Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8202893

Invalid Keystore format exception when cacerts file is of a type other than JKS or PKCS12

    Details

      Description

      A DESCRIPTION OF THE PROBLEM :
      sun.security.util.AnchorCertificates assumes that cacerts file is of type JKS.
      This is not necessarily the case.
      If the cacerts file is not of type JKS (or PKCS12), the following exception is sent to console...

      java.io.IOException: Invalid keystore format
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
      at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
      at java.security.KeyStore.load(KeyStore.java:1445)
      at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:61)
      at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:52)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.util.AnchorCertificates.<clinit>(AnchorCertificates.java:52)
      at sun.security.provider.certpath.AlgorithmChecker.checkFingerprint(AlgorithmChecker.java:214)
      at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:164)
      at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:118)
      at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:157)
      at sun.security.validator.Validator.validate(Validator.java:260)
      at sun.security.validator.Validator.validate(Validator.java:236)
      at sun.security.validator.Validator.validate(Validator.java:205)
      at javax.crypto.JarVerifier.isTrusted(JarVerifier.java:610)
      at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:530)
      at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:363)
      at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
      at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:164)
      at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:190)
      at javax.crypto.Cipher.getInstance(Cipher.java:652)
      at javax.crypto.Cipher.getInstance(Cipher.java:595)
      at com.sita.ats.itd.KeyLengthCheck.main(KeyLengthCheck.java:22)

      The problem code from a decompiled output of the class is as highlighted here...
                      File f = new File(System.getProperty("java.home"),
                              "lib/security/cacerts");
                      KeyStore cacerts;
                      try {
                          cacerts = KeyStore.getInstance("JKS"); <----------------------------------
                          try (FileInputStream fis = new FileInputStream(f)) {
                              .
                              .
                              .
                          }
                      } catch (Exception e) {
                          .
                          .
                          .
                      }
                      return null;

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Install a JDK
      - Edit the java.security file in the jre/lib/security folder for the JDK. Set the default keystore to JCEKS.
            #
            # Default keystore type.
            #
            keystore.type=jceks
      - Import a custom certificate into the jre/lib/security/cacerts trust store using keytool.
      - Compile and run a java application that requires encryption. I use the following main method...
            public static void main(String[] args) throws Exception {
                Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "SunJCE");
                System.out.println("DES/CBC/PKCS5Padding algorithm is " + cipher.getAlgorithm());
            }

      The exception mentioned above will be sent to the error console.


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The application should run successfully without any errors being shown.
      ACTUAL -
      The application runs successfully, but the following exception stack is sent to the error console
      java.io.IOException: Invalid keystore format
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
      at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
      at java.security.KeyStore.load(KeyStore.java:1445)
      at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:61)
      at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:52)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.util.AnchorCertificates.<clinit>(AnchorCertificates.java:52)
      at sun.security.provider.certpath.AlgorithmChecker.checkFingerprint(AlgorithmChecker.java:214)
      at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:164)
      at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:118)
      at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:157)
      at sun.security.validator.Validator.validate(Validator.java:260)
      at sun.security.validator.Validator.validate(Validator.java:236)
      at sun.security.validator.Validator.validate(Validator.java:205)
      at javax.crypto.JarVerifier.isTrusted(JarVerifier.java:610)
      at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:530)
      at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:363)
      at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
      at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:164)
      at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:190)
      at javax.crypto.Cipher.getInstance(Cipher.java:652)
      at javax.crypto.Cipher.getInstance(Cipher.java:595)
      at com.sita.ats.itd.KeyLengthCheck.main(KeyLengthCheck.java:22)

      ---------- BEGIN SOURCE ----------
            public static void main(String[] args) throws Exception {
                Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "SunJCE");
                System.out.println("DES/CBC/PKCS5Padding algorithm is " + cipher.getAlgorithm());
            }
      ---------- END SOURCE ----------

      FREQUENCY : always


        Attachments

          Activity

            People

            • Assignee:
              pkoppula Prasadarao Koppula
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: