-
Bug
-
Resolution: Fixed
-
P3
-
8, 9
-
b156
-
generic
-
generic
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8174601 | 10 | Vincent Ryan | P3 | Resolved | Fixed | b01 |
JDK-8235864 | openjdk8u252 | Vincent Ryan | P3 | Resolved | Fixed | b01 |
JDK-8235893 | openjdk8u242 | Martin Balao Alonso | P3 | Resolved | Fixed | b05 |
JDK-8228389 | 8u241 | Vincent Ryan | P3 | Resolved | Fixed | b01 |
JDK-8235030 | emb-8u241 | Vincent Ryan | P3 | Resolved | Fixed | team |
FULL PRODUCT VERSION :
java version "9-ea"
Java(TM) SE Runtime Environment (build 9-ea+153)
Java HotSpot(TM) 64-Bit Server VM (build 9-ea+153, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Any Java 9 platform. I used x64 Linux (Ubuntu 14.04) and x64 Windows Server 2008 R2.
A DESCRIPTION OF THE PROBLEM :
I believe this bug has been present since changeset 6427:1da93663f8f3 but it's a lot more obvious in Java 9 now that PKCS12 is the default KeyStore type. The bug is also visible on Java 8 if you're explicitly using PKCS12 rather than JKS.
REGRESSION. Last worked in version 8u121
ADDITIONAL REGRESSION INFORMATION:
Any Java 1.4, 1.5, 1.6, or 1.7 works fine, as does 1.8 unless you're explicitly using PKCS12.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Execute the test code with -enableassertions
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Passed (or omitted "-enableassertions"?)
ACTUAL -
X509TrustManager has no trust roots (!?): sun.security.ssl.X509TrustManagerImpl@224edc67
Exception in thread "main" java.lang.AssertionError: Oh where, oh where has my little cert gone?
at Bug8079616OnceMoreWithFeeling.main(Bug8079616OnceMoreWithFeeling.java:37)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/**
* KeyStore regression in Java 9.
* <p>
* This code works on Java 1.4, 1.5, 1.6, 1.7 and 1.8 but fails on Java 9
* because the default KeyStore type is now PKCS12. It also fails on 1.8
* if the KeyStore type is explicitly chosen to be PKCS12.
*/
public class Bug8079616OnceMoreWithFeeling {
public static void main(String[] ignored) throws Exception {
// The first few lines below are just setup, not part of the test
KeyStore pleaseUseCACerts = null;
X509Certificate testCert = gimmeACert(pleaseUseCACerts);
assert testCert != null;
// Test code starts here
String storeType = KeyStore.getDefaultType(); // or hard-code "pkcs12"
KeyStore p12 = KeyStore.getInstance(storeType);
p12.load(null, null);
p12.setCertificateEntry("testCert", testCert);
assert p12.size() == 1;
assert Collections.list(p12.aliases()).size() == 1;
X509Certificate check = gimmeACert(p12);
assert check != null: "Oh where, oh where has my little cert gone?";
assert check.equals(testCert);
System.out.println("Passed (or omitted \"-enableassertions\"?)");
}
static X509Certificate gimmeACert(KeyStore storeOrNull) {
TrustManager[] reallyOnlyOne;
try {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmf.init(storeOrNull);
reallyOnlyOne = tmf.getTrustManagers();
} catch (NoSuchAlgorithmException bogus) {
throw new AssertionError(bogus);
} catch (KeyStoreException bogus) {
throw new AssertionError(bogus);
}
// Stick with pre-1.5 syntax to allow execution on 1.4
for (int i = 0; i < reallyOnlyOne.length; i++) {
TrustManager tm = reallyOnlyOne[i];
if (tm instanceof X509TrustManager) {
X509Certificate[] certs =
((X509TrustManager) tm).getAcceptedIssuers();
if (certs.length > 0) {
return certs[0];
} else {
System.err.println(
"X509TrustManager has no trust roots (!?): " + tm);
// ... which would lead to hair-pulling later in SSL code
}
}
// TODO: Else log somewhat surprising non-X.509 TrustManager
}
return null; // (Evil if this was an API, but fine for this test)
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Eschew Java 9, or set the default KeyStore type back to JKS, or explicitly use KeyStore.getInstance("JKS")
java version "9-ea"
Java(TM) SE Runtime Environment (build 9-ea+153)
Java HotSpot(TM) 64-Bit Server VM (build 9-ea+153, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Any Java 9 platform. I used x64 Linux (Ubuntu 14.04) and x64 Windows Server 2008 R2.
A DESCRIPTION OF THE PROBLEM :
I believe this bug has been present since changeset 6427:1da93663f8f3 but it's a lot more obvious in Java 9 now that PKCS12 is the default KeyStore type. The bug is also visible on Java 8 if you're explicitly using PKCS12 rather than JKS.
REGRESSION. Last worked in version 8u121
ADDITIONAL REGRESSION INFORMATION:
Any Java 1.4, 1.5, 1.6, or 1.7 works fine, as does 1.8 unless you're explicitly using PKCS12.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Execute the test code with -enableassertions
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Passed (or omitted "-enableassertions"?)
ACTUAL -
X509TrustManager has no trust roots (!?): sun.security.ssl.X509TrustManagerImpl@224edc67
Exception in thread "main" java.lang.AssertionError: Oh where, oh where has my little cert gone?
at Bug8079616OnceMoreWithFeeling.main(Bug8079616OnceMoreWithFeeling.java:37)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/**
* KeyStore regression in Java 9.
* <p>
* This code works on Java 1.4, 1.5, 1.6, 1.7 and 1.8 but fails on Java 9
* because the default KeyStore type is now PKCS12. It also fails on 1.8
* if the KeyStore type is explicitly chosen to be PKCS12.
*/
public class Bug8079616OnceMoreWithFeeling {
public static void main(String[] ignored) throws Exception {
// The first few lines below are just setup, not part of the test
KeyStore pleaseUseCACerts = null;
X509Certificate testCert = gimmeACert(pleaseUseCACerts);
assert testCert != null;
// Test code starts here
String storeType = KeyStore.getDefaultType(); // or hard-code "pkcs12"
KeyStore p12 = KeyStore.getInstance(storeType);
p12.load(null, null);
p12.setCertificateEntry("testCert", testCert);
assert p12.size() == 1;
assert Collections.list(p12.aliases()).size() == 1;
X509Certificate check = gimmeACert(p12);
assert check != null: "Oh where, oh where has my little cert gone?";
assert check.equals(testCert);
System.out.println("Passed (or omitted \"-enableassertions\"?)");
}
static X509Certificate gimmeACert(KeyStore storeOrNull) {
TrustManager[] reallyOnlyOne;
try {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmf.init(storeOrNull);
reallyOnlyOne = tmf.getTrustManagers();
} catch (NoSuchAlgorithmException bogus) {
throw new AssertionError(bogus);
} catch (KeyStoreException bogus) {
throw new AssertionError(bogus);
}
// Stick with pre-1.5 syntax to allow execution on 1.4
for (int i = 0; i < reallyOnlyOne.length; i++) {
TrustManager tm = reallyOnlyOne[i];
if (tm instanceof X509TrustManager) {
X509Certificate[] certs =
((X509TrustManager) tm).getAcceptedIssuers();
if (certs.length > 0) {
return certs[0];
} else {
System.err.println(
"X509TrustManager has no trust roots (!?): " + tm);
// ... which would lead to hair-pulling later in SSL code
}
}
// TODO: Else log somewhat surprising non-X.509 TrustManager
}
return null; // (Evil if this was an API, but fine for this test)
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Eschew Java 9, or set the default KeyStore type back to JKS, or explicitly use KeyStore.getInstance("JKS")
- backported by
-
JDK-8174601 KeyStore regression due to default keystore being changed to PKCS12
- Resolved
-
JDK-8228389 KeyStore regression due to default keystore being changed to PKCS12
- Resolved
-
JDK-8235030 KeyStore regression due to default keystore being changed to PKCS12
- Resolved
-
JDK-8235864 KeyStore regression due to default keystore being changed to PKCS12
- Resolved
-
JDK-8235893 KeyStore regression due to default keystore being changed to PKCS12
- Resolved