JDK-8266293

Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

Details

    • b22

      Description

        Attached is a test that reads the in-memory key and certificate bytes, constructs a key and certificate chain, and attempts to import those into a PKCS12 keystore. The default execution works well. However, if we run:

        java -Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithMD5AndDES PKCS12Tester

        ---------------------------------------------

        Exception in thread "main" java.security.KeyStoreException: Key protection algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Salt must be 8 bytes long
        at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:709)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:589)
        at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
        at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
        at PKCS12Tester.main(PKCS12Tester.java:81)
        Caused by: java.security.UnrecoverableKeyException: Encrypt Private Key failed: Salt must be 8 bytes long
        at java.base/sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:951)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:631)
        ... 4 more
        Caused by: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long
        at java.base/com.sun.crypto.provider.PBES1Core.init(PBES1Core.java:241)
        at java.base/com.sun.crypto.provider.PBES1Core.init(PBES1Core.java:347)
        at java.base/com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(PBEWithMD5AndDESCipher.java:227)
        at java.base/javax.crypto.Cipher.implInit(Cipher.java:875)
        at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:929)
        at java.base/javax.crypto.Cipher.init(Cipher.java:1585)
        at java.base/javax.crypto.Cipher.init(Cipher.java:1516)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.encryptPrivateKey(PKCS12KeyStore.java:931)
        ... 5 more

        -----------------------------------------------

        In comparison, openssl seems to have no issues with the same algorithm:

        $ openssl version
        OpenSSL 1.0.2k-fips 26 Jan 2017

        $ openssl pkcs12 -export -in rsa.cert.pem -inkey rsa.pkey.pem -name a -passout pass:hello -keypbe PBE-MD5-DES >/dev/null && echo $?
        0

        I went through the PKCS12KeyStore implementation and have included, at the end of the same attached program, what I think is taking place in the implementation leading up to the exception.

        Attachments

          1. PKCS12Tester.java
            6 kB
          2. rsa.cert.pem
            4 kB
          3. rsa.pkey.pem
            2 kB

              People

                weijun Weijun Wang
                tvoniadka Thejasvi Voniadka (Inactive)
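
The innermost frames of the trace in this report (Cipher.init into PBES1Core.init) can be exercised without a keystore. The following is an added example, not the attached PKCS12Tester.java and not JDK code: it initialises the PBE ciphers directly with salts of two lengths and reports what Cipher.init does. The class name, the 20-byte contrast length, the iteration count and the choice of PBEWithSHA1AndDESede as a comparison algorithm are assumptions made for the example.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeSaltLengthCheck {

    // Initialise a PBE cipher with a random salt of saltLen bytes.
    // Returns "ok", or the exception type and message on failure.
    static String tryInit(String algorithm, int saltLen) {
        try {
            byte[] salt = new byte[saltLen];
            new SecureRandom().nextBytes(salt);
            // Constructed sample password (same value as the openssl command).
            SecretKey key = SecretKeyFactory.getInstance(algorithm)
                    .generateSecret(new PBEKeySpec("hello".toCharArray()));
            Cipher cipher = Cipher.getInstance(algorithm);
            // Iteration count is a constructed value for this example.
            cipher.init(Cipher.ENCRYPT_MODE, key,
                    new PBEParameterSpec(salt, 10000));
            return "ok";
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // PBES1 (PKCS #5) defines an eight-octet salt; the PKCS #12 PBE
        // scheme used here for comparison has no fixed salt length.
        String[] algorithms = {"PBEWithMD5AndDES", "PBEWithSHA1AndDESede"};
        int[] saltLengths = {8, 20}; // 20 is an assumed contrast value
        for (String alg : algorithms) {
            for (int len : saltLengths) {
                System.out.printf("%-22s salt=%2d bytes -> %s%n",
                        alg, len, tryInit(alg, len));
            }
        }
    }
}
```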