- Bug
- Resolution: Not an Issue
- P4
- None
- 1.3.0
- x86
- windows_nt
Name: rlT66838 Date: 06/02/2000
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)
Keytool that is provided with JDK 1.3 cannot import a PKCS#7 certificate
chain. Here are the steps to reproduce:
[1] Get a PKCS#7 certificate chain (call it "cert.p7"). In our case, we got it
from a CA signer (Verisign) as a reply to a certificate signing request. It's
binary-encoded. The keystore to which we want to import the chain has the
corresponding private key entry.
[2] Examine the detail of the certificate chain by using
"keytool -printcert -file cert.p7 -v". It prints out the details of all
certificates in the chain.
[3] Try importing the certificate chain by using
"keytool -import -alias my_cert -file cert.p7 -keystore mykeystore -storepass mypassword -v".
We expect it to succeed because that's what's stated in the keytool
documentation. Instead, it immediately fails, printing out the following
message:
java.lang.Exception: Input not an X.509 certificate
I do not believe that the error is real. First, I was able to print out the
details of the chain using the same keytool. If they were not X.509
certificates, I would expect printcert to fail as well. Second, I wrote my own
code to import certs using java.security and java.security.cert classes. I am
able to import the PKCS#7 chain just fine, and they are all valid X.509
certificates.
I tried several different types of PKCS#7 blobs, but every single one fails.
However, this is what the keytool documentation claims:
"A different reply format (defined by the PKCS#7 standard) also includes the
supporting certificate chain, in addition to the issued certificate. Both reply
formats can be handled by keytool."
"-import {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt}
{-trustcacerts} {-storetype storetype} {-keystore keystore}
[-storepass storepass] {-v} {-Jjavaoption}
Reads the certificate or certificate chain (where the latter is supplied in a
PKCS#7 formatted reply) from the file cert_file, and stores it in the keystore
entry identified by alias. If no file is given, the certificate or PKCS#7 reply
is read from stdin. keytool can import X.509 v1, v2, and v3 certificates, and
PKCS#7 formatted certificate chains consisting of certificates of that type.
The data to be imported must be provided either in binary encoding format, or
in printable encoding format (also known as Base64 encoding) as defined by the
Internet RFC 1421 standard. "
I believe this is a bug with keytool. Either that bug needs to be fixed, or if
keytool was not meant to support PKCS#7 the documentation needs to be corrected.
(Review ID: 105609)
======================================================================
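As an added example (not the reporter's own code and not part of the JDK), this is the import the report describes done directly with java.security and java.security.cert: parse the PKCS#7 reply, order the certificates leaf-first, check that the leaf matches the key pair already in the keystore, and replace the self-signed certificate with the chain. The file names, alias and argument layout are assumed, as are a JKS keystore and a key password equal to the store password; the syntax is modern Java rather than 1.3.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ImportP7Chain {
    // Assumed usage: java ImportP7Chain cert.p7 mykeystore mypassword my_cert
    public static void main(String[] args) throws Exception {
        String p7File = args[0], ksFile = args[1], alias = args[3];
        char[] pass = args[2].toCharArray(); // assumes key password == store password
        // CertificateFactory accepts a PKCS#7 SignedData reply (DER or Base64) and
        // returns every X.509 certificate it carries, in no guaranteed order.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> bag = new ArrayList<>();
        try (InputStream in = new FileInputStream(p7File)) {
            for (Certificate c : cf.generateCertificates(in)) bag.add((X509Certificate) c);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, pass); }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        // The -genkey entry holds a self-signed cert carrying this key's public key.
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        ks.setKeyEntry(alias, key, pass, buildChain(bag, pub)); // replaces the self-signed cert
        try (FileOutputStream out = new FileOutputStream(ksFile)) { ks.store(out, pass); }
    }

    /** Order the PKCS#7 bag leaf-first, refusing a reply that does not match the key. */
    static Certificate[] buildChain(List<X509Certificate> bag, PublicKey pub) throws Exception {
        List<Certificate> chain = new ArrayList<>();
        X509Certificate cur = null;
        for (X509Certificate c : bag) if (c.getPublicKey().equals(pub)) cur = c;
        if (cur == null) throw new Exception("Reply has no certificate for this key pair");
        while (cur != null && chain.size() < bag.size()) {
            chain.add(cur);
            X509Certificate issuer = null;
            for (X509Certificate c : bag)
                if (c != cur && c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) issuer = c;
            if (issuer != null) cur.verify(issuer.getPublicKey()); // throws on a broken or forged link
            cur = issuer;
        }
        return chain.toArray(new Certificate[0]);
    }
}
```

The public-key match and the per-link signature check are the two things an import should never skip: without them a CA reply for a different key, or a chain with a tampered intermediate, would silently replace the entry's certificate.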