JDK-6967112

keytool and generateCertificate() fail when user tries to use OCSP responder certificates in jdk6u22


    • Type: Bug
    • Resolution: Won't Fix
    • Priority: P3
    • None
    • 6u21
    • security-libs

      A customer application that connects to Active Directory over a TLS connection faces a problem related to X509 certificates.

      PROBLEM :
      The customer plans to adopt OCSP in Windows Server 2008.
      They found some errors when they tried to import OCSP certificates into the CertStore of JKS with the keytool command.
      They also found an exception when they tried to view the certificates with java.security.cert.CertificateFactory.generateCertificate().

      CONFIGURATION:
      OS : Windows Server 2008/Windows Vista Business(Japanese)
      JDK : jdk6u21/u22

      REPRODUCE :
      1. Keytool error
      (1) Invoke the command line (ocspcert_der.cer is attached to this CR)

      C:\Users\licensees\ocsp-cert-exception> keytool -import -file ocspcert_der.cer
      Input Keystore password :
      Input new password again :
      Keytool Error : java.lang.Exception: Not X509 certificates

      C:\Users\licensees\ocsp-cert-exception> keytool -printcert -file ocspcert_der.cer
      keytool error : java.lang.Exception: fails to parse input

      NOTE:
       The above messages are just translated into English.
       So, those might not be different from the actual message in Windows (English).


      2. Exception in java.security.cert.CertificateFactory.generateCertificate()

      (1) Compile the attached CertView.java and invoke the command line

      C:\Users\licensees\ocsp-cert-exception>java CertView ocspcert_der.cer
      java.security.cert.CertificateParsingException: java.io.IOException: short read on DerValue buffer
              at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:154)
              at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1729)
              at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:179)
              at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
              at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
              at CertView.<init>(CertView.java:23)
              at CertView.main(CertView.java:13)
      Caused by: java.io.IOException: short read on DerValue buffer
              at sun.security.util.DerValue.getOctetString(DerValue.java:459)
              at sun.security.x509.Extension.<init>(Extension.java:73)
              at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:69)
              at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:60)
              at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:723)
              at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:152)
              ... 6 more

      NOTE:
       These problems don't occur in jdk7b99.
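
The stack trace above shows the exception being thrown while sun.security.x509.Extension reads an extension's OCTET STRING value through DerValue.getOctetString. As an added triage example (not part of the original report and not the attached CertView.java), this Python walker lists each extension's OID with the declared extnValue length and the bytes actually available for it. The sample bytes are a constructed skeleton, not the attached ocspcert_der.cer, and all function names are this example's own.

```python
def read_tlv(buf, off):
    """Parse the DER header at off; return (tag, declared_len, content_start)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                                  # short-form length
        return tag, first, off + 2
    n = first & 0x7F                                  # long form: n length bytes follow
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n

def children(buf, start, end):
    """Yield (tag, declared_len, content_start, available) for each TLV in buf[start:end]."""
    off = start
    while off < end:
        tag, length, cstart = read_tlv(buf, off)
        yield tag, length, cstart, end - cstart
        off = cstart + length

def decode_oid(raw):
    arcs, val = [], 0
    for byte in raw:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def list_extensions(cert):
    """Return [(oid, declared_len, available, fits)] for each extension's extnValue."""
    _, clen, cstart, _ = next(children(cert, 0, len(cert)))            # Certificate
    _, tlen, tstart, _ = next(children(cert, cstart, cstart + clen))   # tbsCertificate
    out = []
    for tag, length, start, _ in children(cert, tstart, tstart + tlen):
        if tag != 0xA3:                                                # [3] extensions
            continue
        _, slen, sstart, _ = next(children(cert, start, start + length))
        for _, elen, estart, _ in children(cert, sstart, sstart + slen):
            fields = list(children(cert, estart, estart + elen))
            (_, olen, ostart, _), (_, vlen, _, avail) = fields[0], fields[-1]
            out.append((decode_oid(cert[ostart:ostart + olen]), vlen, avail, vlen <= avail))
    return out

def sample_cert():
    """Constructed skeleton (not a real certificate): two extensions, the second truncated."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    good = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, bytes.fromhex("3000")))
    bad = tlv(0x30, tlv(0x06, bytes.fromhex("551d0f")) + bytes.fromhex("0405030201"))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, good + bad))))

if __name__ == "__main__":
    print(list_extensions(sample_cert()))
```

To check a real file, pass its bytes: `list_extensions(open(path, "rb").read())`, where `path` points at a DER-encoded certificate.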

            Assignee: Unassigned
            Reporter: tbaba Tadayuki Baba (Inactive)