JDK-6302644: X509KeyManager implementation for NewSunX509 doesn't return most preferable key


The "NewSunX509" implementation of X509KeyManager.chooseClientAlias returns a DSA key,
even if the "RSA" algorithm is most preferable.

The X509KeyManager.chooseClientAlias specification reads:
    "Choose an alias to authenticate the client side of a secure socket given the public key
    type and the list of certificate issuer authorities recognized by the peer (if any).

    Parameters:
        keyType - the key algorithm type name(s), ordered with the most-preferred key type
        first."

I have created a keystore with two keys (DSA and RSA), and the DSA key was created first.
I have invoked chooseClientAlias(new String[] {"RSA", "DSA"}, null, new Socket()) and it
returns the DSA key, but the keystore contains an RSA key, which is more preferable.

To reproduce this bug please use the example below.
Note that this bug is reproducible for the NewSunX509 algorithm and is not reproducible
for the SunX509 algorithm.

The following commands were used for keystore creation (keystore attached):

%/java/re/jdk/1.5.0_04/archive/fcs/binaries/solaris-sparc/bin/keytool \
    -genkey -keystore keystore -keyalg dsa -alias usaduke \
    -storepass StorePass -keypass StorePass \
    -dname "CN=Maxim Sokolnikov, OU=\"Sun Microsystems, Inc.\", O=JavaSoft, L=Santa Clara Campus SCA-22, ST=CA, C=US"

%/java/re/jdk/1.5.0_04/archive/fcs/binaries/solaris-sparc/bin/keytool \
    -genkey -keystore keystore -keyalg rsa -alias rsakey \
    -storepass StorePass -keypass StorePass \
    -dname "CN=Maxim Sokolnikov, OU=\"Sun Microsystems, Inc.\", O=JavaSoft, L=Santa Clara Campus SCA-22, ST=CA, C=US"

On this keystore the example below produces the following output:

chooseClientAlias() returns alias 1.0.usaduke of type DSA
getClientAliases() returns alias 2.0.rsakey of type RSA

-----------------------Test.java----------------------
package test;

import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class Test {

    public static void main(String[] args) {
        KeyStore ks = null;
        KeyManagerFactory kmf = null;
        X500Principal list[] = null;   // no issuer restriction: any issuer is acceptable
        String word = "StorePass";

        char[] password = word.toCharArray();
        char[] keyPassword = word.toCharArray();

        try {
            // Load the keystore created by the keytool commands above.
            ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream("keystore"), password);
            kmf = KeyManagerFactory.getInstance("NewSunX509");
            kmf.init(ks, keyPassword);
            KeyManager[] managers = kmf.getKeyManagers();
            X509KeyManager manager = ((X509KeyManager)managers[0]);

            // "RSA" is listed first, so it is the most-preferred key type.
            String alias = manager.chooseClientAlias(new String[] {"RSA", "DSA"},
                                                     list, new Socket());
            String[] aliases = manager.getClientAliases("RSA", list);
            System.out.println("chooseClientAlias() returns alias " + alias
                               + " of type " + manager.getPrivateKey(alias).getAlgorithm());
            for (int i = 0; i < aliases.length; i++) {
                System.out.println("getClientAliases() returns alias " + aliases[i]
                                   + " of type " + manager.getPrivateKey(aliases[i]).getAlgorithm());
            }
        } catch (NoSuchAlgorithmException nsae) {
            nsae.printStackTrace();
            System.out.println("Failed: Unexpected " + nsae);
            return;
        } catch (Exception nspe) {
            nspe.printStackTrace();
            System.out.println("Failed: Unexpected " + nspe);
            return;
        }
    }
}
---------------------------------------------------------------
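The following is an added example, not part of the bug report and not JDK code. It shows how an application can enforce the documented keyType preference order itself, independently of what a given provider's key manager does: the wrapper asks the delegate key manager for one key type at a time, most-preferred first, and returns the first alias found. The class name PreferringKeyManager is hypothetical; the main method assumes the "keystore" file produced by the keytool commands above (password StorePass) is in the working directory and uses the same NewSunX509 factory as the report. With that keystore, the wrapper returns the RSA alias for the preference list {"RSA", "DSA"} even where the delegate picks DSA, and the final check reports whether the chosen key matches the most-preferred type.

```java
package test;

import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (hypothetical class, not JDK code): wraps an X509KeyManager and
 * enforces the caller's keyType preference order in chooseClientAlias by
 * querying the delegate one key type at a time, most-preferred first.
 */
public class PreferringKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public PreferringKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        if (keyTypes == null) {
            return null;
        }
        // A single-element keyType array leaves the delegate no room to prefer a
        // less desirable key type, so an earlier DSA entry cannot shadow RSA.
        for (String keyType : keyTypes) {
            String alias = delegate.chooseClientAlias(new String[] { keyType }, issuers, socket);
            if (alias != null) {
                return alias;
            }
        }
        return null;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    public static void main(String[] args) throws Exception {
        // Assumes the "keystore" file from the keytool commands in the report.
        char[] password = "StorePass".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("keystore")) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(ks, password);
        KeyManager[] managers = kmf.getKeyManagers();
        X509KeyManager raw = (X509KeyManager) managers[0];
        X509KeyManager wrapped = new PreferringKeyManager(raw);

        String[] preference = { "RSA", "DSA" };   // most-preferred first, as the spec says
        String rawAlias = raw.chooseClientAlias(preference, null, new Socket());
        String wrappedAlias = wrapped.chooseClientAlias(preference, null, new Socket());

        System.out.println("delegate chose " + rawAlias
                           + " of type " + raw.getPrivateKey(rawAlias).getAlgorithm());
        System.out.println("wrapper chose  " + wrappedAlias
                           + " of type " + wrapped.getPrivateKey(wrappedAlias).getAlgorithm());

        // Check: the chosen key must use the first preferred type the keystore can satisfy.
        String chosenType = wrapped.getPrivateKey(wrappedAlias).getAlgorithm();
        System.out.println(preference[0].equals(chosenType)
                           ? "preference order honoured"
                           : "preference order violated: got " + chosenType);
    }
}
```

The wrapper can be handed to SSLContext.init in place of the factory's key managers; because it only narrows the keyType list passed to the delegate, it changes nothing about which keys are considered, only the order in which they win.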

Assignee: Xuelei Fan
Reporter: Maxim Sokolnikov (Inactive)