Details
-
Bug
-
Resolution: Fixed
-
P3
-
8u66, 9
-
b107
-
Verified
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8156321 | 8u111 | Vincent Ryan | P3 | Resolved | Fixed | b01 |
| JDK-8149822 | 8u102 | Vincent Ryan | P3 | Resolved | Fixed | b01 |
| JDK-8162159 | emb-8u111 | Vincent Ryan | P3 | Resolved | Fixed | b01 |
| JDK-8190248 | 7u181 | Ivan Gerasimov | P3 | Resolved | Fixed | b01 |
| JDK-8190189 | 7u171 | Ivan Gerasimov | P3 | Resolved | Fixed | b07 |
| JDK-8193994 | openjdk7u | Vincent Ryan | P3 | Resolved | Fixed | master |
Description
A PKCS12 KeyStore cannot decrypt and extract an encoded AES SecretKey. The attached program fails with:
Exception in thread "main" java.security.UnrecoverableKeyException: Get Key failed: AES SecretKeyFactory not available
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:419)
at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1291)
at sun.security.util.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:166)
at java.security.KeyStore.getEntry(KeyStore.java:1535)
at P12SecretKey.run(P12SecretKey.java:47)
at P12SecretKey.main(P12SecretKey.java:21)
Caused by: java.security.NoSuchAlgorithmException: AES SecretKeyFactory not available
at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:396)
... 5 more
The problem is that the PKCS12 KeyStore uses a SecretKeyFactory to decode AES keys, but there is no AES SecretKeyFactory implementation except on Solaris (via the PKCS11 provider). It turns out that for SecretKeyFactory, AES is not an essential requirement, since you can use a generic SecretKeySpec object to create an AES key and don't really need a SecretKeyFactory. Also, in general a SecretKeyFactory should not be used with a SecretKeySpec, since by definition, SecretKeySpec objects contain the raw key in a provider-independent format and do not need to be decoded.
Exception in thread "main" java.security.UnrecoverableKeyException: Get Key failed: AES SecretKeyFactory not available
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:419)
at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1291)
at sun.security.util.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:166)
at java.security.KeyStore.getEntry(KeyStore.java:1535)
at P12SecretKey.run(P12SecretKey.java:47)
at P12SecretKey.main(P12SecretKey.java:21)
Caused by: java.security.NoSuchAlgorithmException: AES SecretKeyFactory not available
at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:396)
... 5 more
The problem is that the PKCS12 KeyStore uses a SecretKeyFactory to decode AES keys, but there is no AES SecretKeyFactory implementation except on Solaris (via the PKCS11 provider). It turns out that for SecretKeyFactory, AES is not an essential requirement, since you can use a generic SecretKeySpec object to create an AES key and don't really need a SecretKeyFactory. Also, in general a SecretKeyFactory should not be used with a SecretKeySpec, since by definition, SecretKeySpec objects contain the raw key in a provider-independent format and do not need to be decoded.
Attachments
Issue Links
- backported by
-
JDK-8149822 PKCS12KeyStore cannot extract AES Secret Keys
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- relates to
-
JDK-8181737 Support secret keys and trusted certs in PKCS12 keystore
-
- Resolved
-
(1 backported by, 1 relates to)