Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8220734

java.security.KeyStore should support PKCS#12 files with AES

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      Windows 10 (1803)
      Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
      Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

      and

      Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)
      Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)


      A DESCRIPTION OF THE PROBLEM :
      The PowerShell function "Export-PfxCertificate" supports exporting a certificate using either TripleDES_SHA1 or AES256_SHA256. I can open the exported PFX using java.security.keystore when I use TripleDES_SHA1, but not if I use AES256_SHA256.

      Steps to reproduce the behavior:
      $Cert = dir Cert:\LocalMachine\My | Where-Object -Filter { $_.Thumbprint -eq "0141F6F8D22D8227595D52820D91AEB213725AF7" }
      $PFXPassword = Read-Host "Enter password" -AsSecureString
      Export-PfxCertificate -Cert $Cert -Password $PFXPassword -FilePath .\TripleDES.pfx -CryptoAlgorithmOption TripleDES_SHA1
      Export-PfxCertificate -Cert $Cert -Password $PFXPassword -FilePath .\AES256.pfx -CryptoAlgorithmOption AES256_SHA256

      The following code demonstrates the problem:
      import java.io.File;
      import java.io.FileInputStream;
      import java.security.KeyStore;
      import java.util.Enumeration;
      import java.util.Objects;

      public class Main {
      public static void main(String[] args) throws Exception {
      KeyStore keystore;

      File certFile = new File("AES256.pfx");
      String password = new String("Password");

      try {
      keystore = KeyStore.getInstance("pkcs12");
      keystore.load(new FileInputStream(certFile),
      password.toCharArray());
      } catch (Exception e) {
      e.printStackTrace();
      }
      }
      }

      Testing with 1.8.0_202 and 11.0.2 produces the following errors:
      java version "1.8.0_202"
      Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
      Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

      java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
              at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:816)
              at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2018)
              at java.security.KeyStore.load(KeyStore.java:1445)
              at Main.main(Main.java:16)
      Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
              at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257)
              at sun.security.util.DerInputStream.getOID(DerInputStream.java:314)
              at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
              at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
              at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:812)
              ... 3 more

      java version "11.0.2" 2019-01-15 LTS
      Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)
      Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)

      java.io.IOException: keystore password was incorrect
              at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2108)
              at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
              at java.base/java.security.KeyStore.load(KeyStore.java:1479)
              at Main.main(Main.java:16)
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
              ... 4 more

      The programs works correctly in openjdk 12+33. Can this support be backported to earlier versions?


        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                psonal Pallavi Sonal
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: