
empty friendly name and MAC iteration count in PKCS12 files


    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • Fix Version: 1.4.0
    • Affects Version: 1.0.2
    • Component: security-libs
    • Resolved in Build: beta2
    • OS: generic
    • CPU: generic



      Name: krC82822 Date: 04/29/2001


      29 Apr 2001, eval1127@eng -- see also #'s 4299592, 4272015
      -------
      java version "1.3.0"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
      Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)

      Using JSSE 1.0.2, I wrote a simple class to import a PKCS12 file into a JKS
      keystore.

      The purpose of the operation is to import into a Java environment certificates and private
      keys that were generated with OpenSSL (or other packages).

      Part of my code looks like this (line numbers are those of pkcs12tojks.java, as they
      appear in the stack traces below):

      import java.io.FileInputStream;
      import java.security.KeyStore;

      public class pkcs12tojks {
          public static void main(String args[])
          {
              try
              {
              ...
      23          char[] passphrase = args[1].toCharArray();
      24          KeyStore kin;
      25          KeyStore kout;
      26          kin = KeyStore.getInstance("PKCS12");
      27          kout = KeyStore.getInstance("JKS");
      28          kout.load(null, passphrase);      // fresh, empty JKS keystore
      29          kin.load(new FileInputStream(args[0]), passphrase);  // parse the .p12
              ...

      I found two problems:

      1/ When the "friendly name" in a PKCS12 file is an empty string, the
      KeyStore.load() method fails with the following error message:

      N:\java\sign>java pkcs12tojks test.p12 test
      java.lang.NullPointerException
              at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a([DashoPro-V1.2-120198])
              at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad([DashoPro-V1.2-120198])
              at java.security.KeyStore.load(Unknown Source)
              at pkcs12tojks.main(pkcs12tojks.java:29)

      My feeling is that the "friendly name" field can be left empty, and that an exception
      should not be thrown in that case.

      2/ So I put a non-empty friendly name and found another problem.
      The error message is (very explicit as usual...):

      java.io.IOException: toDerInputStream rejects tag type 2
              at com.sun.net.ssl.internal.ssl.DerValue.toDerInputStream([DashoPro-V1.2-120198])
              at com.sun.net.ssl.internal.ssl.MacData.<init>([DashoPro-V1.2-120198])
              at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad([DashoPro-V1.2-120198])
              at java.security.KeyStore.load(Unknown Source)
              at pkcs12tojks.main(pkcs12tojks.java:29)


      The problem is that, by default, OpenSSL sets the MAC iteration count to 2048
      when generating a .p12 file and it seems that the current implementation of
      PKCS12KeyStore does not support that number of iterations.
      I made a third attempt setting the MAC iteration count to 1, and it works!
      Nonetheless, I feel that MAC iteration counts in PKCS12 files should be better
      supported in Java classes or a clearer exception message be thrown.

      I'll be happy to have it explained to me what I am doing wrong if what I report is the
      normal behavior of Java classes.

      (Review ID: 120571)
      ======================================================================
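The second failure above is instructive about the DER layout of the PFX trailer: `iterations` in MacData is declared `INTEGER DEFAULT 1`, so DER omits the field entirely when the count is 1 and only a non-default count (such as OpenSSL's 2048) puts an INTEGER (tag 2) on the wire, which matches the trace rejecting "tag type 2" inside MacData. The following pre-flight check, an added example that is not part of the bug report or of the JDK, walks a .p12 file's MacData with a small standard-library DER reader and reports the iteration count before the file is handed to a keystore loader; `build_pfx_skeleton` is a constructed, non-loadable PFX used only to exercise the parser.

```python
"""Report the MAC iteration count of a DER PKCS#12 file. Walks
PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL } and
MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }."""

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def der_encode(tag, value):  # TLV with a short-form length; enough for the test structures below
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def pkcs12_mac_iterations(pfx):
    """Iteration count from MacData; None when the PFX carries no MAC at all."""
    tag, body, _ = der_read(pfx)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM or wrong file type?)")
    fields = der_children(body)
    if len(fields) < 3:
        return None                            # macData is OPTIONAL and absent
    parts = der_children(fields[2][1])         # DigestInfo, macSalt, [iterations]
    if len(parts) == 2:
        return 1                               # DEFAULT 1 is omitted on the wire
    if parts[2][0] != 0x02:
        raise ValueError("iterations is not an INTEGER, tag 0x%02x" % parts[2][0])
    return int.from_bytes(parts[2][1], "big")

def build_pfx_skeleton(iterations):
    """Constructed test PFX: dummy id-data authSafe, SHA-1 DigestInfo, fixed salt (not loadable)."""
    version = der_encode(0x02, b"\x03")
    oid_data = der_encode(0x06, bytes.fromhex("2a864886f70d010701"))    # 1.2.840.113549.1.7.1
    auth_safe = der_encode(0x30, oid_data + der_encode(0xA0, der_encode(0x04, b"")))
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2b0e03021a")) + der_encode(0x05, b""))
    mac_data = der_encode(0x30, alg + der_encode(0x04, b"\x00" * 20)) + der_encode(0x04, b"\x11" * 8)
    if iterations != 1:                        # mirror DER: encode only non-default values
        mac_data += der_encode(0x02, iterations.to_bytes((iterations.bit_length() + 8) // 8, "big"))
    return der_encode(0x30, version + auth_safe + der_encode(0x30, mac_data))
```

On a real file, call `pkcs12_mac_iterations(open("test.p12", "rb").read())`; a result of 1 means no INTEGER was present in MacData at all, which is why a file written with an iteration count of 1 loaded where the 2048 one did not.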

            smalkanisunw Seema Malkani (Inactive)
            kryansunw Kevin Ryan (Inactive)