JDK-8202893

Invalid Keystore format exception when cacerts file is of a type other than JKS or PKCS12


      A DESCRIPTION OF THE PROBLEM :
      sun.security.util.AnchorCertificates assumes that the cacerts file is of type JKS.
      This is not necessarily the case.
      If the cacerts file is not of type JKS (or PKCS12), the following exception is written to the console:

      java.io.IOException: Invalid keystore format
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
      at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
      at java.security.KeyStore.load(KeyStore.java:1445)
      at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:61)
      at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:52)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.util.AnchorCertificates.<clinit>(AnchorCertificates.java:52)
      at sun.security.provider.certpath.AlgorithmChecker.checkFingerprint(AlgorithmChecker.java:214)
      at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:164)
      at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:118)
      at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:157)
      at sun.security.validator.Validator.validate(Validator.java:260)
      at sun.security.validator.Validator.validate(Validator.java:236)
      at sun.security.validator.Validator.validate(Validator.java:205)
      at javax.crypto.JarVerifier.isTrusted(JarVerifier.java:610)
      at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:530)
      at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:363)
      at javax.crypto.JarVerifier.verify(JarVerifier.java:289)
      at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:164)
      at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:190)
      at javax.crypto.Cipher.getInstance(Cipher.java:652)
      at javax.crypto.Cipher.getInstance(Cipher.java:595)
      at com.sita.ats.itd.KeyLengthCheck.main(KeyLengthCheck.java:22)

      The problem code, from a decompiled copy of the class, is the highlighted line:
                      File f = new File(System.getProperty("java.home"),
                              "lib/security/cacerts");
                      KeyStore cacerts;
                      try {
                          cacerts = KeyStore.getInstance("JKS"); <----------------------------------
                          try (FileInputStream fis = new FileInputStream(f)) {
                              .
                              .
                              .
                          }
                      } catch (Exception e) {
                          .
                          .
                          .
                      }
                      return null;
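The hard-coded KeyStore.getInstance("JKS") above is the whole problem: the load fails with "Invalid keystore format" as soon as the file is anything else, and the catch block swallows it. The following is an added example, not JDK code and not the reporter's code, of how a trust store can be loaded without assuming its format. The class name CacertsTypeCheck is invented; the leading magic numbers it checks are the ones the JDK's own JKS (0xfeedfeed) and JCEKS (0xcececece) implementations write, and a PKCS#12 file is DER, so it starts with a SEQUENCE tag (0x30). The detected type is tried first, then the configured keystore.type, then JKS.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.util.Collections;

/**
 * Added example (not JDK code): load the JDK trust store without assuming it is a JKS file.
 * The type is chosen from the file's leading magic number, with the configured
 * keystore.type and then JKS as fallbacks.
 */
public class CacertsTypeCheck {

    // Leading 4-byte magic of the two proprietary formats (JavaKeyStore.MAGIC, JceKeyStore.JCEKS_MAGIC).
    private static final int JKS_MAGIC = 0xfeedfeed;
    private static final int JCEKS_MAGIC = 0xcececece;
    // A PKCS#12 file is DER, so its first byte is a SEQUENCE tag.
    private static final int DER_SEQUENCE = 0x30;

    /** Guess the store type from the first four bytes of the file; null if unrecognised. */
    static String detectType(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            int magic = in.readInt();          // EOFException (an IOException) if the file is shorter than 4 bytes
            if (magic == JKS_MAGIC) return "JKS";
            if (magic == JCEKS_MAGIC) return "JCEKS";
            if ((magic >>> 24) == DER_SEQUENCE) return "PKCS12";
            return null;
        }
    }

    /** Load the trust store, trying the detected type, then the configured default, then JKS. */
    static KeyStore loadTrustStore(Path file) throws Exception {
        String[] candidates = { detectType(file), Security.getProperty("keystore.type"), "JKS" };
        Exception last = null;
        for (String type : candidates) {
            if (type == null) continue;
            try (InputStream in = Files.newInputStream(file)) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, null);             // null password: trust anchors only, no integrity check
                return ks;
            } catch (Exception e) {
                last = e;                      // wrong type gives "Invalid keystore format"; try the next one
            }
        }
        throw new IOException("not a loadable keystore: " + file, last);
    }

    public static void main(String[] args) throws Exception {
        // Same path AnchorCertificates uses; an explicit path can be passed as the first argument.
        Path cacerts = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        System.out.println("detected type: " + detectType(cacerts));
        KeyStore ks = loadTrustStore(cacerts);
        System.out.println("loaded as " + ks.getType() + " with " + ks.size() + " entries");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("  " + alias);
            }
        }
    }
}
```

Run it as `java CacertsTypeCheck` (or with the path of a converted cacerts) before and after switching keystore.type to confirm which format the trust store actually has. On JDK 9 and later the same probing is available from the platform itself through KeyStore.getInstance(File, char[]), which picks the type from the file content; the manual version above also works on JDK 8, where that overload does not exist.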

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Install a JDK
      - Edit the java.security file in the jre/lib/security folder for the JDK. Set the default keystore to JCEKS.
            #
            # Default keystore type.
            #
            keystore.type=jceks
      - Import a custom certificate into the jre/lib/security/cacerts trust store using keytool.
      - Compile and run a Java application that requires encryption. I use the main method given under BEGIN SOURCE below.

      The exception mentioned above will be sent to the error console.


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The application should run successfully without any errors being shown.
      ACTUAL -
      The application runs successfully, but the same java.io.IOException: Invalid keystore format stack trace quoted in the description above (thrown from sun.security.provider.JavaKeyStore.engineLoad via sun.security.util.AnchorCertificates and javax.crypto.JceSecurity.verifyProviderJar) is written to the error console.

      ---------- BEGIN SOURCE ----------
            import javax.crypto.Cipher;
            public class KeyLengthCheck {
                public static void main(String[] args) throws Exception {
                    // Requesting a SunJCE cipher triggers provider-jar verification, which loads cacerts
                    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "SunJCE");
                    System.out.println("AES/CBC/PKCS5Padding algorithm is " + cipher.getAlgorithm());
                }
            }
      ---------- END SOURCE ----------

      FREQUENCY : always


            pkoppula Prasadarao Koppula (Inactive)
            webbuggrp Webbug Group