- Type: Bug
- Resolution: Unresolved
- Priority: P3
- None
- Affects Version/s: 26
- Component/s: security-libs
This regression was noticed by Pete Bentley in https://github.com/google/conscrypt/issues/1486
> The [SunX509KeyManager] alias chooser methods now return null when asked for a key of type EC_EC. This feels like an upstream regression introduced in JDK-8359956 because this style of naming (<key type>_<signature type>) is still very much listed in the Java 25 JCA Standard Names document [1] and the change makes no reference to deprecating them.
[1] https://docs.oracle.com/en/java/javase/25/docs/specs/security/standard-names.html#key-types
Pete also noted:
> only affects EC_EC (not other compound signature types) and only affects self signed certificates and probably only affects tests as nothing in the SSLEngine implementation ever uses EC_EC.
Repro:
```
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.conscrypt.java.security.TestKeyStore;

public final class T {
    public static void main(String[] args) throws Exception {
        // Conscrypt test helper: builds a key store with one entry per listed key algorithm.
        TestKeyStore testKeyStore =
                new TestKeyStore.Builder()
                        .keyAlgorithms("RSA", "DSA", "EC", "EC_RSA")
                        .aliasPrefix("rsa-dsa-ec-dh")
                        .build();

        // Use the platform default key manager algorithm.
        String algorithm = KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(testKeyStore.keyStore, testKeyStore.keyPassword);

        for (KeyManager keyManager : kmf.getKeyManagers()) {
            // Request an alias for the compound key type EC_EC (<key type>_<signature type>).
            String alias = ((X509KeyManager) keyManager).chooseServerAlias("EC_EC", null, null);
            System.out.println("alias: " + alias);
        }
    }
}
```
openjdk full version "26-ea+9-927"
alias: rsa-dsa-ec-dh-private-ec
openjdk full version "26-ea+10-1053"
alias: null
- caused by: JDK-8359956 Support algorithm constraints and certificate checks in SunX509 key manager (Resolved)
- links to: Review(master) openjdk/jdk/30064