JDK-4906869

KeyStore requires that private key entries have certificate chains


    • Type: Enhancement
    • Resolution: Won't Fix
    • Priority: P4
    • Fix Version/s: None
    • Affects Version/s: 1.4.1
    • Component/s: security-libs



      Name: gm110360 Date: 08/14/2003


      FULL PRODUCT VERSION :
      java version "1.4.1"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1-b21)
      Java HotSpot(TM) Client VM (build 1.4.1-b21, mixed mode)

      FULL OPERATING SYSTEM VERSION :

      SunOS euthyphro 5.8 Generic_108528-14 sun4u sparc
      SUNW,Ultra-5_10

      A DESCRIPTION OF THE PROBLEM :
      java.security.KeyStore.setKeyEntry does not allow you to
      store a private key without a certificate chain.

      This is wrong, because sometimes you need to store a private
      key without a certificate chain.

      For example, the setup program for a server product will
      generate a private key, and then submit a certificate
      request to a certificate authority. Then the program saves
      the private key to a file and exits. Days later, the
      certificate authority responds (via email) with the
      certificate. Then the setup program is run again, and the
      private key is saved again along with the certificate chain.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Compile and run the source code listed below.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      Expected: No error messages.

      Actual: An exception (detailed below) is thrown within both
      try blocks.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      java.lang.IllegalArgumentException: Private key must be accompanied by
      certificate chain
              at java.security.KeyStore.setKeyEntry(KeyStore.java:393)
              at test.main(test.java:17)
      java.lang.IllegalArgumentException: Private key must be accompanied by
      certificate chain
              at java.security.KeyStore.setKeyEntry(KeyStore.java:393)
              at test.main(test.java:25)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.security.*;
      import java.security.cert.Certificate;

      public class test {

          public static void main(String [] args) throws Exception {

              KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
              kpg.initialize(1024);
              KeyPair kp = kpg.genKeyPair();

              KeyStore ks = KeyStore.getInstance("JKS");
              ks.load(null,null);

              // try passing a null cert chain
              try {
                  ks.setKeyEntry("foobar", kp.getPrivate(), null, null);
              } catch(Exception e) {
                  e.printStackTrace();
              }

              // try passing an empty cert chain
              try {
                  Certificate[] chain = new Certificate[0];
                  ks.setKeyEntry("foobar", kp.getPrivate(), null, chain);
              } catch(Exception e) {
                  e.printStackTrace();
              }
          }
      }
      ---------- END SOURCE ----------

      CUSTOMER WORKAROUND :
      Maybe if I generate a bogus certificate somehow and try to
      import that? Not very convenient.
      (Incident Review ID: 165583)
      ======================================================================
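The scenario in the description (generate a key now, receive the certificate days later) can be handled without a placeholder certificate by keeping the pending key outside the KeyStore, encrypted at rest, until the chain arrives. The program below is an added example written for this page, not code from the report or from the JDK. `sealPrivateKey` encrypts the PKCS#8 encoding of the key under a password (PBKDF2-HMAC-SHA256 key derivation, AES-256-GCM), `unsealPrivateKey` reverses it, and `storeWithChain` loads the CA's reply from a PEM or DER file and only then calls `setKeyEntry` with a non-empty chain. The class name, the blob layout (salt, nonce, ciphertext), the iteration count, the temporary file and the optional command-line argument are all this example's own choices, not anything from the JDK.

```java
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: hold a private key outside the KeyStore until its certificate chain exists. */
public class PendingKeyDemo {

    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 600_000; // work factor chosen for this example

    /** Derive a 256-bit AES key from the password and a per-blob salt (PBKDF2-HMAC-SHA256). */
    private static SecretKeySpec deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    /** Phase 1: seal the PKCS#8 key bytes as [salt | nonce | AES-GCM ciphertext+tag] (layout is this example's). */
    static byte[] sealPrivateKey(PrivateKey key, char[] password) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        rng.nextBytes(salt);
        rng.nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        gcm.updateAAD(key.getAlgorithm().getBytes(StandardCharsets.US_ASCII)); // bind blob to its key algorithm
        byte[] ct = gcm.doFinal(key.getEncoded()); // getEncoded() is the PKCS#8 form for JDK private keys
        return ByteBuffer.allocate(SALT_LEN + NONCE_LEN + ct.length).put(salt).put(nonce).put(ct).array();
    }

    /** Phase 2: recover the PrivateKey; a wrong password or a tampered blob fails the GCM tag check. */
    static PrivateKey unsealPrivateKey(byte[] sealed, char[] password, String keyAlgorithm)
            throws GeneralSecurityException {
        if (sealed.length < SALT_LEN + NONCE_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("sealed blob too short");
        }
        ByteBuffer buf = ByteBuffer.wrap(sealed);
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        byte[] ct = new byte[sealed.length - SALT_LEN - NONCE_LEN];
        buf.get(salt).get(nonce).get(ct);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        gcm.updateAAD(keyAlgorithm.getBytes(StandardCharsets.US_ASCII));
        return KeyFactory.getInstance(keyAlgorithm).generatePrivate(new PKCS8EncodedKeySpec(gcm.doFinal(ct)));
    }

    /** Phase 2, once the CA's reply is on disk: setKeyEntry now receives a real, non-empty chain. */
    static KeyStore storeWithChain(PrivateKey key, char[] password, Path chainFile, String alias)
            throws GeneralSecurityException, java.io.IOException {
        Certificate[] chain;
        try (InputStream in = Files.newInputStream(chainFile)) {
            // File order is kept: the end-entity certificate must come first, as KeyStore expects.
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry(alias, key, password, chain);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-demo-password".toCharArray(); // constructed for the demo
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] sealed = sealPrivateKey(kp.getPrivate(), password);
        Path pending = Files.createTempFile("pending-key", ".bin");
        Files.write(pending, sealed);
        PrivateKey restored = unsealPrivateKey(Files.readAllBytes(pending), password, "RSA");
        Files.delete(pending);
        if (!Arrays.equals(kp.getPrivate().getEncoded(), restored.getEncoded())) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("pending key sealed, written, read back and restored");

        // The restriction from the report is unchanged: an empty chain is still rejected.
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        try {
            empty.setKeyEntry("server", restored, password, new Certificate[0]);
        } catch (IllegalArgumentException expected) {
            System.out.println("KeyStore still refuses a chain-less private key: " + expected.getMessage());
        }

        if (args.length == 1) { // optional: path of the chain file returned by the CA
            KeyStore ks = storeWithChain(restored, password, Paths.get(args[0]), "server");
            System.out.println("stored entry; chain length = " + ks.getCertificateChain("server").length);
        }
    }
}
```

Run it without arguments to see the seal/unseal round trip and the unchanged rejection of an empty chain; pass the path of the chain file the CA returned (end-entity certificate first) to see the entry stored. The ad-hoc container here keeps the example self-contained; where other tools must read the pending key, the PKCS#8 EncryptedPrivateKeyInfo structure (`javax.crypto.EncryptedPrivateKeyInfo`) is the interoperable equivalent.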

            Assignee: Sean Mullan (mullan)
            Reporter: Girish Manwani (gmanwanisunw) (Inactive)