Type: Bug
Resolution: Not an Issue
Priority: P4
Fix Version: None
Affects Version: 7u55
CPU: x86_64
OS: windows_7
FULL PRODUCT VERSION :
ADDITIONAL OS VERSION INFORMATION :
java version "1.7.0_55"
Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
Java HotSpot(TM) Client VM (build 24.55-b03, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
The SSL handshake fails because the wrong certificate chain is added to the SSLContext when key aliases contain dots in their names.
The smart card holds several certificates whose aliases contain dots, for example:
found key for : signing key for john.smith
found key for : encryption key for john.smith
found key for : Identity Key for john.smith
When using the NewSunX509 KeyManagerFactory algorithm, the class X509KeyManagerImpl correctly finds the Client Authentication certificate ("Identity Key"), but the certificate chain is taken from the "signing key" entry. The root cause seems to be in the following method of the class X509KeyManagerImpl,
    private PrivateKeyEntry getEntry(String alias)
which parses the internally modified alias name:
    // parse the alias
    int firstDot = alias.indexOf('.');
    int secondDot = alias.indexOf('.', firstDot + 1);
    if ((firstDot == -1) || (secondDot == firstDot)) {
        // invalid alias
        return null;
    }
    try {
        int builderIndex = Integer.parseInt
                            (alias.substring(firstDot + 1, secondDot));
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Configure a smart card with several certificates, where the Identity certificate is not the first one.
2. Use dots in the alias names.
3. Configure the KeyManagerFactory algorithm to use the only relatively decent option, NewSunX509.
4. Try to establish an SSL handshake.
5. Verify that during the handshake the certificate chain was taken from the first certificate, not from the Identity certificate:
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
ssl: KeyMgr: choosing key: Identity Key for john.smith (verified: OK)
*** Certificate chain
chain [0] = [
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Certificate chain matches the selected alias
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
- Do not use dots in alias names.
- Have the certificate with "Client Authentication" first on the card.
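The following Java program is an added illustration and is not code from the report or from the JDK. It re-implements the alias parsing step quoted above from X509KeyManagerImpl.getEntry() and runs it over the three dotted aliases from the report, written in the internal form <uid>.<builderIndex>.<keystoreAlias> that the parser expects (that prefix layout is an assumption drawn from the parsing code, as is the class name NewSunX509AliasDemo). It then shows how a KeyManagerFactory is configured for NewSunX509 as in step 3, using an empty in-memory PKCS12 keystore as a stand-in for the smart card's PKCS#11 keystore, and how the alias returned by chooseClientAlias is mapped back to the certificate chain the key manager will present.

```java
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.X509KeyManager;

public class NewSunX509AliasDemo {

    /** Parsed form of an internal alias "<uid>.<builderIndex>.<keystoreAlias>" (layout assumed). */
    static final class ParsedAlias {
        final int builderIndex;
        final String keystoreAlias;

        ParsedAlias(int builderIndex, String keystoreAlias) {
            this.builderIndex = builderIndex;
            this.keystoreAlias = keystoreAlias;
        }

        @Override
        public String toString() {
            return "builderIndex=" + builderIndex + ", keystoreAlias=\"" + keystoreAlias + "\"";
        }
    }

    /**
     * Re-implementation of the parsing step quoted from X509KeyManagerImpl.getEntry().
     * Only the first two dots are consumed (uid, then builder index); everything after
     * the second dot is the keystore alias and is passed through unchanged, dots included.
     * Like the original, a malformed alias yields null rather than an exception.
     */
    static ParsedAlias parseInternalAlias(String alias) {
        int firstDot = alias.indexOf('.');
        int secondDot = alias.indexOf('.', firstDot + 1);
        if (firstDot == -1 || secondDot == firstDot) {
            return null; // invalid alias
        }
        try {
            int builderIndex = Integer.parseInt(alias.substring(firstDot + 1, secondDot));
            String keyId = alias.substring(secondDot + 1);
            return new ParsedAlias(builderIndex, keyId);
        } catch (RuntimeException e) {
            // NumberFormatException, or StringIndexOutOfBoundsException for a single-dot alias
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample aliases: the report's dotted keystore aliases, each wrapped
        // in the assumed internal prefix (uid 0..2, all from builder 0).
        String[] samples = {
            "0.0.signing key for john.smith",
            "1.0.encryption key for john.smith",
            "2.0.Identity Key for john.smith",
            "Identity Key for john.smith",   // raw keystore alias without the prefix
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + parseInternalAlias(s));
        }

        // Step 3 of the report: a KeyManagerFactory using the NewSunX509 algorithm.
        // The reporter's keystore is the smart card's PKCS#11 store; an empty in-memory
        // PKCS12 store stands in here so the program runs without hardware.
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, password);
        KeyStore.Builder builder = KeyStore.Builder.newInstance(ks, new PasswordProtection(password));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(new KeyStoreBuilderParameters(builder));
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // With a populated keystore this returns an internal alias; parse it and fetch
        // the chain the key manager maps it to, which is what the handshake sends.
        String chosen = km.chooseClientAlias(new String[] {"RSA"}, null, null);
        System.out.println("chooseClientAlias -> " + chosen);
        if (chosen != null) {
            System.out.println("parsed: " + parseInternalAlias(chosen));
            X509Certificate[] chain = km.getCertificateChain(chosen);
            for (int i = 0; i < chain.length; i++) {
                System.out.println("chain[" + i + "] = " + chain[i].getSubjectX500Principal());
            }
        }
    }
}
```

As the parse output shows, only the first two dots are consumed and the keystore alias after the second dot is returned whole, so the parsing step on its own does not truncate a dotted alias. To check the report's claim against a real card, point the KeyStore.Builder at the PKCS#11 keystore instead of the empty PKCS12 store and compare the subject of chain[0] printed here with the "Certificate chain" logged during the handshake.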