JDK-8271369

Regression: keytool and java.security.KeyStore create invalid MAC in PKCS12


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Withdrawn
    • Affects Version/s: 16, 17
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Introduced In Version: 16
    • CPU: x86_64
    • OS: os_x

      Description

      When using java.security.KeyStore, I noticed that the created .p12 file can't be opened by macOS' Keychain Access.

      Doing some experiments, I could show that this is a regression. The file is undamaged when created with JDK 15 and below.

      Test case:
      ```
      ${JAVA_HOME}/bin/keytool -genkey -keystore foo.p12 -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=Self Signed" -validity 730
      security import foo.p12 -k login.keychain
      ```

      Expected Result: Output "1 identity imported." (as in JDK 15)

      Actual Result: Output "security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)" (JDK 16+)

      Additional Info: Running `openssl pkcs12 -info -in foo.p12` can read both and shows different PBE metadata:

      <=15:
      ```
      MAC Iteration 100000
      MAC verified OK
      PKCS7 Data
      Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
      Bag Attributes
          friendlyName: mykey
          localKeyID: 54 69 6D 65 20 31 36 32 37 34 35 34 36 38 33 37 38 33
      Key Attributes: <No Attributes>
      ```

      >=16:
      ```
      MAC Iteration 10000
      MAC verified OK
      PKCS7 Data
      Shrouded Keybag: Bag Attributes
          friendlyName: mykey
          localKeyID: 54 69 6D 65 20 31 36 32 37 34 35 35 32 32 32 30 33 30
      ```


              People

              Assignee: Unassigned
              Reporter: Sebastian Stenzel (sstenzel)
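
To compare keystores the way the report's "Additional Info" does, the following added example (not part of the original report or of the JDK) reduces `openssl pkcs12 -info` text to one line with the MAC iteration count and the keybag PBE scheme. The function name, the `unreported` marker and the `sample_*` helpers are assumptions made here; the sample text is copied from the two outputs in the report, abridged.

```shell
#!/bin/sh
# Added example (not from the report). Real use, on a keystore file:
#   openssl pkcs12 -info -in foo.p12 -noout 2>&1 | p12_summary

# Read `openssl pkcs12 -info` text on stdin; print one summary line.
p12_summary() {
  awk '
    # Any MAC line carrying "Iteration <n>" gives the MAC iteration count.
    /^MAC/ && match($0, /Iteration [0-9]+/) {
      mac = substr($0, RSTART + 10, RLENGTH - 10)
    }
    /^Shrouded Keybag:/ {
      rest = $0
      sub(/^Shrouded Keybag:[ ]*/, "", rest)
      # The PBE scheme is reported only when ", Iteration <n>" follows it.
      if (match(rest, /, Iteration [0-9]+/)) {
        pbe = substr(rest, 1, RSTART - 1)
        iter = substr(rest, RSTART + 12, RLENGTH - 12)
      }
    }
    END {
      printf "mac_iter=%s keybag_pbe=%s keybag_iter=%s\n",
        (mac == "" ? "unreported" : mac),
        (pbe == "" ? "unreported" : pbe),
        (iter == "" ? "unreported" : iter)
    }'
}

# Outputs copied from the report above, abridged to the relevant lines.
sample_jdk15() {
  cat <<'EOF'
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
EOF
}
sample_jdk16() {
  cat <<'EOF'
MAC Iteration 10000
MAC verified OK
PKCS7 Data
Shrouded Keybag: Bag Attributes
EOF
}

echo "JDK <=15: $(sample_jdk15 | p12_summary)"
echo "JDK >=16: $(sample_jdk16 | p12_summary)"
```
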