- Enhancement
- Resolution: Fixed
- P4
- 8, 9, 10, 11
- b07
- x86_64
- windows_7
A DESCRIPTION OF THE REQUEST :
I'm using a certificate with a Brainpool elliptic curve parameter. This is not supported in Java 8. I was searching for whether it is possible to provide a different crypto provider, e.g. BouncyCastle. This worked for migrating PKCS#12 keystores into a JKS keystore. But for importing a simple certificate into a truststore such an option is not available. This prevents using such a certificate in a truststore, which results in not being able to start a TLS-based server that needs this truststore for the CI certificate.
JUSTIFICATION :
The Brainpool elliptic curve is a standard used today. It should be supported, but also in the case of a new or different algorithmic parameter it should be possible to supply a source crypto provider which is able to handle it correctly.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The certificate should be imported.
ACTUAL -
The following exception is thrown:
Keytool-Fehler: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.36.3.3.2.8.1.1.7
---------- BEGIN SOURCE ----------
See the needed data in the patched project:
https://github.com/koh-osug/java-keytool
keytool.exe -importcert -alias ci -file CERT_CI_ECDSA_BRP.der -keystore truststore.jks -providerPath bcprov-jdk15on-1.59.jar -v -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
None, but I have released a patched version:
https://github.com/koh-osug/java-keytool
The only needed change starts at line 916:
https://github.com/koh-osug/java-keytool/blob/master/src/main/java/sun/security/tools/keytool/Main2.java#L916
    if (srcProviderName != null) {
        cf = CertificateFactory.getInstance("X509", srcProviderName);
    }
    else {
        cf = CertificateFactory.getInstance("X509");
    }
            
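A pre-flight check for the failure reported above, as an added example that is not code from the reporter, the patched keytool, or the JDK: it lists which installed JCA providers accept the curve OID from the exception message and whether each also offers an X.509 CertificateFactory, which helps choose a provider name to pass to a provider-specific `CertificateFactory.getInstance` call. The class and method names are hypothetical, and it only sees providers already registered (for example via `java.security` or `Security.addProvider`), not ones loaded by keytool's own provider options.

```java
import java.security.AlgorithmParameters;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

public class CurveSupportProbe {
    // OID copied from the exception message in the report above.
    static final String CURVE_OID = "1.3.36.3.3.2.8.1.1.7";

    /** Names of installed providers whose EC AlgorithmParameters accept the curve. */
    static List<String> providersSupporting(String curveOid) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("AlgorithmParameters", "EC") == null) {
                continue; // provider offers no EC parameter support at all
            }
            try {
                AlgorithmParameters ap = AlgorithmParameters.getInstance("EC", p);
                ap.init(new ECGenParameterSpec(curveOid)); // throws if curve is unknown
                names.add(p.getName());
            } catch (Exception e) {
                // this provider does not know the curve; try the next one
            }
        }
        return names;
    }

    /** True if the named provider also registers an X.509 CertificateFactory. */
    static boolean hasX509Factory(String providerName) {
        Provider p = Security.getProvider(providerName);
        return p != null && p.getService("CertificateFactory", "X.509") != null;
    }

    public static void main(String[] args) {
        List<String> ok = providersSupporting(CURVE_OID);
        if (ok.isEmpty()) {
            System.out.println("No installed provider knows curve " + CURVE_OID);
        }
        for (String name : ok) {
            System.out.println(name + ": curve known, X.509 factory: " + hasX509Factory(name));
        }
    }
}
```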
- csr for: JDK-8208689 keytool importcert fails with CertificateParsingException if unknown certificate algorithms should be imported (Closed)
- relates to: JDK-7007966 Add Brainpool ECC support (RFC 5639) (Resolved)