Type: Bug
Resolution: Not an Issue
Priority: P4
Fix Version: None
Affects Version: 8, 9
CPU: x86
OS: os_x
FULL PRODUCT VERSION :
ADDITIONAL OS VERSION INFORMATION :
Darwin stratus.local 15.5.0 Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64 x86_64
A DESCRIPTION OF THE PROBLEM :
java.security.KeyStore (and related tools like `keytool`) will incorrectly count and enumerate the entries in certain PKCS#12 keystores. So far, we've only been able to reproduce the problem with keystores exported from Apple's Keychain Access app.
Exporting keystores that contain two keys with the same name yields a keystore that OpenSSL (for example) reports contains two private key entries, but KeyStore/keytool reports only one.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Generate a PKCS#12 file containing a single key pair with keytool: `keytool -genkeypair -storepass example -keypass example -dname "CN=com.example" -keystore example.p12 -deststoretype PKCS12`
2. Import the key into Apple's Keychain Access app.
3. Create a [possibly-malformed] new PKCS#12 keystore from Keychain Access by selecting BOTH the certificate and the key and using File -> Export Items.
4. Inspect the resulting PKCS#12 keystore with OpenSSL and keytool (or write an application to do the same with KeyStore).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
OpenSSL and keytool both report that the PKCS#12 keystore exported from Keychain Access contains two entries.
ACTUAL -
OpenSSL reports that the exported keystore has two entries, but keytool reports only one entry:
```
$ openssl pkcs12 -in example-after-keychain-access.p12 -info -noout
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```
```
$ keytool -list -storetype PKCS12 -keystore example.p12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
mykey, May 26, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 23:FD:A2:8A:1F:68:E2:C1:12:13:3D:08:97:F0:AE:F4:EB:0D:0E:8F
stratus:Desktop jon$ keytool -list -storetype PKCS12 -keystore example-after-keychain-access.p12
```
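Step 4 suggests writing an application to do what `openssl pkcs12 -info` does. The script below is an added example, not part of this report or of the JDK or OpenSSL: it walks the DER structure of a PKCS#12 file and counts SafeBags per bag type and per friendlyName alias, so the raw bag count can be compared with the number of distinct aliases an alias-keyed view could show at most. It assumes definite-length DER, password-integrity mode (macData is ignored), and only looks inside unencrypted `data` blocks; `encryptedData` blocks are counted but not decrypted. Running it without arguments uses a constructed sample PFX (two shrouded key bags both named "mykey", with placeholder payloads) rather than a real Keychain export.

```python
"""Inventory PKCS#12 SafeBags by type and friendlyName (added example).
Assumes DER (definite lengths), ignores macData, and does not decrypt
`encryptedData` blocks; single-byte tags only, which PKCS#12 uses."""
import sys
from collections import Counter

OID_DATA = "1.2.840.113549.1.7.1"
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
OID_FRIENDLY_NAME = "1.2.840.113549.1.9.20"
BAG_NAMES = {"1.2.840.113549.1.12.10.1.1": "keyBag",
             OID_SHROUDED_KEY_BAG: "pkcs8ShroudedKeyBag",
             "1.2.840.113549.1.12.10.1.3": "certBag"}

# --- minimal DER encode/decode helpers ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- PKCS#12 structure ---
def content_info(body):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }"""
    (_, oid), (_, explicit) = list(children(body))[:2]
    _, inner, _ = read_tlv(explicit)       # unwrap the single value inside [0]
    return decode_oid(oid), inner

def safe_bag(body):
    """Return (bagId OID, friendlyName or None) for one SafeBag."""
    parts, alias = list(children(body)), None
    if len(parts) > 2:                     # optional bagAttributes SET
        for _, attr in children(parts[2][1]):
            (_, attr_oid), (_, values) = list(children(attr))[:2]
            if decode_oid(attr_oid) == OID_FRIENDLY_NAME:
                _, bmp, _ = read_tlv(values)   # BMPString is UTF-16BE
                alias = bmp.decode("utf-16-be")
    return decode_oid(parts[0][1]), alias

def inventory(pfx_der):
    _, pfx, _ = read_tlv(pfx_der)
    fields = list(children(pfx))           # version, authSafe, [macData]
    ctype, auth_safe_der = content_info(fields[1][1])
    if ctype != OID_DATA:
        raise ValueError("authSafe is not plain data; unsupported integrity mode")
    _, auth_safe, _ = read_tlv(auth_safe_der)
    bags, aliases, encrypted = Counter(), Counter(), 0
    for _, ci in children(auth_safe):
        ctype, inner = content_info(ci)
        if ctype == OID_ENCRYPTED_DATA:
            encrypted += 1                 # needs the password to look inside
            continue
        _, safe_contents, _ = read_tlv(inner)
        for _, bag in children(safe_contents):
            bag_id, alias = safe_bag(bag)
            bags[BAG_NAMES.get(bag_id, bag_id)] += 1
            if alias is not None:
                aliases[alias] += 1
    return {"bags": bags, "aliases": aliases, "encrypted_blocks": encrypted,
            "duplicate_aliases": sorted(a for a, n in aliases.items() if n > 1)}

def build_sample_pfx():
    """Constructed sample (not a real Keychain export): two shrouded key bags
    that share the friendlyName 'mykey' in a plain data block, plus an
    encryptedData stub standing in for the certificate bags."""
    def friendly(name):
        value = tlv(0x31, tlv(0x1E, name.encode("utf-16-be")))
        return tlv(0x31, tlv(0x30, encode_oid(OID_FRIENDLY_NAME) + value))
    def shrouded_bag(name, payload):       # payload is a placeholder, not a key
        return tlv(0x30, encode_oid(OID_SHROUDED_KEY_BAG)
                   + tlv(0xA0, tlv(0x30, tlv(0x04, payload))) + friendly(name))
    safe_contents = tlv(0x30, shrouded_bag("mykey", b"placeholder-1")
                        + shrouded_bag("mykey", b"placeholder-2"))
    key_block = tlv(0x30, encode_oid(OID_DATA) + tlv(0xA0, tlv(0x04, safe_contents)))
    cert_block = tlv(0x30, encode_oid(OID_ENCRYPTED_DATA)
                     + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x00"))))
    auth_safe = tlv(0x30, cert_block + key_block)
    return tlv(0x30, tlv(0x02, b"\x03")
               + tlv(0x30, encode_oid(OID_DATA) + tlv(0xA0, tlv(0x04, auth_safe))))

if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pfx()
    inv = inventory(der)
    print("bags:", dict(inv["bags"]), "| distinct aliases:", len(inv["aliases"]),
          "| encrypted blocks not inspected:", inv["encrypted_blocks"])
    if inv["duplicate_aliases"]:
        print("aliases shared by more than one bag:", inv["duplicate_aliases"])
```

Run it as `python3 p12inventory.py example-after-keychain-access.p12` against a real export. On the constructed sample it reports two `pkcs8ShroudedKeyBag` entries but only one distinct alias, which is the shape of the discrepancy above: a bag-level count sees both keys, while anything that keys entries by alias can surface at most one of them. Certificate bags inside an encrypted block are not counted by this script, so compare only the key bag figures with the `openssl` output.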
REPRODUCIBILITY :
This bug can be reproduced always.