JDK-8187634

keystore.getCertificateAlias(cert) returns original alias, inconsistent with fix of JDK-6483657


    • b03
    • x86
    • windows
    • Verified

      FULL PRODUCT VERSION :
      java version "1.8.0_144"
      Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
      Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Versión 10.0.10586]

      A DESCRIPTION OF THE PROBLEM :
      I have encountered the bug JDK-8156383, which is about how duplicated aliases in a keystore with the MSCAPI provider can cause problems. It is fixed by adding an extra identifier after the duplicated ones, making each one unique.

      However, the same fix is not done with this method:

              keystore.getCertificateAlias(alias)

      thus causing inconsistency.

      For example, I have cert A and cert B in the same keystore, with the same alias "alias". When fetching the cert by alias, the alias of one of them is changed to "alias (2)" and all is OK. But after that, if we go back to get the alias of these two certs, the same alias is returned. I was expecting "alias" and "alias (2)" to be returned. When only the cert is available, this can cause problems.

      The bug may exist in OpenJDK too, but I haven't tested it.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. In the Windows certmgr, change the alias of two certs to be the same, e.g., "alias".
      2. Run the code I posted below to see the inconsistency.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      All certs with the same alias now have different aliases.
      ACTUAL -
      Inconsistency. Repetition.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.IOException;
      import java.security.KeyStore;
      import java.security.KeyStoreException;
      import java.security.NoSuchAlgorithmException;
      import java.security.cert.CertificateException;
      import java.util.Enumeration;

      import java.security.cert.Certificate;

      public class WhichAliasToPick {
          public static void main(String[] args) {
              System.out.println("OS name: " + System.getProperty("os.name"));
              System.out.println("OS architecture: " + System.getProperty("os.arch")); //this is x64 machine so no error
              System.out.println("Java version: " + System.getProperty("java.version"));
              System.out.println("Java vendor: " + System.getProperty("java.vendor"));
              System.out.println("------------------------------------------------");
              
              try {
                  KeyStore ks = KeyStore.getInstance("Windows-MY");
                  ks.load(null, null);
                  
                  Enumeration<String> as = ks.aliases();
                  while (as.hasMoreElements()) {
                      String alias = as.nextElement();
                      System.out.println("The keystore has alias: " + alias);
                      Certificate ct = ks.getCertificate(alias);
                      System.out.println("The certificate obtained via 'ks.getCertificate(alias)' is: " + ct.toString());
                      System.out.println("");
                      String alias2 = ks.getCertificateAlias(ct);
                      System.out.println("For this certificate, the result of 'ks.getCertificateAlias(ct)' is: " + alias2);
                      if (alias.equals(alias2)) {
                          System.out.println("These two alias are the same. ");
                          System.out.println("------------------------------------------------");
                      } else {
                          System.out.println("These two alias are not the same, bug persists!");
                          break;
                      }
                      
                  }
              } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
                  e.printStackTrace();
              }
          }
      }

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Change alias in the certmgr. This is annoying if it involves massive manual config.

            weijun Weijun Wang
            webbuggrp Webbug Group
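
An added example, not part of the original report or of the JDK: when only the certificate is available, one way to avoid depending on `getCertificateAlias(cert)` is to build the reverse mapping from `ks.aliases()` and `ks.getCertificate(alias)`, the two calls the report says already return de-duplicated aliases, and to refuse to pick an alias when the mapping is ambiguous. The class and method names `AliasIndex`, `index` and `uniqueAlias` are hypothetical, and the code assumes the same "Windows-MY" store used in the report.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (hypothetical names): reverse lookup from certificate to alias
// that does not rely on KeyStore.getCertificateAlias(cert).
public class AliasIndex {

    // Map each certificate to every alias that ks.aliases() reports for it.
    static Map<Certificate, List<String>> index(KeyStore ks) throws Exception {
        Map<Certificate, List<String>> byCert = new HashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert != null) { // skip aliases that carry no certificate
                byCert.computeIfAbsent(cert, c -> new ArrayList<>()).add(alias);
            }
        }
        return byCert;
    }

    // Resolve a certificate to exactly one alias, or fail instead of guessing.
    static String uniqueAlias(Map<Certificate, List<String>> byCert, Certificate cert) {
        List<String> aliases = byCert.getOrDefault(cert, Collections.emptyList());
        if (aliases.size() != 1) {
            throw new IllegalStateException("expected exactly one alias, found " + aliases);
        }
        return aliases.get(0);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY"); // same store as in the report
        ks.load(null, null);
        for (Map.Entry<Certificate, List<String>> e : index(ks).entrySet()) {
            String viaApi = ks.getCertificateAlias(e.getKey());
            // Per the report, the API answer can be an alias that the store no
            // longer lists for this certificate (e.g. "alias" instead of "alias (2)").
            boolean consistent = e.getValue().contains(viaApi);
            System.out.println(e.getValue() + " vs getCertificateAlias: " + viaApi
                    + (consistent ? "" : "  <-- inconsistent"));
        }
    }
}
```

`uniqueAlias` is the call to use before handing an alias to `ks.getKey(...)`: it throws when a certificate maps to zero or several aliases, so a signing or TLS client-auth path never silently selects the wrong entry.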