Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-5060059

import a CSR reply is not generating prompts as keytool docs say.

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • P4
    • Resolution: Fixed
    • 5.0
    • 8
    • docs
    • None
    • b01
    • generic
    • generic

    Description

      When trying to import a PKCS#7 chain, the docs for keytool -import say:

      ===========
      If the reply is a PKCS#7 formatted certificate chain, the chain is first ordered (with the user certificate first and the self-signed root CA certificate last), before keytool attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the keystore or the "cacerts" keystore file (if the -trustcacerts option was specified). If no match can be found, the information of the root CA certificate is printed out, and the user is prompted to verify it, e.g., by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the root CA itself. The user then has the option of aborting the import operation.
      ===========

      The actual operation of keytool is not what's written above. See attachment
      for the script which combines an OpenSSL CA with keytool operations.
      The following shows what happens when you try to import a reply without
      a trust cert installed in the keystore.


      *******************************************
      Original keystore that had a CSR issued.

      [wetmore@bongos] 601 >keytool -list -v -keystore keystore
      Enter keystore password: changeit

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 1 entry

      Alias name: server
      Creation date: Jun 8, 2004
      Entry type: keyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=radiant.sfbay.sun.com, OU=Java, O=Sun, L=SCA, ST=CA, C=US
      Issuer: CN=radiant.sfbay.sun.com, OU=Java, O=Sun, L=SCA, ST=CA, C=US
      Serial number: 40c629db
      Valid Wrom: WCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNSKVFVWRKJVZCMHVIBGDADRZFSQHYUCD
      Certificate fingerprints:
               MD5: E9:E0:66:B1:25:30:5D:09:11:AF:4F:C3:73:48:D6:83
               SHA1: 29:14:5F:0B:38:55:17:9D:9A:31:C6:2A:14:FD:99:FE:D6:95:AC:96


      *******************************************
      Reply we got from CA. Can't import reply.

      [wetmore@bongos] 603 >keytool -printcert -file server.csr.der
      Owner: CN=radiant.sfbay.sun.com, OU=Java, O=Sun, ST=CA, C=US
      Issuer: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
      Serial number: 1
      Valid Wrom: DJBLVLMHAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJ
      Certificate fingerprints:
               MD5: 25:5C:7B:0C:CB:70:38:64:A1:22:7A:6E:AF:7B:12:81
               SHA1: EA:8C:C7:EE:7F:D9:E4:EC:9E:DC:1F:F6:C7:3A:49:4D:DC:75:5D:37

      [wetmore@bongos] 604 >keytool -import -keystore keystore -alias server -file server.csr.der
      Enter keystore password: changeit
      keytool error: java.lang.Exception: Failed to establish chain from reply

      *******************************************
      CA's trusted cert. Import this and then we can do the above.

      [wetmore@bongos] 602 >keytool -printcert -file ca.crt
      Owner: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
      Issuer: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
      Serial number: 0
      Valid Wrom: JPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULHPQ
      Certificate fingerprints:
               MD5: 85:70:6A:86:B6:BB:FA:9B:74:C3:23:21:EF:CF:10:3A
               SHA1: 49:E8:30:DF:C8:FC:6A:66:05:A2:AD:F7:D2:FB:DD:2A:10:79:A0:9F

      [wetmore@bongos] 607 >keytool -import -keystore keystore -alias CA -file ca.crt Enter keystore password: changeit
      Owner: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
      Issuer: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
      Serial number: 0
      Valid Wrom: QWOYIYZUNNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVW
      Certificate fingerprints:
               MD5: 85:70:6A:86:B6:BB:FA:9B:74:C3:23:21:EF:CF:10:3A
               SHA1: 49:E8:30:DF:C8:FC:6A:66:05:A2:AD:F7:D2:FB:DD:2A:10:79:A0:9F
      Trust this certificate? [no]: yes
      Certificate was added to keystore

      *******************************************
      No problem now.

      [wetmore@bongos] 609 >keytool -import -keystore keystore -alias server -file server.csr.der
      Enter keystore password: changeit
      Certificate reply was installed in keystore

      ###@###.### 2004-06-08

      Attachments

        Activity

          People

            rgallard Raymond Gallardo
            wetmore Bradford Wetmore
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: