Details

    • Subcomponent:
    • Resolved In Build:
      b102
    • CPU:
      x86
    • OS:
      windows_7
    • Verification:
      Verified

      Description

      FULL PRODUCT VERSION :
      java version "1.6.0_18"
      Java (TM) SE Runtime Enviroment (build 1.6.0_18-b07)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Verze 6.1.7600]

      A DESCRIPTION OF THE PROBLEM :
      I have this code:
      .....
      import java.io.FileInputStream;
      import java.security.KeyStore;
      import java.security.cert.X509Certificate;
      // A PKCS12 KeyStore instance must exist before load() is called; a null reference would throw NullPointerException here.
      KeyStore kspkcs12 = KeyStore.getInstance("PKCS12");
      kspkcs12.load(new FileInputStream(keystorePath), password.toCharArray());
      KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) kspkcs12.getEntry(alias,
              new KeyStore.PasswordProtection(password.toCharArray()));
      X509Certificate cert = (X509Certificate) kspkcs12.getCertificate(alias);
      ......

      I have a pfx file with two aliases, alias1 and alias2. Alias1 has a certificate chain with 2 SHA1 certificates. Alias2 has one SHA2 certificate.
      But when I load that pfx file with the code above, there are 2 records in the KeyStore (one for each alias), but both records have the same certificate loaded. For all aliases, the last certificate added to the pfx file is loaded.
      Is it a bug or a feature?

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Create a pfx file. Insert the first certificate with an alias. Insert a second certificate with another alias.
      Try to load it using the KeyStore class.
      Check whether the first entry has the right certificate.


      REPRODUCIBILITY :
      This bug can be reproduced always.

      SUPPORT :
      YES
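      The last reproduction step ("check whether the first entry has the right certificate") can be automated. The following is an added example, not the reporter's code and not part of the JDK: it loads a PKCS12 file, and for every key alias signs a probe message with the private key and verifies it with the public key of the certificate returned for that alias, so a key that has been paired with someone else's certificate is reported as a mismatch. It also lists aliases whose leaf certificate is byte-for-byte identical to another alias's, which is the symptom described above. The file path and password are assumed to come from the command line, key entries are assumed to be protected by the keystore password (the usual PKCS12 layout), and the code targets Java 8 or later.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class Pkcs12ConsistencyCheck {

    // Picks a signature algorithm for the key type, signs a probe with the private key and
    // verifies it with the certificate's public key. True only if the two belong together.
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) throws Exception {
        String sigAlg;
        switch (key.getAlgorithm()) {
            case "RSA": sigAlg = "SHA256withRSA";   break;
            case "EC":  sigAlg = "SHA256withECDSA"; break;
            case "DSA": sigAlg = "SHA256withDSA";   break;
            default: throw new IllegalArgumentException("unsupported key algorithm: " + key.getAlgorithm());
        }
        byte[] probe = "pkcs12-consistency-probe".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        byte[] signature = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(signature);
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Per key alias: does the certificate the KeyStore hands back match the private key?
    // Assumes key entries use the keystore password.
    static Map<String, Boolean> checkAliases(KeyStore ks, char[] password) throws Exception {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have no private key to compare against
            }
            PrivateKey key = (PrivateKey) ks.getKey(alias, password);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias); // leaf of the chain
            result.put(alias, cert != null && keyMatchesCertificate(key, cert));
        }
        return result;
    }

    // Aliases whose leaf certificate is identical (same DER encoding) to an earlier alias's.
    static List<String> aliasesSharingACertificate(KeyStore ks) throws Exception {
        Map<String, String> firstOwner = new HashMap<>(); // base64(DER) -> first alias seen with it
        List<String> shared = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;
            String der = Base64.getEncoder().encodeToString(cert.getEncoded());
            String owner = firstOwner.putIfAbsent(der, alias);
            if (owner != null) shared.add(alias + " (same certificate as " + owner + ")");
        }
        return shared;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java Pkcs12ConsistencyCheck <file.pfx> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = load(args[0], password);
        Map<String, Boolean> verdicts = checkAliases(ks, password);
        verdicts.forEach((alias, ok) ->
                System.out.println(alias + ": " + (ok ? "certificate matches private key" : "MISMATCH")));
        for (String s : aliasesSharingACertificate(ks)) {
            System.out.println("duplicate: " + s);
        }
        System.exit(verdicts.containsValue(false) ? 1 : 0);
    }
}
```

      Running it against a file like the reporter's would flag one of the two aliases as a mismatch and list the duplicated certificate, while a correctly paired file yields a zero exit status. Signing and verifying a probe is used rather than comparing key parameters so the same check works for RSA, EC and DSA keys.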

        Issue Links

          Activity

          weijun Weijun Wang added a comment -
          BT2:EVALUATION

          Customer provided a pkcs12 file and it contains:

          Private Key #1:
             localKeyId: 01 00 00 00
             friendlyName: p1
          Private Key #2:
             localKeyId: 01 00 00 00
             friendlyName: p2
          Cert #1:
             localKeyId: 01 00 00 00
             friendlyName: p1
          Cert #2:
             localKeyId: 01 00 00 00
             friendlyName: p2
          Cert #3:
             # No recognized attribute

          Currently, JDK uses localKeyId to match a private key with its corresponding certificate (and only falls back to friendlyName when localKeyId is missing). Since all localKeyIds have the same value here, it gets confused and always returns the same one for both private keys.

          I'll enhance the PKCS12KeyStore class to match using both localKeyId and friendlyName. However, I do believe the original file is not quite legal. Normally we always regard an attribute called "*Id" to be identical in some scope (here, the file). It seems customer uses a tool that simply glues 2 blocks of info into one without reassigning the id values.

          The discussion below is interesting:
          http://www.mail-archive.com/###@###.###/msg27030.html
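          The pairing rule described in the evaluation above, run over the bag listing it gives, as an added example. This is a small model written for this page, not the JDK's PKCS12KeyStore code: each SafeBag is reduced to its localKeyId and friendlyName attributes, one function pairs on localKeyId alone (falling back to friendlyName only when the key bag has no localKeyId), and a second requires every attribute the key bag carries to agree with the certificate bag, which is one reading of "match using both localKeyId and friendlyName". The bag contents are constructed to mirror the listing in the comment.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class Pkcs12BagMatching {

    // One PKCS12 SafeBag reduced to the two attributes the pairing uses; either may be absent (null).
    static final class Bag {
        final String label;        // for printing only
        final byte[] localKeyId;
        final String friendlyName;
        Bag(String label, byte[] localKeyId, String friendlyName) {
            this.label = label;
            this.localKeyId = localKeyId;
            this.friendlyName = friendlyName;
        }
        @Override public String toString() { return label; }
    }

    // Constructed input mirroring the listing in the evaluation comment: every bag that has a
    // localKeyId carries the same value, and the third certificate has no recognized attribute.
    static final byte[] SHARED_ID = {0x01, 0x00, 0x00, 0x00};
    static final List<Bag> KEYS = Arrays.asList(
            new Bag("Private Key #1", SHARED_ID, "p1"),
            new Bag("Private Key #2", SHARED_ID, "p2"));
    static final List<Bag> CERTS = Arrays.asList(
            new Bag("Cert #1", SHARED_ID, "p1"),
            new Bag("Cert #2", SHARED_ID, "p2"),
            new Bag("Cert #3", null, null));

    // Model of the original rule: pair on localKeyId; friendlyName is consulted only when the
    // key bag carries no localKeyId at all.
    static Bag pairByLocalKeyId(Bag key, List<Bag> certs) {
        for (Bag c : certs) {
            if (key.localKeyId != null) {
                if (Arrays.equals(key.localKeyId, c.localKeyId)) return c;
            } else if (key.friendlyName != null && key.friendlyName.equals(c.friendlyName)) {
                return c;
            }
        }
        return null;
    }

    // Model of the enhanced rule: every attribute present on the key bag must agree with the
    // certificate bag, so a shared localKeyId no longer collapses distinct friendlyNames.
    static Bag pairByBothAttributes(Bag key, List<Bag> certs) {
        if (key.localKeyId == null && key.friendlyName == null) return null; // nothing to match on
        for (Bag c : certs) {
            boolean idOk = key.localKeyId == null || Arrays.equals(key.localKeyId, c.localKeyId);
            boolean nameOk = key.friendlyName == null || key.friendlyName.equals(c.friendlyName);
            if (idOk && nameOk) return c;
        }
        return null;
    }

    // Pairs every key bag with a certificate bag under one of the two rules.
    static Map<String, String> pairAll(boolean enhanced) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Bag k : KEYS) {
            Bag c = enhanced ? pairByBothAttributes(k, CERTS) : pairByLocalKeyId(k, CERTS);
            out.put(k.label, c == null ? "(none)" : c.label);
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println("localKeyId only:         " + pairAll(false));
        System.out.println("localKeyId+friendlyName: " + pairAll(true));
    }
}
```

          Under the first rule both private keys resolve to the same certificate bag, which is the confusion the evaluation describes; under the second each key resolves to the certificate bag that shares its friendlyName. Cert #3, which carries neither attribute, is never paired with a key under either rule.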
          weijun Weijun Wang added a comment -
          BT2:EVALUATION

          Firefox cannot deal with pkcs12 files with same keyids. IE and OS X keychain can.
          weijun Weijun Wang added a comment -
          BT2:EVALUATION

          http://hg.openjdk.java.net/jdk7/tl/jdk/rev/706e2d1fc378

            People

            • Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang
            • Votes:
              0
              Watchers:
              0
