-
Bug
-
Resolution: Duplicate
-
P3
-
None
-
1.4.0
-
x86
-
linux
3
.s...H@q..,.....
0070: 7F 6E 3B 04 CD 09 FB 0A C2 2E 8A 5E E1 AD 67 C1
.n;........^..g.
]
com.sun.net.ssl.internal.ssl.JSA_RSAPrivateKey@ece65
RSA
Done
bash-2.01$ diff -u goosedog.sh ogoosedog.sh
--- goosedog.sh Thu Aug 15 07:30:35 2002
+++ ogoosedog.sh Thu Aug 15 08:47:37 2002
@@ -5,7 +5,7 @@
rm -f *.pem
rm -f *.p12
-SAN=URI:im://###@###.###,URI:pres://###@###.###
+SAN=URI:im:###@###.###,URI:pres:###@###.###
export SAN
sh CA.sh -newca <<EOF
bash-2.01$ sh ogoosedog.sh
+ rm -rf demoCA
+ rm -f newcert.pem newreq.pem
+ rm -f goosedog.p12
+ SAN=URI:im:###@###.###,URI:pres:###@###.###
+ export SAN
+ sh CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:+ sh CA.sh -newreq
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............................................................++++++
...................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:Request
(and private key) is in newreq.pem
+ sh CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:kato
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'MA'
localityName :PRINTABLE:'Bedford'
organizationName :PRINTABLE:'The MITRE Corporation'
commonName :PRINTABLE:'Kato the Goose Dog'
emailAddress :IA5STRING:'###@###.###'
Certificate is to be certified until Aug 15 12:52:39 2003
GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit?
[y/n]Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 12:52:39 2002 GMT
Not After : Aug 15 12:52:39 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:15:fe:1e:28:80:92:50:02:67:4d:31:bd:a9:
25:48:dd:b5:a4:6b:48:ca:6e:9d:eb:66:e0:55:51:
64:08:72:b9:74:3f:c6:88:96:50:32:41:3f:89:be:
61:22:99:c1:ed:27:41:f0:75:d0:7b:32:cf:b2:11:
54:0a:87:dd:3b:c8:b8:26:1e:4a:c6:08:af:d4:94:
c1:2d:f3:ad:03:07:f1:e7:b0:3e:7d:a7:99:fa:7b:
ae:b3:45:ff:23:30:1b:27:82:ee:a8:b7:55:7e:b0:
b8:c7:8c:75:a6:fc:75:4e:59:c8:f7:93:86:b0:5d:
be:45:1e:8d:ed:7c:7b:92:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:28:46:D0:BF:7D:FD:71:FF:AC:81:FB:58:A9:C4:DA:2F:E6:02:64
X509v3 Authority Key Identifier:
keyid:FD:D2:85:33:23:A1:02:47:AD:FD:03:10:2F:08:0A:89:94:D8:6C:53
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im:###@###.###,
URI:pres:###@###.###
Signature Algorithm: md5WithRSAEncryption
57:bc:7d:00:f9:e4:60:44:50:f2:22:35:4e:ef:47:bb:ac:db:
7a:2e:7e:05:c8:62:b8:c8:a9:d5:b5:31:08:c8:2a:f4:36:11:
75:b1:d9:27:b6:0d:df:08:2d:1c:09:0e:31:59:63:2f:e6:aa:
dc:f3:a6:ac:04:62:69:77:68:b6:9a:7e:c0:39:88:58:b7:d2:
e1:a3:01:8b:27:70:2e:26:c6:f7:65:18:54:b1:71:c0:76:42:
6c:63:c9:ac:94:e3:ae:49:7a:c1:a6:0a:c6:28:c7:86:89:53:
af:0a:84:6c:02:60:2e:ea:0b:61:48:75:7b:96:7e:7f:59:17:
e2:65
-----BEGIN CERTIFICATE-----
MIIDqzCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNVBAoTFVRoZSBNSVRS
RSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMDIwODE1MTI1MjM5WhcNMDMwODE1MTI1MjM5WjCBjDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAk1BMRAwDgYDVQQHEwdCZWRmb3JkMR4wHAYDVQQKExVUaGUg
TUlUUkUgQ29ycG9yYXRpb24xGzAZBgNVBAMTEkthdG8gdGhlIEdvb3NlIERvZzEh
MB8GCSqGSIb3DQEJARYSZ29vc2Vkb2dAbWl0cmUub3JnMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC2Ff4eKICSUAJnTTG9qSVI3bWka0jKbp3rZuBVUWQIcrl0
P8aIllAyQT+JvmEimcHtJ0HwddB7Ms+yEVQKh907yLgmHkrGCK/UlMEt860DB/Hn
sD59p5n6e66zRf8jMBsngu6ot1V+sLjHjHWm/HVOWcj3k4awXb5FHo3tfHuSYwID
AQABo4IBNTCCATEwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFOwoRtC/ff1x/6yB+1ipxNov
5gJkMIGbBgNVHSMEgZMwgZCAFP3ShTMjoQJHrf0DEC8IComU2GxToXWkczBxMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNV
BAoTFVRoZSBNSVRSRSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHmCAQAwOQYDVR0RBDIwMIYVaW06Z29vc2Vkb2dAbWl0cmUu
b3JnhhdwcmVzOmdvb3NlZG9nQG1pdHJlLm9yZzANBgkqhkiG9w0BAQQFAAOBgQBX
vH0A+eRgRFDyIjVO70e7rNt6Ln4FyGK4yKnVtTEIyCr0NhF1sdkntg3fCC0cCQ4x
WWMv5qrc86asBGJpd2i2mn7AOYhYt9LhowGLJ3AuJsb3ZRhUsXHAdkJsY8mslOOu
SXrBpgrGKMeGiVOvCoRsAmAu6gthSHV7ln5/WRfiZQ==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
+ openssl x509 -in newcert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 12:52:39 2002 GMT
Not After : Aug 15 12:52:39 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:15:fe:1e:28:80:92:50:02:67:4d:31:bd:a9:
25:48:dd:b5:a4:6b:48:ca:6e:9d:eb:66:e0:55:51:
64:08:72:b9:74:3f:c6:88:96:50:32:41:3f:89:be:
61:22:99:c1:ed:27:41:f0:75:d0:7b:32:cf:b2:11:
54:0a:87:dd:3b:c8:b8:26:1e:4a:c6:08:af:d4:94:
c1:2d:f3:ad:03:07:f1:e7:b0:3e:7d:a7:99:fa:7b:
ae:b3:45:ff:23:30:1b:27:82:ee:a8:b7:55:7e:b0:
b8:c7:8c:75:a6:fc:75:4e:59:c8:f7:93:86:b0:5d:
be:45:1e:8d:ed:7c:7b:92:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:28:46:D0:BF:7D:FD:71:FF:AC:81:FB:58:A9:C4:DA:2F:E6:02:64
X509v3 Authority Key Identifier:
keyid:FD:D2:85:33:23:A1:02:47:AD:FD:03:10:2F:08:0A:89:94:D8:6C:53
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im:###@###.###,
URI:pres:###@###.###
Signature Algorithm: md5WithRSAEncryption
57:bc:7d:00:f9:e4:60:44:50:f2:22:35:4e:ef:47:bb:ac:db:
7a:2e:7e:05:c8:62:b8:c8:a9:d5:b5:31:08:c8:2a:f4:36:11:
75:b1:d9:27:b6:0d:df:08:2d:1c:09:0e:31:59:63:2f:e6:aa:
dc:f3:a6:ac:04:62:69:77:68:b6:9a:7e:c0:39:88:58:b7:d2:
e1:a3:01:8b:27:70:2e:26:c6:f7:65:18:54:b1:71:c0:76:42:
6c:63:c9:ac:94:e3:ae:49:7a:c1:a6:0a:c6:28:c7:86:89:53:
af:0a:84:6c:02:60:2e:ea:0b:61:48:75:7b:96:7e:7f:59:17:
e2:65
+ openssl pkcs12 -export -out goosedog.p12 -in newcert.pem
-inkey newreq.pem -name goosedog -certfile demoCA/cacert.pem
Enter PEM pass phrase:kato
Enter Export Password:kato
Verifying password - Enter Export Password:kato
bash-2.01$ java KS
java.security.cert.CertificateParsingException:
java.io.IOException: java.io.IOException: name does not
include scheme-specific portion starting with host
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1590)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:284)
at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a(DashoA6275)
at
com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA6275)
at java.security.KeyStore.load(KeyStore.java:652)
at KS.main(KS.java:12)
Caused by: java.io.IOException: java.io.IOException: name
does not include scheme-specific portion starting with host
at
sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:110)
at
sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:78)
at
sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:725)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
... 8 more
bash-2.01$
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1.
2.
3.See Description
EXPECTED VERSUS ACTUAL BEHAVIOR :
No exception thrown
ERROR MESSAGES/STACK TRACES THAT OCCUR :
see description
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
<** see attachments **>
---------- END SOURCE ----------
CUSTOMER WORKAROUND :
Use server-based URIs.
(Review ID: 160809)
======================================================================
Name: nt126004 Date: 03/19/2003
FULL PRODUCT VERSION :
bash-2.01$ java -version
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)
FULL OPERATING SYSTEM VERSION :
Linux divan.mitre.org 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001
i686 unknown
A DESCRIPTION OF THE PROBLEM :
It appears that loading a Certificate with Subject
Alternative Names
that include opaque URIs, such as im:###@###.###,
causes an
exception. Using server-based URIs seems to work fine.
John
bash-2.01$ date
Thu Aug 15 07:42:18 EDT 2002
bash-2.01$ uname -a
Linux divan.mitre.org 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001
i686 unknown
bash-2.01$ dir
total 1
-rw-r--r-- 1 ramsdell air 524 Aug 15 07:30
goosedog.sh
bash-2.01$ cat goosedog.sh
#!/bin/sh
set -x
rm -rf demoCA
rm -f *.pem
rm -f *.p12
SAN=URI:im://###@###.###,URI:pres://###@###.###
export SAN
sh CA.sh -newca <<EOF
US
MA
Bedford
The MITRE Corporation
Test Certificate Authority
EOF
sh CA.sh -newreq <<EOF
US
MA
Bedford
The MITRE Corporation
Kato the Goose Dog
###@###.###
EOF
sh CA.sh -sign <<EOF
y
y
EOF
openssl x509 -in newcert.pem -noout -text
openssl pkcs12 -export -out goosedog.p12 -in newcert.pem -inkey newreq.pem -name goosedog -certfile demoCA/cacert.pem
bash-2.01$ pushd $OPENSSL_HOME
/usr/local/ssl ~/cpim
bash-2.01$ diff -u openssl__00.cnf openssl.cnf
--- openssl__00.cnf Mon Aug 12 09:25:19 2002
+++ openssl.cnf Thu Aug 15 07:16:19 2002
@@ -180,6 +180,7 @@
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=${ENV::SAN}
# Copy subject details
# issuerAltName=issuer:copy
bash-2.01$ popd
~/cpim
bash-2.01$ cp -p $OPENSSL_HOME/misc/CA.sh .
bash-2.01$ sh goosedog.sh
+ rm -rf demoCA
+ rm -f '*.pem'
+ rm -f '*.p12'
+ SAN=URI:im://###@###.###,URI:pres://###@###.###
+ export SAN
+ sh CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................................................................++++++
.................................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:+ sh CA.sh -newreq
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.......++++++
..................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:Request
(and private key) is in newreq.pem
+ sh CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:kato
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'MA'
localityName :PRINTABLE:'Bedford'
organizationName :PRINTABLE:'The MITRE Corporation'
commonName :PRINTABLE:'Kato the Goose Dog'
emailAddress :IA5STRING:'###@###.###'
Certificate is to be certified until Aug 15 11:43:51 2003
GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit?
[y/n]Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 11:43:51 2002 GMT
Not After : Aug 15 11:43:51 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:9e:0d:34:4e:b5:3f:76:a2:41:c4:fe:42:77:
b8:f6:d3:0b:df:4b:80:41:05:f4:7a:54:43:21:a8:
ee:21:9f:0b:0d:cc:6d:18:bc:10:f8:b2:07:dc:6f:
02:fc:c8:95:38:fb:43:8d:5f:58:c3:cb:81:64:91:
ef:52:64:ab:18:5c:8d:a8:79:82:74:86:4d:7f:11:
1b:8e:82:48:58:97:f1:b3:1c:19:6b:67:ed:5f:35:
65:05:64:6d:74:e5:0c:42:1b:c5:82:94:62:ef:ab:
c5:6d:0e:39:72:69:98:55:0a:3c:83:45:d6:08:1e:
1c:0f:da:5c:18:7a:bb:7f:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:FD:70:C1:95:95:53:F3:F8:7F:E2:7B:6E:D6:F0:67:60:84:FA:ED
X509v3 Authority Key Identifier:
keyid:E1:6C:B0:4F:C0:65:DF:4B:49:D6:DE:68:03:6E:4A:85:93:84:23:A5
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im://###@###.###,
URI:pres://###@###.###
Signature Algorithm: md5WithRSAEncryption
5d:e6:7e:71:02:0c:1d:6b:2c:e8:a0:72:c3:3d:ab:03:9c:7e:
7d:a0:98:da:39:6e:16:9c:cb:3f:7e:ae:75:99:75:99:a0:4b:
0a:41:bf:64:0a:ca:0e:1d:d5:99:b1:8b:81:26:c6:c6:ca:b1:
e5:ce:48:14:a2:76:54:41:51:0f:c6:73:f2:fd:d0:41:9d:ab:
27:e1:28:ec:a1:b0:f1:a0:b6:70:0f:8b:2c:15:ed:4b:ea:6e:
bc:4c:f3:37:ea:b0:0e:73:88:8c:a3:48:40:71:9f:dd:2c:1a:
97:8b:a1:13:7f:6e:3b:04:cd:09:fb:0a:c2:2e:8a:5e:e1:ad:
67:c1
-----BEGIN CERTIFICATE-----
MIIDrzCCAxigAwIBAgIBATANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNVBAoTFVRoZSBNSVRS
RSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMDIwODE1MTE0MzUxWhcNMDMwODE1MTE0MzUxWjCBjDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAk1BMRAwDgYDVQQHEwdCZWRmb3JkMR4wHAYDVQQKExVUaGUg
TUlUUkUgQ29ycG9yYXRpb24xGzAZBgNVBAMTEkthdG8gdGhlIEdvb3NlIERvZzEh
MB8GCSqGSIb3DQEJARYSZ29vc2Vkb2dAbWl0cmUub3JnMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDWng00TrU/dqJBxP5Cd7j20wvfS4BBBfR6VEMhqO4hnwsN
zG0YvBD4sgfcbwL8yJU4+0ONX1jDy4Fkke9SZKsYXI2oeYJ0hk1/ERuOgkhYl/Gz
HBlrZ+1fNWUFZG105QxCG8WClGLvq8VtDjlyaZhVCjyDRdYIHhwP2lwYert/qwID
AQABo4IBOTCCATUwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBn9cMGVlVPz+H/ie27W8Gdg
hPrtMIGbBgNVHSMEgZMwgZCAFOFssE/AZd9LSdbeaANuSoWThCOloXWkczBxMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNV
BAoTFVRoZSBNSVRSRSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHmCAQAwPQYDVR0RBDYwNIYXaW06Ly9nb29zZWRvZ0BtaXRy
ZS5vcmeGGXByZXM6Ly9nb29zZWRvZ0BtaXRyZS5vcmcwDQYJKoZIhvcNAQEEBQAD
gYEAXeZ+cQIMHWss6KBywz2rA5x+faCY2jluFpzLP36udZl1maBLCkG/ZArKDh3V
mbGLgSbGxsqx5c5IFKJ2VEFRD8Zz8v3QQZ2rJ+Eo7KGw8aC2cA+LLBXtS+puvEzz
N+qwDnOIjKNIQHGf3Swal4uhE39uOwTNCfsKwi6KXuGtZ8E=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
+ openssl x509 -in newcert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 11:43:51 2002 GMT
Not After : Aug 15 11:43:51 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:9e:0d:34:4e:b5:3f:76:a2:41:c4:fe:42:77:
b8:f6:d3:0b:df:4b:80:41:05:f4:7a:54:43:21:a8:
ee:21:9f:0b:0d:cc:6d:18:bc:10:f8:b2:07:dc:6f:
02:fc:c8:95:38:fb:43:8d:5f:58:c3:cb:81:64:91:
ef:52:64:ab:18:5c:8d:a8:79:82:74:86:4d:7f:11:
1b:8e:82:48:58:97:f1:b3:1c:19:6b:67:ed:5f:35:
65:05:64:6d:74:e5:0c:42:1b:c5:82:94:62:ef:ab:
c5:6d:0e:39:72:69:98:55:0a:3c:83:45:d6:08:1e:
1c:0f:da:5c:18:7a:bb:7f:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:FD:70:C1:95:95:53:F3:F8:7F:E2:7B:6E:D6:F0:67:60:84:FA:ED
X509v3 Authority Key Identifier:
keyid:E1:6C:B0:4F:C0:65:DF:4B:49:D6:DE:68:03:6E:4A:85:93:84:23:A5
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im://###@###.###,
URI:pres://###@###.###
Signature Algorithm: md5WithRSAEncryption
5d:e6:7e:71:02:0c:1d:6b:2c:e8:a0:72:c3:3d:ab:03:9c:7e:
7d:a0:98:da:39:6e:16:9c:cb:3f:7e:ae:75:99:75:99:a0:4b:
0a:41:bf:64:0a:ca:0e:1d:d5:99:b1:8b:81:26:c6:c6:ca:b1:
e5:ce:48:14:a2:76:54:41:51:0f:c6:73:f2:fd:d0:41:9d:ab:
27:e1:28:ec:a1:b0:f1:a0:b6:70:0f:8b:2c:15:ed:4b:ea:6e:
bc:4c:f3:37:ea:b0:0e:73:88:8c:a3:48:40:71:9f:dd:2c:1a:
97:8b:a1:13:7f:6e:3b:04:cd:09:fb:0a:c2:2e:8a:5e:e1:ad:
67:c1
+ openssl pkcs12 -export -out goosedog.p12 -in newcert.pem
-inkey newreq.pem -name goosedog -certfile demoCA/cacert.pem
Enter PEM pass phrase:kato
Enter Export Password:kato
Verifying password - Enter Export Password:kato
bash-2.01$ dir
total 15
-rwxr-xr-x 1 ramsdell air 3505 Aug 12 09:25 CA.sh
drwxr-xr-x 6 ramsdell air 512 Aug 15 07:43 demoCA
-rw-r--r-- 1 ramsdell air 2886 Aug 15 07:43
goosedog.p12
-rw-r--r-- 1 ramsdell air 524 Aug 15 07:30
goosedog.sh
-rw-r--r-- 1 ramsdell air 3728 Aug 15 07:43
newcert.pem
-rw-r--r-- 1 ramsdell air 1663 Aug 15 07:43
newreq.pem
bash-2.01$ keytool -list -storetype pkcs12 -keystore
goosedog.p12
Enter keystore password: kato
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
goosedog, Aug 15, 2002, keyEntry,
Certificate fingerprint (MD5):
34:BE:E4:71:FA:37:B6:ED:9B:37:D1:38:2B:10:2B:90
bash-2.01$ cat KS.java
import java.security.cert.*;
import java.security.*;
import java.io.*;
import java.util.*;
class KS
{
public static void main(String[] args) {
try {
KeyStore ks = KeyStore.getInstance("pkcs12");
InputStream in = new FileInputStream("goosedog.p12");
ks.load(in, new char[] { 'k', 'a', 't', 'o'});
in.close();
Enumeration aliases = ks.aliases();
while (aliases.hasMoreElements()) {
String alias = (String)aliases.nextElement();
System.out.println(alias + " trusted? "
+ ks.isCertificateEntry(alias));
java.security.cert.Certificate cert = ks.getCertificate(alias);
System.out.println(cert);
Key key = ks.getKey(alias, new char[] { 'k', 'a', 't', 'o'});
System.out.println(key);
System.out.println(key.getAlgorithm());
}
}
catch (Throwable t) {
t.printStackTrace();
return;
}
System.out.println("Done");
}
}
bash-2.01$ javac KS.java
bash-2.01$ java KS
goosedog trusted? false
[
[
Version: V3
Subject: EMAILADDRESS=###@###.###, CN=Kato the
Goose Dog, O=The MITRE Corporation, L=Bedford, ST=MA, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@df503
Validity: [From: Thu Aug 15 07:43:51 EDT 2002,
To: Fri Aug 15 07:43:51 EDT 2003]
Issuer: OU=Test Certificate Authority, O=The MITRE
Corporation, L=Bedford, ST=MA, C=US
SerialNumber: [ 01]
Certificate Extensions: 5
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65
....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74
rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 19 FD 70 C1 95 95 53 F3 F8 7F E2 7B 6E D6 F0 67
..p...S.....n..g
0010: 60 84 FA ED `...
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E1 6C B0 4F C0 65 DF 4B 49 D6 DE 68 03 6E 4A 85
.l.O.e.KI..h.nJ.
0010: 93 84 23 A5 ..#.
]
[OU=Test Certificate Authority, O=The MITRE Corporation,
L=Bedford, ST=MA, C=US]
SerialNumber: [ 0 ]
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[URIName: im://###@###.###, URIName:
pres://###@###.###]
[5]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 5D E6 7E 71 02 0C 1D 6B 2C E8 A0 72 C3 3D AB 03
]..q...k,..r.=..
0010: 9C 7E 7D A0 98 DA 39 6E 16 9C CB 3F 7E AE 75 99
......9n...?..u.
0020: 75 99 A0 4B 0A 41 BF 64 0A CA 0E 1D D5 99 B1 8B
u..K.A.d........
0030: 81 26 C6 C6 CA B1 E5 CE 48 14 A2 76 54 41 51 0F
.&......H..vTAQ.
0040: C6 73 F2 FD D0 41 9D AB 27 E1 28 EC A1 B0 F1 A0
.s...A..'.(.....
0050: B6 70 0F 8B 2C 15 ED 4B EA 6E BC 4C F3 37 EA B0
.p..,..K.n.L.7..
0060: 0E 73 88 8C A3 48 40 71 9F DD 2C 1A 97 8B A1 1
.s...H@q..,.....
0070: 7F 6E 3B 04 CD 09 FB 0A C2 2E 8A 5E E1 AD 67 C1
.n;........^..g.
]
com.sun.net.ssl.internal.ssl.JSA_RSAPrivateKey@ece65
RSA
Done
bash-2.01$ diff -u goosedog.sh ogoosedog.sh
--- goosedog.sh Thu Aug 15 07:30:35 2002
+++ ogoosedog.sh Thu Aug 15 08:47:37 2002
@@ -5,7 +5,7 @@
rm -f *.pem
rm -f *.p12
-SAN=URI:im://###@###.###,URI:pres://###@###.###
+SAN=URI:im:###@###.###,URI:pres:###@###.###
export SAN
sh CA.sh -newca <<EOF
bash-2.01$ sh ogoosedog.sh
+ rm -rf demoCA
+ rm -f newcert.pem newreq.pem
+ rm -f goosedog.p12
+ SAN=URI:im:###@###.###,URI:pres:###@###.###
+ export SAN
+ sh CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:+ sh CA.sh -newreq
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............................................................++++++
...................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:Request
(and private key) is in newreq.pem
+ sh CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:kato
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'MA'
localityName :PRINTABLE:'Bedford'
organizationName :PRINTABLE:'The MITRE Corporation'
commonName :PRINTABLE:'Kato the Goose Dog'
emailAddress :IA5STRING:'###@###.###'
Certificate is to be certified until Aug 15 12:52:39 2003
GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit?
[y/n]Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 12:52:39 2002 GMT
Not After : Aug 15 12:52:39 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:15:fe:1e:28:80:92:50:02:67:4d:31:bd:a9:
25:48:dd:b5:a4:6b:48:ca:6e:9d:eb:66:e0:55:51:
64:08:72:b9:74:3f:c6:88:96:50:32:41:3f:89:be:
61:22:99:c1:ed:27:41:f0:75:d0:7b:32:cf:b2:11:
54:0a:87:dd:3b:c8:b8:26:1e:4a:c6:08:af:d4:94:
c1:2d:f3:ad:03:07:f1:e7:b0:3e:7d:a7:99:fa:7b:
ae:b3:45:ff:23:30:1b:27:82:ee:a8:b7:55:7e:b0:
b8:c7:8c:75:a6:fc:75:4e:59:c8:f7:93:86:b0:5d:
be:45:1e:8d:ed:7c:7b:92:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:28:46:D0:BF:7D:FD:71:FF:AC:81:FB:58:A9:C4:DA:2F:E6:02:64
X509v3 Authority Key Identifier:
keyid:FD:D2:85:33:23:A1:02:47:AD:FD:03:10:2F:08:0A:89:94:D8:6C:53
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im:###@###.###,
URI:pres:###@###.###
Signature Algorithm: md5WithRSAEncryption
57:bc:7d:00:f9:e4:60:44:50:f2:22:35:4e:ef:47:bb:ac:db:
7a:2e:7e:05:c8:62:b8:c8:a9:d5:b5:31:08:c8:2a:f4:36:11:
75:b1:d9:27:b6:0d:df:08:2d:1c:09:0e:31:59:63:2f:e6:aa:
dc:f3:a6:ac:04:62:69:77:68:b6:9a:7e:c0:39:88:58:b7:d2:
e1:a3:01:8b:27:70:2e:26:c6:f7:65:18:54:b1:71:c0:76:42:
6c:63:c9:ac:94:e3:ae:49:7a:c1:a6:0a:c6:28:c7:86:89:53:
af:0a:84:6c:02:60:2e:ea:0b:61:48:75:7b:96:7e:7f:59:17:
e2:65
-----BEGIN CERTIFICATE-----
MIIDqzCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNVBAoTFVRoZSBNSVRS
RSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMDIwODE1MTI1MjM5WhcNMDMwODE1MTI1MjM5WjCBjDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAk1BMRAwDgYDVQQHEwdCZWRmb3JkMR4wHAYDVQQKExVUaGUg
TUlUUkUgQ29ycG9yYXRpb24xGzAZBgNVBAMTEkthdG8gdGhlIEdvb3NlIERvZzEh
MB8GCSqGSIb3DQEJARYSZ29vc2Vkb2dAbWl0cmUub3JnMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC2Ff4eKICSUAJnTTG9qSVI3bWka0jKbp3rZuBVUWQIcrl0
P8aIllAyQT+JvmEimcHtJ0HwddB7Ms+yEVQKh907yLgmHkrGCK/UlMEt860DB/Hn
sD59p5n6e66zRf8jMBsngu6ot1V+sLjHjHWm/HVOWcj3k4awXb5FHo3tfHuSYwID
AQABo4IBNTCCATEwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFOwoRtC/ff1x/6yB+1ipxNov
5gJkMIGbBgNVHSMEgZMwgZCAFP3ShTMjoQJHrf0DEC8IComU2GxToXWkczBxMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNV
BAoTFVRoZSBNSVRSRSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHmCAQAwOQYDVR0RBDIwMIYVaW06Z29vc2Vkb2dAbWl0cmUu
b3JnhhdwcmVzOmdvb3NlZG9nQG1pdHJlLm9yZzANBgkqhkiG9w0BAQQFAAOBgQBX
vH0A+eRgRFDyIjVO70e7rNt6Ln4FyGK4yKnVtTEIyCr0NhF1sdkntg3fCC0cCQ4x
WWMv5qrc86asBGJpd2i2mn7AOYhYt9LhowGLJ3AuJsb3ZRhUsXHAdkJsY8mslOOu
SXrBpgrGKMeGiVOvCoRsAmAu6gthSHV7ln5/WRfiZQ==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
+ openssl x509 -in newcert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 12:52:39 2002 GMT
Not After : Aug 15 12:52:39 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:15:fe:1e:28:80:92:50:02:67:4d:31:bd:a9:
25:48:dd:b5:a4:6b:48:ca:6e:9d:eb:66:e0:55:51:
64:08:72:b9:74:3f:c6:88:96:50:32:41:3f:89:be:
61:22:99:c1:ed:27:41:f0:75:d0:7b:32:cf:b2:11:
54:0a:87:dd:3b:c8:b8:26:1e:4a:c6:08:af:d4:94:
c1:2d:f3:ad:03:07:f1:e7:b0:3e:7d:a7:99:fa:7b:
ae:b3:45:ff:23:30:1b:27:82:ee:a8:b7:55:7e:b0:
b8:c7:8c:75:a6:fc:75:4e:59:c8:f7:93:86:b0:5d:
be:45:1e:8d:ed:7c:7b:92:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:28:46:D0:BF:7D:FD:71:FF:AC:81:FB:58:A9:C4:DA:2F:E6:02:64
X509v3 Authority Key Identifier:
keyid:FD:D2:85:33:23:A1:02:47:AD:FD:03:10:2F:08:0A:89:94:D8:6C:53
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im:###@###.###,
URI:pres:###@###.###
Signature Algorithm: md5WithRSAEncryption
57:bc:7d:00:f9:e4:60:44:50:f2:22:35:4e:ef:47:bb:ac:db:
7a:2e:7e:05:c8:62:b8:c8:a9:d5:b5:31:08:c8:2a:f4:36:11:
75:b1:d9:27:b6:0d:df:08:2d:1c:09:0e:31:59:63:2f:e6:aa:
dc:f3:a6:ac:04:62:69:77:68:b6:9a:7e:c0:39:88:58:b7:d2:
e1:a3:01:8b:27:70:2e:26:c6:f7:65:18:54:b1:71:c0:76:42:
6c:63:c9:ac:94:e3:ae:49:7a:c1:a6:0a:c6:28:c7:86:89:53:
af:0a:84:6c:02:60:2e:ea:0b:61:48:75:7b:96:7e:7f:59:17:
e2:65
+ openssl pkcs12 -export -out goosedog.p12 -in newcert.pem
-inkey newreq.pem -name goosedog -certfile demoCA/cacert.pem
Enter PEM pass phrase:kato
Enter Export Password:kato
Verifying password - Enter Export Password:kato
bash-2.01$ java KS
java.security.cert.CertificateParsingException:
java.io.IOException: java.io.IOException: name does not
include scheme-specific portion starting with host
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1590)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:284)
at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a(DashoA6275)
at
com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA6275)
at java.security.KeyStore.load(KeyStore.java:652)
at KS.main(KS.java:12)
Caused by: java.io.IOException: java.io.IOException: name
does not include scheme-specific portion starting with host
at
sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:110)
at
sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:78)
at
sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:725)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
... 8 more
bash-2.01$
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1.
2.
3.See Description
EXPECTED VERSUS ACTUAL BEHAVIOR :
No exception thrown
ERROR MESSAGES/STACK TRACES THAT OCCUR :
see description
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
<** see attachments **>
---------- END SOURCE ----------
CUSTOMER WORKAROUND :
Use server-based URIs.
(Review ID: 160809)
======================================================================
Name: nt126004 Date: 03/19/2003
FULL PRODUCT VERSION :
bash-2.01$ java -version
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)
FULL OPERATING SYSTEM VERSION :
Linux divan.mitre.org 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001
i686 unknown
A DESCRIPTION OF THE PROBLEM :
It appears that loading a Certificate with Subject
Alternative Names
that include opaque URIs, such as im:###@###.###,
causes an
exception. Using server-based URIs seems to work fine.
John
bash-2.01$ date
Thu Aug 15 07:42:18 EDT 2002
bash-2.01$ uname -a
Linux divan.mitre.org 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001
i686 unknown
bash-2.01$ dir
total 1
-rw-r--r-- 1 ramsdell air 524 Aug 15 07:30
goosedog.sh
bash-2.01$ cat goosedog.sh
#!/bin/sh
set -x
rm -rf demoCA
rm -f *.pem
rm -f *.p12
SAN=URI:im://###@###.###,URI:pres://###@###.###
export SAN
sh CA.sh -newca <<EOF
US
MA
Bedford
The MITRE Corporation
Test Certificate Authority
EOF
sh CA.sh -newreq <<EOF
US
MA
Bedford
The MITRE Corporation
Kato the Goose Dog
###@###.###
EOF
sh CA.sh -sign <<EOF
y
y
EOF
openssl x509 -in newcert.pem -noout -text
openssl pkcs12 -export -out goosedog.p12 -in newcert.pem -inkey newreq.pem -name goosedog -certfile demoCA/cacert.pem
bash-2.01$ pushd $OPENSSL_HOME
/usr/local/ssl ~/cpim
bash-2.01$ diff -u openssl__00.cnf openssl.cnf
--- openssl__00.cnf Mon Aug 12 09:25:19 2002
+++ openssl.cnf Thu Aug 15 07:16:19 2002
@@ -180,6 +180,7 @@
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=${ENV::SAN}
# Copy subject details
# issuerAltName=issuer:copy
bash-2.01$ popd
~/cpim
bash-2.01$ cp -p $OPENSSL_HOME/misc/CA.sh .
bash-2.01$ sh goosedog.sh
+ rm -rf demoCA
+ rm -f '*.pem'
+ rm -f '*.p12'
+ SAN=URI:im://###@###.###,URI:pres://###@###.###
+ export SAN
+ sh CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................................................................++++++
.................................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:+ sh CA.sh -newreq
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.......++++++
..................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:kato
Verifying password - Enter PEM pass phrase:kato
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name
(full name) [Some-State]:Locality Name (eg, city)
[]:Organization Name (eg, company) [Internet Widgits Pty
Ltd]:Organizational Unit Name (eg, section) []:Common Name
(eg, YOUR name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:An optional company name []:Request
(and private key) is in newreq.pem
+ sh CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:kato
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'MA'
localityName :PRINTABLE:'Bedford'
organizationName :PRINTABLE:'The MITRE Corporation'
commonName :PRINTABLE:'Kato the Goose Dog'
emailAddress :IA5STRING:'###@###.###'
Certificate is to be certified until Aug 15 11:43:51 2003
GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit?
[y/n]Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 11:43:51 2002 GMT
Not After : Aug 15 11:43:51 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:9e:0d:34:4e:b5:3f:76:a2:41:c4:fe:42:77:
b8:f6:d3:0b:df:4b:80:41:05:f4:7a:54:43:21:a8:
ee:21:9f:0b:0d:cc:6d:18:bc:10:f8:b2:07:dc:6f:
02:fc:c8:95:38:fb:43:8d:5f:58:c3:cb:81:64:91:
ef:52:64:ab:18:5c:8d:a8:79:82:74:86:4d:7f:11:
1b:8e:82:48:58:97:f1:b3:1c:19:6b:67:ed:5f:35:
65:05:64:6d:74:e5:0c:42:1b:c5:82:94:62:ef:ab:
c5:6d:0e:39:72:69:98:55:0a:3c:83:45:d6:08:1e:
1c:0f:da:5c:18:7a:bb:7f:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:FD:70:C1:95:95:53:F3:F8:7F:E2:7B:6E:D6:F0:67:60:84:FA:ED
X509v3 Authority Key Identifier:
keyid:E1:6C:B0:4F:C0:65:DF:4B:49:D6:DE:68:03:6E:4A:85:93:84:23:A5
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im://###@###.###,
URI:pres://###@###.###
Signature Algorithm: md5WithRSAEncryption
5d:e6:7e:71:02:0c:1d:6b:2c:e8:a0:72:c3:3d:ab:03:9c:7e:
7d:a0:98:da:39:6e:16:9c:cb:3f:7e:ae:75:99:75:99:a0:4b:
0a:41:bf:64:0a:ca:0e:1d:d5:99:b1:8b:81:26:c6:c6:ca:b1:
e5:ce:48:14:a2:76:54:41:51:0f:c6:73:f2:fd:d0:41:9d:ab:
27:e1:28:ec:a1:b0:f1:a0:b6:70:0f:8b:2c:15:ed:4b:ea:6e:
bc:4c:f3:37:ea:b0:0e:73:88:8c:a3:48:40:71:9f:dd:2c:1a:
97:8b:a1:13:7f:6e:3b:04:cd:09:fb:0a:c2:2e:8a:5e:e1:ad:
67:c1
-----BEGIN CERTIFICATE-----
MIIDrzCCAxigAwIBAgIBATANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNVBAoTFVRoZSBNSVRS
RSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMDIwODE1MTE0MzUxWhcNMDMwODE1MTE0MzUxWjCBjDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAk1BMRAwDgYDVQQHEwdCZWRmb3JkMR4wHAYDVQQKExVUaGUg
TUlUUkUgQ29ycG9yYXRpb24xGzAZBgNVBAMTEkthdG8gdGhlIEdvb3NlIERvZzEh
MB8GCSqGSIb3DQEJARYSZ29vc2Vkb2dAbWl0cmUub3JnMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDWng00TrU/dqJBxP5Cd7j20wvfS4BBBfR6VEMhqO4hnwsN
zG0YvBD4sgfcbwL8yJU4+0ONX1jDy4Fkke9SZKsYXI2oeYJ0hk1/ERuOgkhYl/Gz
HBlrZ+1fNWUFZG105QxCG8WClGLvq8VtDjlyaZhVCjyDRdYIHhwP2lwYert/qwID
AQABo4IBOTCCATUwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBn9cMGVlVPz+H/ie27W8Gdg
hPrtMIGbBgNVHSMEgZMwgZCAFOFssE/AZd9LSdbeaANuSoWThCOloXWkczBxMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCTUExEDAOBgNVBAcTB0JlZGZvcmQxHjAcBgNV
BAoTFVRoZSBNSVRSRSBDb3Jwb3JhdGlvbjEjMCEGA1UECxMaVGVzdCBDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHmCAQAwPQYDVR0RBDYwNIYXaW06Ly9nb29zZWRvZ0BtaXRy
ZS5vcmeGGXByZXM6Ly9nb29zZWRvZ0BtaXRyZS5vcmcwDQYJKoZIhvcNAQEEBQAD
gYEAXeZ+cQIMHWss6KBywz2rA5x+faCY2jluFpzLP36udZl1maBLCkG/ZArKDh3V
mbGLgSbGxsqx5c5IFKJ2VEFRD8Zz8v3QQZ2rJ+Eo7KGw8aC2cA+LLBXtS+puvEzz
N+qwDnOIjKNIQHGf3Swal4uhE39uOwTNCfsKwi6KXuGtZ8E=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
+ openssl x509 -in newcert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, OU=Test Certificate Authority
Validity
Not Before: Aug 15 11:43:51 2002 GMT
Not After : Aug 15 11:43:51 2003 GMT
Subject: C=US, ST=MA, L=Bedford, O=The MITRE
Corporation, CN=Kato the Goose Dog/Email=###@###.###
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:9e:0d:34:4e:b5:3f:76:a2:41:c4:fe:42:77:
b8:f6:d3:0b:df:4b:80:41:05:f4:7a:54:43:21:a8:
ee:21:9f:0b:0d:cc:6d:18:bc:10:f8:b2:07:dc:6f:
02:fc:c8:95:38:fb:43:8d:5f:58:c3:cb:81:64:91:
ef:52:64:ab:18:5c:8d:a8:79:82:74:86:4d:7f:11:
1b:8e:82:48:58:97:f1:b3:1c:19:6b:67:ed:5f:35:
65:05:64:6d:74:e5:0c:42:1b:c5:82:94:62:ef:ab:
c5:6d:0e:39:72:69:98:55:0a:3c:83:45:d6:08:1e:
1c:0f:da:5c:18:7a:bb:7f:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:FD:70:C1:95:95:53:F3:F8:7F:E2:7B:6E:D6:F0:67:60:84:FA:ED
X509v3 Authority Key Identifier:
keyid:E1:6C:B0:4F:C0:65:DF:4B:49:D6:DE:68:03:6E:4A:85:93:84:23:A5
DirName:/C=US/ST=MA/L=Bedford/O=The MITRE
Corporation/OU=Test Certificate Authority
serial:00
X509v3 Subject Alternative Name:
URI:im://###@###.###,
URI:pres://###@###.###
Signature Algorithm: md5WithRSAEncryption
5d:e6:7e:71:02:0c:1d:6b:2c:e8:a0:72:c3:3d:ab:03:9c:7e:
7d:a0:98:da:39:6e:16:9c:cb:3f:7e:ae:75:99:75:99:a0:4b:
0a:41:bf:64:0a:ca:0e:1d:d5:99:b1:8b:81:26:c6:c6:ca:b1:
e5:ce:48:14:a2:76:54:41:51:0f:c6:73:f2:fd:d0:41:9d:ab:
27:e1:28:ec:a1:b0:f1:a0:b6:70:0f:8b:2c:15:ed:4b:ea:6e:
bc:4c:f3:37:ea:b0:0e:73:88:8c:a3:48:40:71:9f:dd:2c:1a:
97:8b:a1:13:7f:6e:3b:04:cd:09:fb:0a:c2:2e:8a:5e:e1:ad:
67:c1
+ openssl pkcs12 -export -out goosedog.p12 -in newcert.pem
-inkey newreq.pem -name goosedog -certfile demoCA/cacert.pem
Enter PEM pass phrase:kato
Enter Export Password:kato
Verifying password - Enter Export Password:kato
bash-2.01$ dir
total 15
-rwxr-xr-x 1 ramsdell air 3505 Aug 12 09:25 CA.sh
drwxr-xr-x 6 ramsdell air 512 Aug 15 07:43 demoCA
-rw-r--r-- 1 ramsdell air 2886 Aug 15 07:43
goosedog.p12
-rw-r--r-- 1 ramsdell air 524 Aug 15 07:30
goosedog.sh
-rw-r--r-- 1 ramsdell air 3728 Aug 15 07:43
newcert.pem
-rw-r--r-- 1 ramsdell air 1663 Aug 15 07:43
newreq.pem
bash-2.01$ keytool -list -storetype pkcs12 -keystore
goosedog.p12
Enter keystore password: kato
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
goosedog, Aug 15, 2002, keyEntry,
Certificate fingerprint (MD5):
34:BE:E4:71:FA:37:B6:ED:9B:37:D1:38:2B:10:2B:90
bash-2.01$ cat KS.java
import java.security.cert.*;
import java.security.*;
import java.io.*;
import java.util.*;
class KS
{
public static void main(String[] args) {
try {
KeyStore ks = KeyStore.getInstance("pkcs12");
InputStream in = new FileInputStream("goosedog.p12");
ks.load(in, new char[] { 'k', 'a', 't', 'o'});
in.close();
Enumeration aliases = ks.aliases();
while (aliases.hasMoreElements()) {
String alias = (String)aliases.nextElement();
System.out.println(alias + " trusted? "
+ ks.isCertificateEntry(alias));
java.security.cert.Certificate cert = ks.getCertificate(alias);
System.out.println(cert);
Key key = ks.getKey(alias, new char[] { 'k', 'a', 't', 'o'});
System.out.println(key);
System.out.println(key.getAlgorithm());
}
}
catch (Throwable t) {
t.printStackTrace();
return;
}
System.out.println("Done");
}
}
bash-2.01$ javac KS.java
bash-2.01$ java KS
goosedog trusted? false
[
[
Version: V3
Subject: EMAILADDRESS=###@###.###, CN=Kato the
Goose Dog, O=The MITRE Corporation, L=Bedford, ST=MA, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@df503
Validity: [From: Thu Aug 15 07:43:51 EDT 2002,
To: Fri Aug 15 07:43:51 EDT 2003]
Issuer: OU=Test Certificate Authority, O=The MITRE
Corporation, L=Bedford, ST=MA, C=US
SerialNumber: [ 01]
Certificate Extensions: 5
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65
....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74
rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 19 FD 70 C1 95 95 53 F3 F8 7F E2 7B 6E D6 F0 67
..p...S.....n..g
0010: 60 84 FA ED `...
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E1 6C B0 4F C0 65 DF 4B 49 D6 DE 68 03 6E 4A 85
.l.O.e.KI..h.nJ.
0010: 93 84 23 A5 ..#.
]
[OU=Test Certificate Authority, O=The MITRE Corporation,
L=Bedford, ST=MA, C=US]
SerialNumber: [ 0 ]
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[URIName: im://###@###.###, URIName:
pres://###@###.###]
[5]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 5D E6 7E 71 02 0C 1D 6B 2C E8 A0 72 C3 3D AB 03
]..q...k,..r.=..
0010: 9C 7E 7D A0 98 DA 39 6E 16 9C CB 3F 7E AE 75 99
......9n...?..u.
0020: 75 99 A0 4B 0A 41 BF 64 0A CA 0E 1D D5 99 B1 8B
u..K.A.d........
0030: 81 26 C6 C6 CA B1 E5 CE 48 14 A2 76 54 41 51 0F
.&......H..vTAQ.
0040: C6 73 F2 FD D0 41 9D AB 27 E1 28 EC A1 B0 F1 A0
.s...A..'.(.....
0050: B6 70 0F 8B 2C 15 ED 4B EA 6E BC 4C F3 37 EA B0
.p..,..K.n.L.7..
0060: 0E 73 88 8C A3 48 40 71 9F DD 2C 1A 97 8B A1 1
- duplicates
-
-
- Resolved
-
- relates to
-
-
- Closed
-