Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8266293

Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

    XMLWordPrintable

    Details

    • Resolved In Build:
      b22

      Backports

        Description

        Attached is a test that reads the in-memory key and certificate bytes, constructs a key and certificate chain, and attempts to import those onto a PKCS12 keystore. The default execution works well. However, if we run:

        java -Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithMD5AndDES PKCS12Tester

        ---------------------------------------------

        Exception in thread "main" java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Salt must be 8 bytes long
        at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:709)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:589)
        at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
        at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
        at PKCS12Tester.main(PKCS12Tester.java:81)
        Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Salt must be 8 bytes long
        at java.base/sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:951)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:631)
        ... 4 more
        Caused by: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long
        at java.base/com.sun.crypto.provider.PBES1Core.init(PBES1Core.java:241)
        at java.base/com.sun.crypto.provider.PBES1Core.init(PBES1Core.java:347)
        at java.base/com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(PBEWithMD5AndDESCipher.java:227)
        at java.base/javax.crypto.Cipher.implInit(Cipher.java:875)
        at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:929)
        at java.base/javax.crypto.Cipher.init(Cipher.java:1585)
        at java.base/javax.crypto.Cipher.init(Cipher.java:1516)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:931)
        ... 5 more

        -----------------------------------------------

        In comparison, openssl seems to have no issues with the same algorithm:

        $ openssl version
        OpenSSL 1.0.2k-fips 26 Jan 2017

        $ openssl pkcs12 -export -in rsa.cert.pem -inkey rsa.pkey.pem -name a -passout pass:hello -keypbe PBE-MD5-DES >/dev/null && echo $?
        0

        I went through the PKCS12KeyStore implementation, and have included at the end of the same attached program, what I think is taking place in the implementation, reaching at the exception.

          Attachments

          1. PKCS12Tester.java
            6 kB
          2. rsa.cert.pem
            4 kB
          3. rsa.pkey.pem
            2 kB

            Issue Links

              Activity

                People

                Assignee:
                weijun Weijun Wang
                Reporter:
                tvoniadka Thejasvi Voniadka
                Votes:
                0 Vote for this issue
                Watchers:
                10 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: