-
Bug
-
Resolution: Unresolved
-
P4
-
None
-
8, 24
-
generic
-
generic
ADDITIONAL SYSTEM INFORMATION :
x86_64 Linux
LANG=de_DE.UTF-8
openjdk 24.0.1 2025-04-15
OpenJDK Runtime Environment (build 24.0.1+9-30)
OpenJDK 64-Bit Server VM (build 24.0.1+9-30, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
There appears to be a regression in keytool commit fa5ff82 (8342062: Reformat keytool and jarsigner output for keys with a named parameter set) at java.base/sun.security.tools.keytool.Main:3629
In the method withWeakConstraint, the marked line was changed such that displayAlg (a String) is now passed as the first parameter to the format string provided by rb.getString("key.bit"). Before this commit, kLen was given (an int derived from key). I didn't dig into the resource bundle, but it appears that this wasn't changed from something with %d as the first parameter, at least not in the German locale: I was running keytool with LANG=de_DE.UTF-8.
private String withWeakConstraint(Key key,
CertPathConstraintsParameters cpcp) {
String displayAlg = fullDisplayKeyName(key);
try {
DISABLED_CHECK.permits(key.getAlgorithm(), cpcp, true);
} catch (CertPathValidatorException e) {
return String.format(rb.getString("key.bit.disabled"), displayAlg);
}
try {
LEGACY_CHECK.permits(key.getAlgorithm(), cpcp, true);
return String.format(rb.getString("key.bit"), displayAlg); // BUG,
} catch (CertPathValidatorException e) {
return String.format(rb.getString("key.bit.weak"), displayAlg);Add commentMore actions
}
}
I placed a note at https://github.com/openjdk/jdk/commit/fa5ff82eb3f0f2df74acd117509bac6e3c634a3f#r158918438 for your convenience.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
export LANG=de_DE.UTF-8 # may be irrelevant or quite relevant, we'll see. ;)
jdk-24.0.1/bin/keytool -importcert -alias my_ca -file ca.cer -cacerts -v
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The normal import behaviour
ACTUAL -
Invoking keytool with -v revealed the Stack trace:
$ ~/development/jdk-24.0.1/bin/keytool -importcert -alias ca -file ~/ca.cer -cacerts -v
Keytool-Fehler: java.util.IllegalFormatConversionException: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
at java.base/java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4662)
at java.base/java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:3200)
at java.base/java.util.Formatter$FormatSpecifier.print(Formatter.java:3155)
at java.base/java.util.Formatter.format(Formatter.java:2767)
at java.base/java.util.Formatter.format(Formatter.java:2698)
at java.base/java.lang.String.format(String.java:4468)
at java.base/sun.security.tools.keytool.Main.withWeakConstraint(Main.java:3629)
at java.base/sun.security.tools.keytool.Main.printX509Cert(Main.java:3660)
at java.base/sun.security.tools.keytool.Main.addTrustedCert(Main.java:3427)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1228)
at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
at java.base/sun.security.tools.keytool.Main.main(Main.java:400)
x86_64 Linux
LANG=de_DE.UTF-8
openjdk 24.0.1 2025-04-15
OpenJDK Runtime Environment (build 24.0.1+9-30)
OpenJDK 64-Bit Server VM (build 24.0.1+9-30, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
There appears to be a regression in keytool commit fa5ff82 (8342062: Reformat keytool and jarsigner output for keys with a named parameter set) at java.base/sun.security.tools.keytool.Main:3629
In the method withWeakConstraint, the marked line was changed such that displayAlg (a String) is now passed as the first parameter to the format string provided by rb.getString("key.bit"). Before this commit, kLen was given (an int derived from key). I didn't dig into the resource bundle, but it appears that this wasn't changed from something with %d as the first parameter, at least not in the German locale: I was running keytool with LANG=de_DE.UTF-8.
private String withWeakConstraint(Key key,
CertPathConstraintsParameters cpcp) {
String displayAlg = fullDisplayKeyName(key);
try {
DISABLED_CHECK.permits(key.getAlgorithm(), cpcp, true);
} catch (CertPathValidatorException e) {
return String.format(rb.getString("key.bit.disabled"), displayAlg);
}
try {
LEGACY_CHECK.permits(key.getAlgorithm(), cpcp, true);
return String.format(rb.getString("key.bit"), displayAlg); // BUG,
} catch (CertPathValidatorException e) {
return String.format(rb.getString("key.bit.weak"), displayAlg);Add commentMore actions
}
}
I placed a note at https://github.com/openjdk/jdk/commit/fa5ff82eb3f0f2df74acd117509bac6e3c634a3f#r158918438 for your convenience.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
export LANG=de_DE.UTF-8 # may be irrelevant or quite relevant, we'll see. ;)
jdk-24.0.1/bin/keytool -importcert -alias my_ca -file ca.cer -cacerts -v
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The normal import behaviour
ACTUAL -
Invoking keytool with -v revealed the Stack trace:
$ ~/development/jdk-24.0.1/bin/keytool -importcert -alias ca -file ~/ca.cer -cacerts -v
Keytool-Fehler: java.util.IllegalFormatConversionException: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
at java.base/java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4662)
at java.base/java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:3200)
at java.base/java.util.Formatter$FormatSpecifier.print(Formatter.java:3155)
at java.base/java.util.Formatter.format(Formatter.java:2767)
at java.base/java.util.Formatter.format(Formatter.java:2698)
at java.base/java.lang.String.format(String.java:4468)
at java.base/sun.security.tools.keytool.Main.withWeakConstraint(Main.java:3629)
at java.base/sun.security.tools.keytool.Main.printX509Cert(Main.java:3660)
at java.base/sun.security.tools.keytool.Main.addTrustedCert(Main.java:3427)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1228)
at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
at java.base/sun.security.tools.keytool.Main.main(Main.java:400)
- relates to
-
-
- Resolved
-