Details
Bug - Resolution: Fixed - P3 - 7u21 - b102 - windows_7 - Verified
Description
FULL PRODUCT VERSION :
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) Client VM (build 23.21-b01, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
6.1.7601
A DESCRIPTION OF THE PROBLEM :
Executing keytool -printcertreq on a CSR which has requested extension X509v3 Subject Alternative Name of type PrintableString leads to the following error:
keytool error: java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
This is wrong because, according to RFC 2985, unstructuredName is of type PKCS9String, which can be either IA5String (supported by keytool) or DirectoryString (which includes PrintableString):

    unstructuredName ATTRIBUTE ::= {
        WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
        EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
        ID pkcs-9-at-unstructuredName
    }

    PKCS9String { INTEGER : maxSize} ::= CHOICE {
        ia5String IA5String (SIZE(1..maxSize)),
        directoryString DirectoryString {maxSize}
    }
Offending code is in PKCS9Attribute class:
    private static final Byte[][] PKCS9_VALUE_TAGS = {
        null,
        {new Byte(DerValue.tag_IA5String)},   // EMailAddress
        {new Byte(DerValue.tag_IA5String)},   // UnstructuredName
        {new Byte(DerValue.tag_ObjectId)},    // ContentType
        {new Byte(DerValue.tag_OctetString)}, // MessageDigest
        {new Byte(DerValue.tag_UtcTime)},     // SigningTime
        {new Byte(DerValue.tag_Sequence)},    // Countersignature
        {new Byte(DerValue.tag_PrintableString),
         new Byte(DerValue.tag_T61String)},   // ChallengePassword
        {new Byte(DerValue.tag_PrintableString),
         new Byte(DerValue.tag_T61String)},   // UnstructuredAddress
        {new Byte(DerValue.tag_SetOf)},       // ExtendedCertificateAttributes
        {new Byte(DerValue.tag_Sequence)},    // issuerAndSerialNumber
        null,
        null,
        null,
        {new Byte(DerValue.tag_Sequence)},    // extensionRequest
        {new Byte(DerValue.tag_Sequence)},    // SMIMECapability
        {new Byte(DerValue.tag_Sequence)},    // SigningCertificate
        {new Byte(DerValue.tag_Sequence)}     // SignatureTimestampToken
    };

    // ...

    // check for illegal element tags
    Byte tag;
    for (int i=0; i < elems.length; i++) {
        tag = new Byte(elems[i].tag);

        if (indexOf(tag, PKCS9_VALUE_TAGS[index], 0) == -1)
            throwTagException(tag);
    }

    // ...

    private void throwTagException(Byte tag)
            throws IOException {
        Byte[] expectedTags = PKCS9_VALUE_TAGS[index];
        StringBuffer msg = new StringBuffer(100);
        msg.append("Value of attribute ");
        msg.append(getOID().toString());
        msg.append(" (");
        msg.append(getName());
        msg.append(") has wrong tag: ");
        msg.append(tag.toString());
        msg.append(". Expected tags: ");
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run:
keytool -printcertreq -v -file sample.csr
Where sample.csr is:
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Attributes:
    unstructuredName :requestTestWithExt
Requested Extensions:
    X509v3 Key Usage:
        Non Repudiation
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, Time Stamping
    X509v3 Subject Alternative Name: critical
        email:info.e-deklaracje@mofnet.gov.pl
    Netscape Cert Type:
        SSL Client, SSL Server, S/MIME
    Netscape Comment:
        certificateTestWithExt
ACTUAL -
keytool error: java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
keytool error: java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
    at sun.security.pkcs.PKCS9Attribute.throwTagException(Unknown Source)
    at sun.security.pkcs.PKCS9Attribute.<init>(Unknown Source)
    at sun.security.pkcs.PKCS10Attribute.<init>(Unknown Source)
    at sun.security.pkcs.PKCS10Attributes.<init>(Unknown Source)
    at sun.security.pkcs.PKCS10.<init>(Unknown Source)
    at sun.security.tools.KeyTool.doPrintCertReq(Unknown Source)
    at sun.security.tools.KeyTool.doCommands(Unknown Source)
    at sun.security.tools.KeyTool.run(Unknown Source)
    at sun.security.tools.KeyTool.main(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use openssl.
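The tag mismatch described in this report, as an added example that is not JDK code and not the fix that was applied: it reads the value tag from an unstructuredName attribute and checks it against the IA5String-only set from the quoted table and against the full RFC 2985 PKCS9String CHOICE. The class and method names are hypothetical, and the sample bytes are constructed from the OID, tag 19 and value shown in the report.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

// Hypothetical demo class; not part of sun.security.pkcs.
public class UnstructuredNameTagCheck {
    // Universal ASN.1 string tags, in decimal as keytool prints them.
    static final int UTF8 = 12, PRINTABLE = 19, T61 = 20, IA5 = 22, UNIVERSAL = 28, BMP = 30;

    // Allowed set from the table quoted in the report: IA5String only.
    static final List<Integer> STRICT = Arrays.asList(IA5);
    // RFC 2985 PKCS9String: IA5String or any DirectoryString alternative.
    static final List<Integer> PKCS9_STRING =
            Arrays.asList(IA5, T61, PRINTABLE, UNIVERSAL, BMP, UTF8);

    // Constructed sample: SEQUENCE { OID 1.2.840.113549.1.9.2,
    //                                SET { PrintableString "requestTestWithExt" } }
    static byte[] sampleAttribute() {
        byte[] head = {0x30, 0x21, 0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86,
                       (byte) 0xF7, 0x0D, 0x01, 0x09, 0x02, 0x31, 0x14, 0x13, 0x12};
        byte[] text = "requestTestWithExt".getBytes(StandardCharsets.US_ASCII);
        byte[] out = Arrays.copyOf(head, head.length + text.length);
        System.arraycopy(text, 0, out, head.length, text.length);
        return out;
    }

    // Tag of the first value inside the attribute's SET (short-form lengths only).
    static int firstValueTag(byte[] attr) {
        if (attr.length < 4 || attr[0] != 0x30 || attr[1] < 0
                || attr[2] != 0x06 || attr[3] < 0)
            throw new IllegalArgumentException("expected SEQUENCE { OID, ... }");
        int pos = 4 + attr[3];                 // skip SEQUENCE header and OID TLV
        if (pos + 2 >= attr.length || attr[pos] != 0x31 || attr[pos + 1] < 0)
            throw new IllegalArgumentException("expected SET OF values");
        return attr[pos + 2] & 0xFF;           // first element's tag byte
    }

    public static void main(String[] args) {
        int tag = firstValueTag(sampleAttribute());
        System.out.println("value tag: " + tag);
        System.out.println("IA5String-only table accepts it: " + STRICT.contains(tag));
        System.out.println("PKCS9String CHOICE accepts it:   " + PKCS9_STRING.contains(tag));
    }
}
```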