.CertificateException upon parsing
ECC based certificates when generating Certificate objects.
The way it is right now, such exceptions are silently caught
and the Windows Keystore is created with incomplete data.
Upon accessing such ECC certificates from the Keystore
object, e.g. when iterating over it, you’ll get exceptions
like:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Exception in thread
"main" java.lang.ArrayIndexOutOfBoundsException: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore.engineGetCertificate(KeyStore.java:313)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore$ROOT.engineGetCertificate(KeyStore.java:60)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.security.KeyStore.getCertificate(KeyStore.java:1095)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">At that point it is not
obvious what the real root cause for that is.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">With my change, loading
of the keystore would already throw like this:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">java.io.IOException:
java.security.KeyStoreException: Exception occurred
generating certificate object for alias DigiCert Assured ID
Root G3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:780)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore$ROOT.engineLoad(KeyStore.java:60)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.security.KeyStore.load(KeyStore.java:1459)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
WindowsCertificateReaderTest.main(WindowsCertificateReaderTest.java:18)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Caused by:
java.security.KeyStoreException: Exception occurred
generating certificate object for alias DigiCert Assured ID
Root G3<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore.loadKeysOrCertificateChains(Native
Method)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:777)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ... 3 more<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Caused by:
java.security.cert.CertificateException: Error parsing
certificates! iaik.asn1.DerInputException: Next ASN.1 object
is no OBJECT IDENTIFIER!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
iaik.x509.CertificateFactory.engineGenerateCertificates(Unknown
Source)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.mscapi.KeyStore.generateCertificate(KeyStore.java:869)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ... 5 more<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This is more obvious
when it comes to analyzing such an issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Also, I added a property
“sun.security.mscapi.ignoreFailingCertificates” which, when
set to true, will cause skipping of certificates that failed
with Exception. That might be a nice workaround option if
one is not particularly interested in a failing certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">You can reproduce all
this with the test coding in the OpenJDK Bug, the IAIK
provider 3.15 which is downloadable here:
<a moz-do-not-send="true"
href="http://jcewww.iaik.tu-graz.ac.at/sic/Download">http://jcewww.iaik.tu-graz.ac.at/sic/Download</a>
(educational/research version, needs registration) and ECC
certificates in the Windows Root certificate store.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Would you think this
change is reasonable and worthwile?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks & Best
regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Christoph<o:p></o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>