-
Bug
-
Resolution: Incomplete
-
P4
-
None
-
9.0.1
-
x86_64
-
linux_ubuntu
FULL PRODUCT VERSION :
root@af65e2481e5f:/# java -version
openjdk version "9-Ubuntu"
OpenJDK Runtime Environment (build 9-Ubuntu+0-9b161-1)
OpenJDK 64-Bit Server VM (build 9-Ubuntu+0-9b161-1, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux af65e2481e5f 4.9.49-moby #1 SMP Wed Sep 27 23:17:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
(Inside docker run -it ubuntu:17.04 )
EXTRA RELEVANT SYSTEM CONFIGURATION :
root@af65e2481e5f:/# env | sort
HOME=/root
HOSTNAME=af65e2481e5f
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
TERM=xterm
_=/usr/bin/env
no_proxy=*.local, 169.254/16
A DESCRIPTION OF THE PROBLEM :
I am unable to select a specific cert according to it's alias for at least one certificate bundled in the openjdk 9 release I've installed.
Here's my attempt to list the cert given it's alias.
root@af65e2481e5f:/# keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -alias debian:certinomis_-_autorit?_racine.pem -storepass changeit
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Alias <debian:certinomis_-_autorit?_racine.pem> does not exist
I am however able to find the cert by narrowing the output via grep.
root@af65e2481e5f:/# keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -storepass changeit | grep -A1 debian:certinomis_-_autorit?_racine.pem
Warning: use -cacerts option to access cacerts keystore
debian:certinomis_-_autorit?_racine.pem, Nov 8, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17
The -alias flag is working for a closely named alias:
root@af65e2481e5f:/# keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -storepass changeit -alias debian:certinomis_-_root_ca.pem
Warning: use -cacerts option to access cacerts keystore
debian:certinomis_-_root_ca.pem, Nov 8, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
For reference, here's the first part of the certificate, shown with -list -v
Alias name: debian:certinomis_-_autorit?_racine.pem
Creation date: Nov 8, 2017
Entry type: trustedCertEntry
Owner: CN=Certinomis - Autorit? Racine, OU=0002 433998903, O=Certinomis, C=FR
Issuer: CN=Certinomis - Autorit? Racine, OU=0002 433998903, O=Certinomis, C=FR
Serial number: 1
Valid from: Wed Sep 17 08:28:59 UTC 2008 until: Sun Sep 17 08:28:59 UTC 2028
Certificate fingerprints:
SHA1: 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
SHA256: FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17
My hunch is that the ? (probably a non-ascii character) is throwing off encoding/decoding somewhere, but I can't be sure.
I've tried escaping the following characters : - ? . (with one and two \'s), but none of the combinations work.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -alias debian:certinomis_-_autorit?_racine.pem -storepass changeit
Would return the specified certificate
ACTUAL -
keytool error: java.lang.Exception: Alias <debian:certinomis_-_autorit?_racine.pem> does not exist
REPRODUCIBILITY :
This bug can be reproduced always.
root@af65e2481e5f:/# java -version
openjdk version "9-Ubuntu"
OpenJDK Runtime Environment (build 9-Ubuntu+0-9b161-1)
OpenJDK 64-Bit Server VM (build 9-Ubuntu+0-9b161-1, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux af65e2481e5f 4.9.49-moby #1 SMP Wed Sep 27 23:17:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
(Inside docker run -it ubuntu:17.04 )
EXTRA RELEVANT SYSTEM CONFIGURATION :
root@af65e2481e5f:/# env | sort
HOME=/root
HOSTNAME=af65e2481e5f
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
TERM=xterm
_=/usr/bin/env
no_proxy=*.local, 169.254/16
A DESCRIPTION OF THE PROBLEM :
I am unable to select a specific cert according to it's alias for at least one certificate bundled in the openjdk 9 release I've installed.
Here's my attempt to list the cert given it's alias.
root@af65e2481e5f:/# keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -alias debian:certinomis_-_autorit?_racine.pem -storepass changeit
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Alias <debian:certinomis_-_autorit?_racine.pem> does not exist
I am however able to find the cert by narrowing the output via grep.
root@af65e2481e5f:/# keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -storepass changeit | grep -A1 debian:certinomis_-_autorit?_racine.pem
Warning: use -cacerts option to access cacerts keystore
debian:certinomis_-_autorit?_racine.pem, Nov 8, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17
The -alias flag is working for a closely named alias:
root@af65e2481e5f:/# keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -storepass changeit -alias debian:certinomis_-_root_ca.pem
Warning: use -cacerts option to access cacerts keystore
debian:certinomis_-_root_ca.pem, Nov 8, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
For reference, here's the first part of the certificate, shown with -list -v
Alias name: debian:certinomis_-_autorit?_racine.pem
Creation date: Nov 8, 2017
Entry type: trustedCertEntry
Owner: CN=Certinomis - Autorit? Racine, OU=0002 433998903, O=Certinomis, C=FR
Issuer: CN=Certinomis - Autorit? Racine, OU=0002 433998903, O=Certinomis, C=FR
Serial number: 1
Valid from: Wed Sep 17 08:28:59 UTC 2008 until: Sun Sep 17 08:28:59 UTC 2028
Certificate fingerprints:
SHA1: 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
SHA256: FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17
My hunch is that the ? (probably a non-ascii character) is throwing off encoding/decoding somewhere, but I can't be sure.
I've tried escaping the following characters : - ? . (with one and two \'s), but none of the combinations work.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
keytool -list -keystore /usr/lib/jvm/java-9-openjdk-amd64/lib/security/cacerts -alias debian:certinomis_-_autorit?_racine.pem -storepass changeit
Would return the specified certificate
ACTUAL -
keytool error: java.lang.Exception: Alias <debian:certinomis_-_autorit?_racine.pem> does not exist
REPRODUCIBILITY :
This bug can be reproduced always.