JDK-8074935: jdk8 keytool doesn't validate pem files for RFC 1421 correctness, as jdk7 did

    Details

    • Resolved In Build: b57
    • Verification: Verified

        Description

        jdk7 keytool used to validate that input pem files were RFC 1421 compliant, but jdk8 keytool no longer does so, which seems like a bug. (but may be intentional; hard to tell)

        See http://en.wikipedia.org/wiki/Base64#Privacy-enhanced_mail

        SSCCE (jdk7 rejects the corrupted file, jdk8 parses it anyway):

         $ (keytool7=$HOME/jdk/jdk7/bin/keytool keytool8=$HOME/jdk/jdk8/bin/keytool;
            # prepend '!' to every line that starts with a letter, which violates RFC 1421
            perl -pe 's/^([A-Za-z])/!\1/' ./test/java/security/cert/CertPathValidator/OCSP/RootCert.pem > /tmp/corrupted.pem;
            echo 7: ; $keytool7 -printcert -file /tmp/corrupted.pem | head;
            echo 8: ; $keytool8 -printcert -file /tmp/corrupted.pem | head -3;)
        7:
        keytool error: java.lang.Exception: Failed to parse input
        8:
        Owner: CN=Root CA, O=Sun, C=US
        Issuer: CN=Root CA, O=Sun, C=US
        Serial number: 0

            Activity

            weijun Weijun Wang added a comment -
            This is not intended, but jdk8 uses the new Base64.getMimeDecoder() to decode the content and a MIME decoder always ignores characters not found in the base64 alphabet. I suppose this is harmless.
            martin Martin Buchholz added a comment -
            If you compare
            http://en.wikipedia.org/wiki/Base64#Privacy-enhanced_mail
            with
            http://en.wikipedia.org/wiki/Base64#MIME

            you can see that it is explicitly more lenient.

            MIME does not specify a fixed length for Base64-encoded lines, but it does specify a maximum line length of 76 characters. Additionally it specifies that any extra-alphabetic characters must be ignored by a compliant decoder, although most implementations use a CR/LF newline pair to delimit encoded lines.

            A non-lenient form of Base64 decoding would be useful for ahead-of-time validation, which is what we were using keytool for.
            But you surely don't want to write yet another Base64 decoder.

            So this is a regression, but as you say, "mostly harmless".
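The two decoding modes discussed above, as an added example that is not part of the bug report or the JDK patch: the body is corrupted exactly as the SSCCE's perl one-liner does it, Base64.getMimeDecoder() (the jdk8 keytool path) silently drops the stray characters, while a hand-written RFC 1421 check rejects the input with a line number. The class and method names (PemStrictness, decodeRfc1421) and the payload are constructed for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Pattern;

public class PemStrictness {
    // RFC 1421 body lines contain only the base64 alphabet, plus '=' padding at the very end.
    private static final Pattern ALPHABET = Pattern.compile("[A-Za-z0-9+/]*={0,2}");

    // Strict decoder (hypothetical helper): every line except the last must be exactly
    // 64 characters, no character outside the alphabet is tolerated, and padding is
    // checked by the basic (non-MIME) decoder. Throws IllegalArgumentException otherwise.
    static byte[] decodeRfc1421(String body) {
        String[] lines = body.split("\r?\n");
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i];
            boolean last = (i == lines.length - 1);
            if (!ALPHABET.matcher(line).matches())
                throw new IllegalArgumentException("line " + (i + 1) + ": character outside the base64 alphabet");
            if (!last && line.length() != 64)
                throw new IllegalArgumentException("line " + (i + 1) + ": expected 64 characters, got " + line.length());
            if (last && (line.isEmpty() || line.length() > 64))
                throw new IllegalArgumentException("last line must be 1..64 characters");
            joined.append(line);
        }
        return Base64.getDecoder().decode(joined.toString()); // basic decoder also rejects bad padding
    }

    public static void main(String[] args) {
        // Constructed payload standing in for DER certificate bytes.
        byte[] payload = new byte[150];
        for (int i = 0; i < payload.length; i++) payload[i] = (byte) i;
        String good = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(payload);
        // Same corruption as the SSCCE: '!' in front of every line that starts with a letter.
        String corrupted = good.replaceAll("(?m)^([A-Za-z])", "!$1");

        // jdk8 keytool path: the MIME decoder ignores every non-alphabet character, so the
        // corrupted body decodes to exactly the original bytes and nothing is reported.
        byte[] lenient = Base64.getMimeDecoder().decode(corrupted);
        System.out.println("MIME decoder accepted corrupted body: " + Arrays.equals(lenient, payload));

        // jdk7-style validation: the same input is rejected, and the intact body still decodes.
        try {
            decodeRfc1421(corrupted);
            System.out.println("strict decoder accepted corrupted body");
        } catch (IllegalArgumentException e) {
            System.out.println("strict decoder rejected corrupted body: " + e.getMessage());
        }
        System.out.println("strict decoder accepts intact body: " + Arrays.equals(decodeRfc1421(good), payload));
    }
}
```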
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/cae3b7b19462
            User: weijun
            Date: 2015-03-23 00:52:27 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/cae3b7b19462
            User: lana
            Date: 2015-04-01 19:53:23 +0000
            wetmore Bradford Wetmore added a comment -
            There is a JIRA tracking problem. The JIRA entry for JDK-8074935 shows that the backport (JDK-8146876) supposedly went into 8u92/8u101, but looking at the mercurial log for 8u76/8u75, it was clearly introduced in 8u76.

              People

              • Assignee: weijun Weijun Wang
              • Reporter: martin Martin Buchholz