JDK-8149411: PKCS12KeyStore cannot extract AES Secret Keys

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 8u66, 9
    • Fix Version/s: 9
    • Component/s: security-libs
    • Resolved In Build: b107
    • Verification: Verified

        Description

        A PKCS12 KeyStore cannot decrypt and extract an encoded AES SecretKey. The attached program fails with:

        Exception in thread "main" java.security.UnrecoverableKeyException: Get Key failed: AES SecretKeyFactory not available
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:419)
        at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1291)
        at sun.security.util.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:166)
        at java.security.KeyStore.getEntry(KeyStore.java:1535)
        at P12SecretKey.run(P12SecretKey.java:47)
        at P12SecretKey.main(P12SecretKey.java:21)
        Caused by: java.security.NoSuchAlgorithmException: AES SecretKeyFactory not available
        at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
        at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:396)
        ... 5 more

        The problem is that the PKCS12 KeyStore uses a SecretKeyFactory to decode AES keys, but there is no AES SecretKeyFactory implementation except on Solaris (via the PKCS11 provider). It turns out that for SecretKeyFactory, AES is not an essential requirement, since you can use a generic SecretKeySpec object to create an AES key and don't really need a SecretKeyFactory. Also, in general a SecretKeyFactory should not be used with a SecretKeySpec, since by definition, SecretKeySpec objects contain the raw key in a provider-independent format and do not need to be decoded.
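
        A round-trip check for the failure described above, as an added example that is not the attached P12SecretKey program or OpenJDK code. The class name, alias and password are assumptions. It stores a generated AES key in an in-memory PKCS12 keystore, reloads the keystore and extracts the key, reporting whether the `SecretKeyFactory` lookup and the extraction succeed on the running JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public class P12AesRoundTrip {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // constructed sample password
        String alias = "aes-key";                     // constructed alias

        // The lookup the pre-fix PKCS12KeyStore made for every stored secret key.
        try {
            SecretKeyFactory.getInstance("AES");
            System.out.println("AES SecretKeyFactory: available");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("AES SecretKeyFactory: " + e.getMessage());
        }

        // Generate a fresh 128-bit AES key and store it as a SecretKeyEntry.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey original = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(original),
                    new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);

        // Reload from the serialized bytes and extract the key again.
        KeyStore loaded = KeyStore.getInstance("PKCS12");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), password);
        try {
            SecretKey restored = (SecretKey) loaded.getKey(alias, password);
            // Constant-time comparison of the raw key bytes.
            boolean same = MessageDigest.isEqual(original.getEncoded(), restored.getEncoded());
            System.out.println("restored " + restored.getAlgorithm() + " key, bytes "
                    + (same ? "match" : "DIFFER"));
        } catch (UnrecoverableKeyException e) {
            // Affected runtimes fail here (see the trace above).
            System.out.println("extraction failed: " + e.getMessage());
        }
    }
}
```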

          Activity

          mullan Sean Mullan added a comment -
          The following patch fixed the issue for me:

          --- a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Mon Feb 08 10:46:42 2016 -0800
          +++ b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Tue Feb 09 07:10:18 2016 -0500
          @@ -394,19 +394,19 @@
           
                       // decode secret key
                       } else {
          - SecretKeyFactory sKeyFactory =
          - SecretKeyFactory.getInstance(keyAlgo);
                           byte[] keyBytes = in.getOctetString();
                           SecretKeySpec secretKeySpec =
                               new SecretKeySpec(keyBytes, keyAlgo);
           
                           // Special handling required for PBE: needs a PBEKeySpec
                           if (keyAlgo.startsWith("PBE")) {
          + SecretKeyFactory sKeyFactory =
          + SecretKeyFactory.getInstance(keyAlgo);
                               KeySpec pbeKeySpec =
                                   sKeyFactory.getKeySpec(secretKeySpec, PBEKeySpec.class);
                               key = sKeyFactory.generateSecret(pbeKeySpec);
                           } else {
          - key = sKeyFactory.generateSecret(secretKeySpec);
          + key = secretKeySpec;
                           }
           
                           if (debug != null) {
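
          Review bot: In the final else branch, `key = secretKeySpec;` now applies to every non-PBE algorithm, not only AES, so any stored algorithm that does have a SecretKeyFactory no longer passes through that provider's `generateSecret` and whatever checks it makes on `keyBytes`. If that is intended, a short comment above the assignment saying that a SecretKeySpec already is a provider-independent key would record why the factory is skipped. The hunk also carries no test; a regression test that stores an AES SecretKey in a PKCS12 keystore and reads it back would cover the reported failure.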
          hgupdate HG Updates added a comment -
          URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/689c1a6f8768
          User: vinnie
          Date: 2016-02-15 15:52:29 +0000
          hgupdate HG Updates added a comment -
          URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/689c1a6f8768
          User: lana
          Date: 2016-02-24 20:06:43 +0000

            People

            • Assignee: vinnie Vincent Ryan
            • Reporter: mullan Sean Mullan
            • Votes: 0
            • Watchers: 3