-
Bug
-
Resolution: Duplicate
-
P3
-
None
-
1.4.0
-
x86
-
windows_nt, windows_2000
Name: nt126004 Date: 03/14/2002
FULL PRODUCT VERSION :
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)
FULL OPERATING SYSTEM VERSION :
Windows NT Version 4.0
ADDITIONAL OPERATING SYSTEMS :
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i686
A DESCRIPTION OF THE PROBLEM :
The test program will produce
"Cannot set up certs for trusted CAs"
WHEN the SUN provider is NOT in
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.trustpoint.security.provider.Trustpoint
#security.provider.2=sun.security.provider.Sun
section in jdk\jre\lib\security\java.security.
Same result for both JDK1.2.2 and JDK1.3.1.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Execute the test program as follow:
D:\work\learn>java -Djava.compiler=NONE
-Dtrustpoint.preferred.security.providers=SUN,Trustpoint -classpath
d:\jce1.2.1\lib\jce1_2_1.jar;d:\jce1.2.1\lib\local_policy.jar;
d:\jce1.2.1\lib\US_export_policy.jar;d:\jce1.2.1\lib\sunjce_provider.jar;
d:\work\build\trustpoint\lib\TrustpointProviders.jar;
d:\work\build\trustpoint\lib\ecc_all.jar;.;
d:\work\build\trustpoint\lib\TrustpointAll.jar jceKeyGenTest
2.
3.
EXPECTED VERSUS ACTUAL BEHAVIOR :
==========================
java -Djava.compiler=NONE jceTest <provider> <cipherAlg>
<keyAlg>
default alg:DESede
==========================
alg:DESede
Provider is NOT set
kg from provider:Trustpoint
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.ExceptionInInitializerError: java.lang.Secu
rityException: Cannot set up certs for trusted CAs
at javax.crypto.b.<clinit>([DashoPro-V1.2-120198])
at
at jceKeyGenTest.keyGenTest(jceKeyGenTest.java:28)
at jceKeyGenTest.main(jceKeyGenTest.java:43)
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.Key;
import java.security.AlgorithmParameters;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.DESedeKeySpec;
public class jceKeyGenTest {
private static String ALG = "DESede";
private static String CIPHER_ALG = "DESede/CBC/NoPadding";
private static String KEY_ALG = "DESede";
static public void keyGenTest(String alg, String provider) {
try {
System.out.println("==========================");
System.out.println("alg:" + alg);
KeyGenerator kg;
if (provider != null) {
System.out.println("Provider:" + provider);
kg = KeyGenerator.getInstance(alg, provider);
} else {
System.out.println("Provider is NOT set");
kg = KeyGenerator.getInstance(alg);
}
System.out.println("kg from provider:" + kg.getProvider().getName());
} catch (Exception e) {
e.printStackTrace();
}
}
static public void main(String[] args) {
System.out.println("==========================");
System.out.println("java -Djava.compiler=NONE jceTest <provider> <cipherAlg>
<keyAlg>");
System.out.println("default alg:" + ALG);
try {
if (args.length == 0) {
keyGenTest(ALG, null);
} else if (args.length == 1) {
keyGenTest(ALG, args[0]);
} else if (args.length == 2) {
keyGenTest(args[1], args[0]);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
---------- END SOURCE ----------
CUSTOMER WORKAROUND :
Add the SUN provider in java.security file.
(Review ID: 139539)
======================================================================
Name: nt126004 Date: 03/15/2002
FULL PRODUCT VERSION :
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)
FULL OPERATING SYSTEM VERSION :Microsoft Windows 2000
[Version 5.00.2195]
A DESCRIPTION OF THE PROBLEM :
When installing a new Security provider, if you change the
ordering so that the default security provider is not Sun,
when you try to initialize a javax.crypto.KeyGenerator
object the VM throws the following Exception:
java.lang.ExceptionInInitializerError
at javax.crypto.KeyGenerator.getInstance(DashoA6275)
at
org.aowms.core.security.CryptographyManager.main(CryptographyManager.java:78)
Caused by: java.lang.SecurityException: Cannot set up certs
for trusted CAs: java.security.InvalidKeyException: Public
key presented not for certificate signature
at javax.crypto.SunJCE_b.<clinit>(DashoA6275)
... 2 more
This works:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
This does not work:
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1.Add a new Security provider to the java.security file
2.Change the security provider preferences so that the new
Security Provider is first
3.Try to create an instance of javax.crypto.KeyGenerator
EXPECTED VERSUS ACTUAL BEHAVIOR :
I didn't expect the VM to get fussy about which Provider
comes first. The logic behind having a numbering scheme is
to allow you to set a default provider and add additional
providers as necessary without explicit coding. This
simplifies coding because I don't have to manually code in
which provider I wan't to default to. I don't want the Sun
provider to be my default provider and I should be able to
specify that via the java.security file without writing more
code.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.ExceptionInInitializerError
at javax.crypto.KeyGenerator.getInstance(DashoA6275)
at org.aowms.core.security.CryptographyManager.main(CryptographyManager.java:78)
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs:
java.security.InvalidKeyException: Public key presented not for certificate
signature
at javax.crypto.SunJCE_b.<clinit>(DashoA6275)
... 2 mor
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import javax.crypto.*;
/**
Note: The main method of this test case class is the exact same method of the
CryptographyManager class listed in the StackTrace of the 'Error Messages' field.
line 78 of the CryptographyManager class is line 3 of this test case class.
*/
public class CyrptoCrash
{
public static void main( String[] args ) throws Exception
{
KeyGenerator keyGenerator = KeyGenerator.getInstance( "Blowfish", "BC" );
keyGenerator.init( 128 );
SecretKey key = keyGenerator.generateKey();
System.out.println( keyGenerator.getProvider().getName() );
}
}
---------- END SOURCE ----------
CUSTOMER WORKAROUND :
Don't re-order the security providers if adding a new one.
Add the new one to the end.
(Review ID: 144089)
======================================================================