Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4877508

setKeyEntry in normal order fails

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 5.0
    • Fix Version/s: 5.0
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      tiger
    • CPU:
      generic
    • OS:
      generic

      Description

      Plugin has valid certs they are using for JSSE client auth, using normal
      JKS keytstore. They are trying to copy to a PKCS 12 keystore using code below.

      c[0] = client cert
      c[1] = ca cert

      Getting the following exception in engineSetKeyEntry.

      wetmore@summer] 221 >java template
      Exception in thread "main" java.security.KeyStoreException: Key protection algorithm not foundjava.security.KeyStoreException: Certificate chain is not validate
              at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:409)
              at java.security.KeyStore.setKeyEntry(KeyStore.java:397)
              at template.main(template.java:34)
      Caused by: java.security.KeyStoreException: Certificate chain is not validate
              at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:396)
              ... 2 more

      Code is trying to match subject of c[0] and issuer c[1], which don't match.
      If certs were in reverse order, this would work fine.

      import java.io.*;
      import java.util.*;
      import java.security.Key;
      import java.security.KeyStore;
      import java.security.cert.*;

      public class template {
          public static void main(String args[]) throws Exception {
              KeyStore jks = KeyStore.getInstance("JKS");
              FileInputStream fis = new FileInputStream("clientAuthStore");
              jks.load(fis, "changeit".toCharArray());

              Certificate[] certChain = jks.getCertificateChain("gu_client");
              Key outKey = jks.getKey("gu_client", "changeit".toCharArray());

              System.out.println(certChain[0]);
              System.out.println(certChain[1]);

              Certificate [] revCertChain = new Certificate [] {
                  certChain[1], certChain[0]};

              FileOutputStream fos = new FileOutputStream("pkcs12");
              KeyStore pkcs_rev = KeyStore.getInstance("PKCS12");
              pkcs_rev.load(null, "changeit".toCharArray());
              pkcs_rev.setKeyEntry("changeit", outKey,
                     "changeit".toCharArray(), revCertChain);
              pkcs_rev.store(fos, "changeit".toCharArray());

              // Now try using original order

              FileOutputStream fos2 = new FileOutputStream("pkcs12.try");
              KeyStore pkcs = KeyStore.getInstance("PKCS12");
              pkcs.load(null, "changeit".toCharArray());
              pkcs.setKeyEntry("changeit", outKey,
                     "changeit".toCharArray(), certChain);
              pkcs.store(fos2, "changeit".toCharArray());

           }
      }

      This should be more flexible in allowing either order. Or
      if there is an ordering required by the methods, it's not in the API.

      The API probably needs updating in either case. Neither setKeyEntry
      method talk about this.

      ###@###.### 2003-06-11

        Attachments

          Activity

            People

            • Assignee:
              smalkanisunw Seema Malkani (Inactive)
              Reporter:
              wetmore Bradford Wetmore
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: