  1. JDK
  2. JDK-8208689

keytool importcert fails with CertificateParsingException if unknown certificate algorithms should be imported

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 12
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The command will only try the user-specified provider if the builtin providers in the JDK cannot parse the certificate, so if the command succeeded before this fix it will still succeed with the exact same output. If it failed before, there is now a chance it could succeed.
    • Interface Kind:
      add/remove/modify command line option

      Description

      Summary

      The "keytool -printcert" command will use the security provider specified by the "-providername" option to parse a certificate if it cannot be parsed by the builtin providers of JDK.

      Problem

      Sometimes a user wants to inspect the content of a certificate that is using an algorithm not supported by JDK's builtin providers. We should allow the user to choose another provider if available.

      Solution

      Let "keytool -printcert" recognize the "-providername" option. Other provider-related options ("-addprovider", "-providerclass", and "-providerpath") will also be supported so the user can load providers dynamically from a jar or a module. These options are already supported by other keytool commands.
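The fallback order described in the Summary, sketched with the public JCA API as an added example (not keytool's own code). `PrintCertFallback` and `parse` are hypothetical names, and the named provider is assumed to be already registered with the JVM.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.NoSuchProviderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

// Hypothetical class name; illustrates the fallback order only.
public class PrintCertFallback {

    // Try the default provider lookup first; consult the named provider
    // only if that parse fails, so certificates that already parse are
    // handled exactly as before.
    static Certificate parse(byte[] encoded, String providerName)
            throws CertificateException, NoSuchProviderException {
        try {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(encoded));
        } catch (CertificateException defaultFailure) {
            if (providerName == null) {
                throw defaultFailure; // no fallback provider requested
            }
            try {
                // Assumption: providerName is already registered with the JVM.
                return CertificateFactory.getInstance("X.509", providerName)
                        .generateCertificate(new ByteArrayInputStream(encoded));
            } catch (CertificateException | NoSuchProviderException e) {
                e.addSuppressed(defaultFailure); // keep both failure reasons
                throw e;
            }
        }
    }

    // Usage: java PrintCertFallback.java <cert-file> [provider-name]
    public static void main(String[] args) throws Exception {
        byte[] encoded = Files.readAllBytes(Paths.get(args[0]));
        String providerName = args.length > 1 ? args[1] : null;
        System.out.println(parse(encoded, providerName));
    }
}
```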

      Specification

      The output of "keytool -help -printcert" will change as follows (added lines are marked with "+"):

      keytool -printcert [OPTION]...

       Prints the content of a certificate
      
       Options:
      
        -rfc                        output in RFC style
        -file <file>                input file name
        -sslserver <server[:port]>  SSL server host and port
        -jarfile <file>             signed jar file
      + -providername <name>        provider name
      + -addprovider <name>         add security provider by name (e.g. SunPKCS11)
      +   [-providerarg <arg>]        configure argument for -addprovider
      + -providerclass <class>      add security provider by fully-qualified class name
      +   [-providerarg <arg>]        configure argument for -providerclass
      + -providerpath <list>        provider classpath
        -v                          verbose output
      
       Use "keytool -?, -h, or --help" for this help message
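Review bot: the added "-providername <name>" line is described only as "provider name", which does not convey that for -printcert the named provider is tried only when the builtin providers cannot parse the certificate, as the Summary states. Since these options are already supported by other keytool commands, consider stating the fallback order in the -printcert documentation so users do not expect the named provider to take precedence over the builtin ones.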

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                webbuggrp Webbug Group
                Reviewed By:
                Jamil Nimeh, Xue-Lei Fan