JDK-8201290

keytool importcert fails with CertificateParsingException if unknown certificate algorithms should be imported


    • b07
    • x86_64
    • windows_7

      A DESCRIPTION OF THE REQUEST:
      I'm using a certificate using a Brainpool elliptic curve parameter. This is not supported in Java 8. I was searching if it is possible to provide a different crypto provider, e.g. BouncyCastle. This was working to migrate PKCS#12 keystores into a JKS keystore. But for importing a simple certificate into a truststore such an option is not available. This prevents using such a certificate in a truststore, which results in not being able to start a TLS-based server that needs this truststore for the CI certificate.

      JUSTIFICATION:
      The Brainpool elliptic curve is a standard used today. It should be supported, but also in the case of a new or different algorithmic parameter it should be possible to supply a source crypto provider which is able to handle it correctly.

      EXPECTED VERSUS ACTUAL BEHAVIOR:
      EXPECTED -
      The certificate should be imported.
      ACTUAL -
      The following exception is thrown:

      keytool error: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.36.3.3.2.8.1.1.7

      ---------- BEGIN SOURCE ----------
      See the needed data in the patched project:

      https://github.com/koh-osug/java-keytool

      keytool.exe -importcert -alias ci -file CERT_CI_ECDSA_BRP.der -keystore truststore.jks -providerPath bcprov-jdk15on-1.59.jar -v -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND:
      None, but I have released a patched version:

      https://github.com/koh-osug/java-keytool

      The only needed change starts at line 916:

      https://github.com/koh-osug/java-keytool/blob/master/src/main/java/sun/security/tools/keytool/Main2.java#L916

                  // Build the X.509 CertificateFactory from the explicitly supplied
                  // source provider when one was given; the stock keytool always
                  // uses the default provider here, so an unknown named curve in the
                  // certificate's public key fails before the entry can be stored.
                  if (srcProviderName != null) {
                      cf = CertificateFactory.getInstance("X509", srcProviderName);
                  }
                  else {
                      cf = CertificateFactory.getInstance("X509");
                  }
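The following is an added example, not code from the bug report or from the patched keytool fork linked above. It does outside keytool what the requested option would do inside it: parse a DER certificate with BouncyCastle's X.509 CertificateFactory (the OID in the error message, 1.3.36.3.3.2.8.1.1.7, is brainpoolP256r1) and store it as a trusted entry in a JKS truststore. It assumes bcprov-jdk15on is on the classpath; the class name, the argument layout and the alias are the example's own choices.

```java
// Added example (not from the bug report or the java-keytool fork): import a
// DER-encoded certificate into a JKS truststore via BouncyCastle's X.509
// CertificateFactory. Assumes bcprov-jdk15on on the classpath.
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class ImportWithProvider {

    // Parse a DER certificate with the named provider. Naming the provider is the
    // programmatic equivalent of keytool's -providerClass: the default (SUN)
    // factory rejects public keys on curves it does not know.
    static X509Certificate parse(File certFile, String providerName) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509", providerName);
        try (InputStream in = new FileInputStream(certFile)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Add the certificate as a trusted entry, creating the truststore if absent.
    static void addTrusted(File storeFile, char[] password, String alias,
                           X509Certificate cert) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) {
                ts.load(in, password);
            }
        } else {
            ts.load(null, password);
        }
        ts.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            ts.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ImportWithProvider <cert.der> <truststore.jks> <alias> <password>");
            System.exit(2);
        }
        File certFile = new File(args[0]);
        File storeFile = new File(args[1]);
        String alias = args[2];
        char[] password = args[3].toCharArray();

        // Demonstrate the failure mode first: the default provider cannot parse
        // the key (CertificateParsingException is a CertificateException).
        try {
            parse(certFile, "SUN");
            System.out.println("default provider parsed the certificate; no workaround needed");
        } catch (CertificateException e) {
            System.out.println("default provider failed: " + e.getMessage());
        }

        // Put BouncyCastle FIRST, not last: KeyStore.load re-parses every stored
        // certificate with the default X.509 factory, so a truststore that already
        // holds a Brainpool certificate cannot even be opened while SUN wins.
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        X509Certificate cert = parse(certFile, BouncyCastleProvider.PROVIDER_NAME);
        addTrusted(storeFile, password, alias, cert);
        System.out.println("imported " + cert.getSubjectX500Principal() + " as '" + alias + "'");
    }
}
```

Run it as `java -cp bcprov-jdk15on-1.59.jar:. ImportWithProvider CERT_CI_ECDSA_BRP.der truststore.jks ci changeit` (use `;` as the separator on Windows). Two caveats follow from the provider-ordering comment: the JVM that later loads this truststore (the TLS server in the report) has to register BouncyCastle ahead of SUN as well, through `Security.insertProviderAt` or the `security.provider.N` entries in `java.security`, or `KeyStore.load` fails with the same "Unknown named curve" exception; and importing the certificate only fixes parsing, so whether the server's JSSE implementation can then negotiate or validate a Brainpool-based chain is a separate question for that implementation.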

            weijun Weijun Wang
            webbuggrp Webbug Group