<!-- This file has been automatically generated. See web/README.md -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div id="compose-container" style="direction: ltr" itemscope="" itemtype="https://schema.org/EmailMessage">
<span itemprop="creator" itemscope="" itemtype="https://schema.org/Organization"><span itemprop="name" content="Outlook Mobile for iOS"></span></span>
<div>
<div style="direction: ltr;">The keystore I have here (which has a leading 0 in the modulus in one cert and a 0 in the serial number in another) does not open in the test program or in keytool.exe with 8u131 (sorry, last mail 7u131 was a typo).</div>
<div class="gmail_quote">
<div dir="ltr">
<div>
<div><br>
This happens before the password query:<br>
<br>
C:\Users> "c:\Program Files\Java\jdk1.8.0_131\bin\keytool.exe" -list -keystore c:\temp\ks\broken.jks<br>
Keytool-Fehler: java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key<br>
<br>
</div>
I think it is OK to barf on the signature if the data is not normalized, but not loading the whole keystore is a bit painful.<br>
</div>
NB: the extent of this problem seems not big, so far we had one customer with two partners, but not all of them might use the latest Java yet.<br>
<div><br>
<div>The stacktrace I posted (repeated here) is JDK 8u131 (Win64)<br>
</div>
<div><br>
> "c:\Program Files\Java\jdk1.8.0_131\bin\java" -cp \ws\github\javacryptotest\target\classes net.eckenfels.test.certpath.KeystoreExploder c:\temp\ks\broken.jks<br>
Writing c:\temp\ks\broken.jks to C:\Users directory ...<br>
Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key<br>
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)<br>
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)<br>
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)<br>
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)<br>
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)<br>
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:755)<br>
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)<br>
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)<br>
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)<br>
at java.security.KeyStore.load(KeyStore.java:1445)<br>
at net.eckenfels.test.certpath.KeystoreExploder.main(KeystoreExploder.java:66)<br>
...<br>
Caused by: java.io.IOException: Invalid encoding: redundant leading 0s<br>
at sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:152)<br>
at sun.security.util.DerInputStream.getBigInteger(DerInputStream.java:207)<br>
at sun.security.rsa.RSAPrivateCrtKeyImpl.getBigInteger(RSAPrivateCrtKeyImpl.java:214)<br>
at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:115)<br>
... 21 more<br>
<br>
</div>
<div>I can provide you with the keystore offlist (it contains a few company names which should not be public).<br>
<br>
</div>
<div>BTW: it reads "RSAPrivateCrtKeyImpl" but the cert is a TrustedCertEntry.<br>
</div>
<div><br>
</div>
<div>Regards<br>
</div>
<div>Bernd<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-06-12 13:29 GMT+02:00 Sean Mullan <span dir="ltr"><<a href="mailto:sean.mullan@oracle.com" target="_blank">sean.mullan@oracle.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
Hi Bernd,<br>
<br>
This issue should be fixed in 8u131. Can you try that and let us know?<span class="HOEnZb"><font color="#888888"><br>
<br>
--Sean</font></span>
<div class="HOEnZb">
<div class="h5"><br>
<br>
On 6/9/17 10:18 PM, Bernd wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
I noticed there is a bug (8177657, etc.) about stricter DER checking in the JDK Certificate code. I have a JKS keystore which can no longer be opened because of that.<br>
<br>
I understand that the strict parsing has to stay for public keys, however I wonder if anything can be done about loading the other keys from the keystore or at least reporting the alias of the unparseable entry.<br>
<br>
The problem was introduced with 8u121; 8u112 can open the file, and it exists in 7u131 as well.<br>
<br>
Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key<br>
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)<br>
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)<br>
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)<br>
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)<br>
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)<br>
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:755)<br>
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)<br>
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)<br>
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)<br>
at java.security.KeyStore.load(KeyStore.java:1445)<br>
at net.eckenfels.test.certpath.KeystoreImport.main(KeystoreImport.java:29)<br>
Caused by: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key<br>
at sun.security.x509.X509Key.parse(X509Key.java:174)<br>
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)<br>
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)<br>
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)<br>
... 10 more<br>
Caused by: java.security.InvalidKeyException: java.security.InvalidKeyException: Invalid RSA public key<br>
at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)<br>
at sun.security.x509.X509Key.parse(X509Key.java:170)<br>
... 13 more<br>
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA public key<br>
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)<br>
at java.security.KeyFactory.generatePublic(KeyFactory.java:334)<br>
at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)<br>
... 14 more<br>
Caused by: java.security.InvalidKeyException: Invalid RSA public key<br>
at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:120)<br>
at sun.security.x509.X509Key.decode(X509Key.java:391)<br>
at sun.security.x509.X509Key.decode(X509Key.java:403)<br>
at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:84)<br>
at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)<br>
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)<br>
... 16 more<br>
Caused by: java.io.IOException: Invalid encoding: redundant leading 0s<br>
at sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:152)<br>
at sun.security.util.DerInputStream.getBigInteger(DerInputStream.java:207)<br>
at sun.security.rsa.RSAPrivateCrtKeyImpl.getBigInteger(RSAPrivateCrtKeyImpl.java:214)<br>
at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(RSAPublicKeyImpl.java:115)<br>
... 21 more<br>
<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
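<div>What the thread asks for (report the alias of the unparseable entry instead of failing the whole load) can be done outside the JDK by walking the JKS container directly. The following is an added example, not code from the thread, from Bernd's test program or from the JDK: a Python scanner that reads a JKS file without its password (the password only keys the trailing integrity digest), extracts every certificate and reports the aliases whose DER contains a non-minimally encoded INTEGER, the "redundant leading 0s" that the strict parser rejects. It checks the full X.690 minimal-encoding rule, so besides the redundant 0x00 case seen in the stack trace it also flags a redundant 0xFF before a negative value, which the thread does not mention. The JKS field layout follows what sun.security.provider.JavaKeyStore reads; the three "certificates" in the constructed sample keystore are stand-in DER sequences with a serial and an RSA-style key inside a BIT STRING, not real X.509 certificates, and the aliases are made up.</div>

```python
"""Added example: password-free JKS scanner for non-minimal DER INTEGER encodings."""
import struct

JKS_MAGIC = 0xFEEDFEED      # magic of a JKS file, followed by version 2 and the entry count
PRIVATE_KEY_TAG = 1
TRUSTED_CERT_TAG = 2


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _minimal_integer(value):
    """X.690 8.3.2: an INTEGER needs at least one byte and may not start with 0x00
    followed by a byte below 0x80, nor with 0xFF followed by a byte of 0x80 or more."""
    if len(value) == 0:
        return False
    if len(value) == 1:
        return True
    return not ((value[0] == 0x00 and value[1] < 0x80) or
                (value[0] == 0xFF and value[1] >= 0x80))


def der_integer_issues(buf):
    """Return [(offset, hex_value)] for every non-minimal INTEGER in a DER blob.
    Descends into constructed types and into BIT STRINGs whose content parses as DER,
    which is where an RSA modulus sits inside SubjectPublicKeyInfo."""
    issues = []

    def walk(start, end):
        pos = start
        while pos < end:
            tag = buf[pos]
            length, body = _der_len(buf, pos + 1)
            body_end = body + length
            if body_end > end:
                raise ValueError("DER length runs past the enclosing element")
            if tag & 0x20:                                  # constructed: SEQUENCE, SET, ...
                walk(body, body_end)
            elif tag == 0x02:                               # INTEGER
                if not _minimal_integer(buf[body:body_end]):
                    issues.append((body, buf[body:body_end].hex()))
            elif tag == 0x03 and length > 1 and buf[body] == 0:   # BIT STRING, no unused bits
                saved = len(issues)
                try:
                    walk(body + 1, body_end)                # best effort: a key blob is DER
                except (ValueError, IndexError):
                    del issues[saved:]                      # opaque bits, e.g. a signature
            pos = body_end

    walk(0, len(buf))
    return issues


def _read_utf(buf, pos):
    """Java DataInput.readUTF: 2-byte big-endian length, then the string bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_blob(buf, pos):
    """4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def scan_jks(data):
    """Map alias -> INTEGER issues over all certificates of that entry (empty list = clean)."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS file")
    pos, report = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                            # creation date, Java long millis
        if tag == PRIVATE_KEY_TAG:
            _, pos = _read_blob(data, pos)                  # password-protected key, left alone
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
        elif tag == TRUSTED_CERT_TAG:
            chain_len = 1
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
        issues = []
        for _ in range(chain_len):
            _, pos = _read_utf(data, pos)                   # certificate type, "X.509"
            cert, pos = _read_blob(data, pos)
            issues += der_integer_issues(cert)
        report[alias] = issues
    return report


# ---- constructed sample input (not a real keystore, aliases are made up) ----
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body                   # short-form length suffices here


def _toy_cert(serial, modulus):
    """Stand-in for a certificate: SEQUENCE { INTEGER serial, BIT STRING { RSAPublicKey } }."""
    rsa_key = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    return _tlv(0x30, _tlv(0x02, serial) + _tlv(0x03, b"\x00" + rsa_key))


def _trusted_entry(alias, cert):
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    return (struct.pack(">I", TRUSTED_CERT_TAG) + utf(alias) + struct.pack(">Q", 0)
            + utf("X.509") + struct.pack(">I", len(cert)) + cert)


SAMPLE_JKS = (struct.pack(">III", JKS_MAGIC, 2, 3)
              + _trusted_entry("partner-ok", _toy_cert(b"\x01", b"\x00\xc1\x23\x45"))   # 0x00 needed
              + _trusted_entry("partner-a", _toy_cert(b"\x02", b"\x00\x41\x23\x45"))    # redundant 0x00 in modulus
              + _trusted_entry("partner-b", _toy_cert(b"\x00\x03", b"\x00\x81\x23\x45"))  # redundant 0x00 in serial
              + bytes(20))                                  # SHA-1 digest slot, not verified here

if __name__ == "__main__":
    for alias, issues in scan_jks(SAMPLE_JKS).items():
        print(alias, "OK" if not issues else "non-minimal INTEGER(s): %s" % issues)
```

<div>Against a real file, call scan_jks(open(path, "rb").read()). An alias with an empty list is one whose certificates the strict parser will accept as far as INTEGER encoding goes; the others name the partners whose certificates need to be re-issued or re-exported with canonical DER before the keystore will load again in 8u121 and later.</div>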
</body>
</html>