- Bug
- Resolution: Fixed
- P3
- 11, 12
- b22
- x86_64
- linux
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8214328 | 11.0.3-oracle | Ivan Gerasimov | P3 | Resolved | Fixed | master |
JDK-8219430 | 11.0.3 | Weijun Wang | P3 | Resolved | Fixed | master |
ADDITIONAL SYSTEM INFORMATION :
openjdk version "11.0.1" 2018-10-16
OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)
A DESCRIPTION OF THE PROBLEM :
On line 1326 in the sun.security.tools.keytool.Main class:
// Probe for real type. A JKS can be loaded as PKCS12 because
// DualFormat support, vice versa.
keyStore = KeyStore.getInstance(f, pass);
If the format of the keystore is not one already recognized and the required provider does not implement the new KeyStoreSpi.engineProbe() method, the supporting provider will return false and the keytool will throw an exception keytool error: java.security.KeyStoreException: Unrecognized keystore format: null.
We are raising this as we are aware that, if the situation stays as it is, this issue will act as a significant impediment to users who simply wish to migrate to Java 11 rather than update to a BC provider that supports engineProbe() as well. Although the keytool still creates files, ignoring the exception is not something a lot of our users are comfortable with.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
keytool -genkeypair -keyalg RSA -alias selfsigned -keysize 2048 -sigalg SHA256withRSA -keystore keystore.bcfks -keypass password -storepass password -validity 365 -storetype BCFKS -providerName BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.1.jar
bc-fips-1.0.1.jar is available from https://www.bouncycastle.org/fips-java
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/tmp/src/bc-fips-1.0.1.jar) to method sun.security.jca.Providers.getSunProvider()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
<command prompt>
ACTUAL -
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/tmp/src/bc-fips-1.0.1.jar) to method sun.security.jca.Providers.getSunProvider()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
keytool error: java.security.KeyStoreException: Unrecognized keystore format: null
<command prompt>
---------- BEGIN SOURCE ----------
keytool -genkeypair -keyalg RSA -alias selfsigned -keysize 2048 -sigalg SHA256withRSA -keystore keystore.bcfks -keypass password -storepass password -validity 365 -storetype BCFKS -providerName BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.1.jar
bc-fips-1.0.1.jar is available from https://www.bouncycastle.org/fips-java
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
The tool still creates the keystore so it is possible to ignore the exception.
FREQUENCY : always
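The probing call quoted in the report, reproduced outside keytool as an added example (not code from the JDK or from the reporter). DEMO, DEMOKS and NoProbeSpi are constructed stand-ins for a provider whose KeyStoreSpi inherits the default engineProbe(), and the stored file holds constructed bytes. It shows KeyStore.getInstance(File, char[]) rejecting the file while a load with an explicit type and provider succeeds.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
public class ProbeDemo {
    // Constructed keystore SPI: engineProbe() is NOT overridden, so the
    // inherited KeyStoreSpi default (return false) answers every probe.
    public static class NoProbeSpi extends KeyStoreSpi {
        public Key engineGetKey(String a, char[] p) { return null; }
        public Certificate[] engineGetCertificateChain(String a) { return null; }
        public Certificate engineGetCertificate(String a) { return null; }
        public Date engineGetCreationDate(String a) { return null; }
        public void engineSetKeyEntry(String a, Key k, char[] p, Certificate[] c) {}
        public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) {}
        public void engineSetCertificateEntry(String a, Certificate c) {}
        public void engineDeleteEntry(String a) {}
        public Enumeration<String> engineAliases() { return Collections.emptyEnumeration(); }
        public boolean engineContainsAlias(String a) { return false; }
        public int engineSize() { return 0; }
        public boolean engineIsKeyEntry(String a) { return false; }
        public boolean engineIsCertificateEntry(String a) { return false; }
        public String engineGetCertificateAlias(Certificate c) { return null; }
        // Writes 32 constructed zero bytes as the "keystore" content.
        public void engineStore(OutputStream o, char[] p) throws IOException { o.write(new byte[32]); }
        public void engineLoad(InputStream in, char[] p) {}
    }
    static class DemoProvider extends Provider {
        DemoProvider() {
            super("DEMO", "1.0", "constructed provider without engineProbe");
            put("KeyStore.DEMOKS", NoProbeSpi.class.getName());
        }
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new DemoProvider());
        char[] pass = "password".toCharArray();
        File f = File.createTempFile("demo", ".ks");
        f.deleteOnExit();
        KeyStore ks = KeyStore.getInstance("DEMOKS", "DEMO");
        ks.load(null, pass);
        try (OutputStream out = new FileOutputStream(f)) { ks.store(out, pass); }
        try {
            KeyStore.getInstance(f, pass); // type probing, the call keytool makes
        } catch (KeyStoreException e) {
            System.out.println("probe failed: " + e.getMessage());
        }
        KeyStore explicit = KeyStore.getInstance("DEMOKS", "DEMO"); // no probing
        try (InputStream in = new FileInputStream(f)) { explicit.load(in, pass); }
        System.out.println("explicit load ok, type=" + explicit.getType());
    }
}
```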
- backported by
  - JDK-8214328 use of keystore probing results in unnecessary exception thrown (Resolved)
  - JDK-8219430 use of keystore probing results in unnecessary exception thrown (Resolved)