JDK-8139436

sun.security.mscapi.KeyStore might load incomplete data

        Description

        It is possible that a sun.security.mscapi.KeyStore loaded from the Windows System Key store contains certificate entries with no certificate objects associated. Later, when you try to access the certificate, you get exceptions like this:

        Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
                at sun.security.mscapi.KeyStore.engineGetCertificate(KeyStore.java:313)
                at sun.security.mscapi.KeyStore$ROOT.engineGetCertificate(KeyStore.java:60)
                at java.security.KeyStore.getCertificate(KeyStore.java:1095)
                at WindowsCertificateReaderTest.main(WindowsCertificateReaderTest.java:24)

        The issue can be recreated using, e.g., an old IAIK security provider, for instance version 3.15, when you have elliptic curve certificates in the Windows keystore. This is the source code:

        import iaik.security.provider.IAIK;
        import java.io.IOException;
        import java.security.cert.CertificateException;
        import java.security.KeyStore;
        import java.security.KeyStoreException;
        import java.security.NoSuchAlgorithmException;
        import java.security.NoSuchProviderException;
        import java.util.Enumeration;

        public class WindowsCertificateReaderTest {

            public static void main(String[] args) {
                // Register IAIK ahead of the JDK's own security providers.
                System.out.println("Prepending IAIK as security provider.");
                IAIK.addAsJDK14Provider();
                try {
                    System.out.print("Loading Windows-ROOT Certificates...");
                    KeyStore ks = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
                    ks.load(null, null);
                    System.out.println(" done.");
                    Enumeration<String> iter = ks.aliases();
                    while (iter.hasMoreElements()) {
                        String alias = iter.nextElement();
                        System.out.print("Reading certificate for alias: " + alias + "...");
                        // Throws ArrayIndexOutOfBoundsException for an entry
                        // that has no certificate object associated.
                        ks.getCertificate(alias);
                        System.out.println(" ok.");
                    }
                } catch (KeyStoreException kse) {
                    kse.printStackTrace();
                } catch (NoSuchProviderException nse) {
                    nse.printStackTrace();
                } catch (NoSuchAlgorithmException nsae) {
                    nsae.printStackTrace();
                } catch (CertificateException ce) {
                    ce.printStackTrace();
                } catch (IOException ioe) {
                    ioe.printStackTrace();
                }
            }
        }

        The reason is that in the method "private void generateCertificate(byte[] data, Collection<Certificate> certCollection)", exceptions are just caught and silently ignored, which leads to the situation that an entry for the certificate alias is added to the certificate collection but no certificate data is associated with it.
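The failure mode described above, reduced to a stand-alone model: a parser that swallows errors, a loader that registers the alias anyway, and a loader that refuses an empty chain. This is an added example, not the sun.security.mscapi source or the fix that was committed; `parseLenient`, `loadWeak`, `loadChecked` and the `entries` map are hypothetical names, and the input blob is constructed.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.*;

// Simplified model of the failure mode; class and method names are hypothetical.
public class SwallowedParseErrorDemo {
    // alias -> parsed chain, standing in for a keystore's entry table (assumed structure)
    static final Map<String, Certificate[]> entries = new LinkedHashMap<>();

    // Parse errors are swallowed, so the caller cannot tell failure from success.
    static void parseLenient(byte[] data, Collection<Certificate> out) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            out.addAll(cf.generateCertificates(new ByteArrayInputStream(data)));
        } catch (Exception e) {
            // ignored: 'out' simply stays empty
        }
    }

    // Weak loader: registers the alias even when nothing was parsed.
    static void loadWeak(String alias, byte[] data) {
        List<Certificate> chain = new ArrayList<>();
        parseLenient(data, chain);
        entries.put(alias, chain.toArray(new Certificate[0]));
    }

    // Hardened loader: an alias is registered only with a non-empty chain.
    static boolean loadChecked(String alias, byte[] data) {
        List<Certificate> chain = new ArrayList<>();
        parseLenient(data, chain);
        if (chain.isEmpty()) return false;
        entries.put(alias, chain.toArray(new Certificate[0]));
        return true;
    }

    // Lookup that assumes every registered alias has at least one certificate.
    static Certificate getCertificate(String alias) {
        return entries.get(alias)[0];
    }

    public static void main(String[] args) {
        byte[] blob = {0x01, 0x02, 0x03}; // constructed, unparseable "certificate"
        loadWeak("weak-alias", blob);
        try { getCertificate("weak-alias"); }
        catch (ArrayIndexOutOfBoundsException e) { System.out.println("weak: " + e); }
        System.out.println("checked added entry: " + loadChecked("checked-alias", blob));
        System.out.println("aliases: " + entries.keySet());
    }
}
```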

            Activity

            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/05899a336fcd
            User: weijun
            Date: 2015-11-18 00:44:17 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/05899a336fcd
            User: lana
            Date: 2015-11-25 21:18:22 +0000
            afomin Alexander Fomin (Inactive) added a comment -
            Do we have backport to 8 ready?
            afomin Alexander Fomin (Inactive) added a comment -
            No issues in the recent core-libs PSU nightly. SQE OK to take the fix to PSU16_02

              People

              • Assignee:
                clanger Christoph Langer
                Reporter:
                clanger Christoph Langer