JDK-8271369: Regression: keytool and java.security.KeyStore create invalid MAC in PKCS12

Details

    • Bug
    • Resolution: Withdrawn
    • P2
    • None
    • 16, 17
    • security-libs
    • 16
    • x86_64
    • os_x

    Description

      When using java.security.KeyStore, I noticed that the created .p12 file can't be opened by macOS' Keychain Access.

      Doing some experiments, I could show that this is a regression. The file is undamaged when created with JDK 15 and below.

      Test case:
      ```
      ${JAVA_HOME}/bin/keytool -genkey -keystore foo.p12 -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=Self Signed" -validity 730
      security import foo.p12 -k login.keychain
      ```

      Expected Result: Output "1 identity imported." (as in JDK 15)

      Actual Result: Output "security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)" (JDK 16+)

      Additional Info: Running `openssl pkcs12 -info -in foo.p12` can read both and shows different PBE metadata:

      <=15:
      ```
      MAC Iteration 100000
      MAC verified OK
      PKCS7 Data
      Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
      Bag Attributes
          friendlyName: mykey
          localKeyID: 54 69 6D 65 20 31 36 32 37 34 35 34 36 38 33 37 38 33
      Key Attributes: <No Attributes>
      ```

      >=16:
      ```
      MAC Iteration 10000
      MAC verified OK
      PKCS7 Data
      Shrouded Keybag: Bag Attributes
          friendlyName: mykey
          localKeyID: 54 69 6D 65 20 31 36 32 37 34 35 35 32 32 32 30 33 30
      ```
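      As an added diagnostic (not part of the original report, and not JDK code), the following Python script reads the MacData structure of a PKCS12 file and reports the MAC digest algorithm, iteration count and salt length, so the two files compared above can be inspected directly without relying on what a given openssl build prints. The `sample_pfx` helper builds a constructed PFX skeleton for the demo; it is not a usable keystore, and the OIDs are the standard id-data, SHA-1 and SHA-256 identifiers.

```python
import sys

DIGEST_NAMES = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256"}

def read_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 groups, high bit set on all but the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def pkcs12_mac_info(pfx_der):
    """Return (digest name, iteration count, salt length) from a PFX's MacData, or None."""
    _, pfx, _ = read_tlv(pfx_der, 0)             # PFX ::= SEQUENCE {version, authSafe, macData OPTIONAL}
    _, _, off = read_tlv(pfx, 0)                 # version INTEGER
    _, _, off = read_tlv(pfx, off)               # authSafe ContentInfo (not needed here)
    if off >= len(pfx):
        return None                              # no MacData: file carries no integrity MAC
    _, mac_data, _ = read_tlv(pfx, off)          # MacData ::= SEQUENCE {mac DigestInfo, macSalt, iterations DEFAULT 1}
    _, digest_info, m = read_tlv(mac_data, 0)
    _, salt, m = read_tlv(mac_data, m)
    iterations = int.from_bytes(read_tlv(mac_data, m)[1], "big") if m < len(mac_data) else 1
    _, alg_id, _ = read_tlv(digest_info, 0)      # DigestInfo.digestAlgorithm AlgorithmIdentifier
    oid = decode_oid(read_tlv(alg_id, 0)[1])
    return DIGEST_NAMES.get(oid, oid), iterations, len(salt)

def der(tag, body):
    """Minimal DER TLV encoder (short and long lengths), used only for the constructed sample."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def sample_pfx(iterations):
    """Constructed PFX skeleton (not a usable keystore): empty authSafe plus a SHA-256 MacData."""
    data_oid = bytes.fromhex("2A864886F70D010701")           # id-data 1.2.840.113549.1.7.1
    sha256_oid = bytes.fromhex("608648016503040201")         # 2.16.840.1.101.3.4.2.1
    auth_safe = der(0x30, der(0x06, data_oid) + der(0xA0, der(0x04, b"")))
    alg_id = der(0x30, der(0x06, sha256_oid) + der(0x05, b""))
    digest_info = der(0x30, alg_id + der(0x04, bytes(32)))
    it = iterations.to_bytes((iterations.bit_length() + 8) // 8, "big")   # positive INTEGER
    mac_data = der(0x30, digest_info + der(0x04, bytes(20)) + der(0x02, it))
    return der(0x30, der(0x02, b"\x03") + auth_safe + mac_data)

if __name__ == "__main__":   # pass a .p12 path to inspect a real file; otherwise the sample is used
    print(pkcs12_mac_info(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pfx(10000)))
```

      Run it against a foo.p12 produced by each JDK to see the digest algorithm and iteration count behind the "MAC Iteration" lines above.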

People

Assignee: Unassigned
Reporter: Sebastian Stenzel (sstenzel)
