Bug 1993142
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | java-11-openjdk / rhel-9: OpenJDK cannot read keystore generated by OpenSSL | | |
| Product: | Red Hat Enterprise Linux 9 | Reporter: | zzambers |
| Component: | java-11-openjdk | Assignee: | Andrew John Hughes <ahughes> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | OpenJDK QA <java-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | jandrlik, jvanek |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | java-11-openjdk-11.0.12.0.6-0.0.ea.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1993150 (view as bug list) | Environment: | |
| Last Closed: | 2021-12-07 22:04:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | keystore-rsa.p12 | | |
Created attachment 1813464 [details]
keystore-rsa.p12

Keystore generated by openssl on rhel-9, which can be used for testing.
Password: changeit

I verified that it was JDK-8076190 that fixed this issue for JDK11.
OpenJDK fails to read a keystore generated by OpenSSL.

JDK11 rpms:

```
/usr/lib/jvm/java-11-openjdk/bin/keytool -J-Dcom.redhat.fips=false -importkeystore \
    -srckeystore build/certgen/keystore-rsa.p12 -srcstoretype PKCS12 \
    -srcstorepass changeit \
    -destkeystore build/certgen/keystore.p12 -deststoretype PKCS12 \
    -deststorepass changeit \
    -noprompt -v
Importing keystore build/certgen/keystore-rsa.p12 to build/certgen/keystore.p12...
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2200)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1200)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:409)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:402)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 7 more
```

JDK8 rpms:

```
keytool -J-Dcom.redhat.fips=false -importkeystore \
    -srckeystore build/certgen/keystore-rsa.p12 -srcstoretype PKCS12 \
    -srcstorepass changeit \
    -destkeystore build/certgen/keystore.p12 -deststoretype PKCS12 \
    -deststorepass changeit \
    -noprompt -v
Importing keystore build/certgen/keystore-rsa.p12 to build/certgen/keystore.p12...
keytool error: java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:829)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2037)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2061)
        at sun.security.tools.keytool.Main.doCommands(Main.java:1080)
        at sun.security.tools.keytool.Main.run(Main.java:377)
        at sun.security.tools.keytool.Main.main(Main.java:370)
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:285)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:320)
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:825)
        ... 6 more
```

Steps to Reproduce:

Can be reproduced by ssl-tests [1]:

```
export JAVA_HOME=...
make ssl-tests
```

or just by reading a pkcs12 keystore generated by openssl on rhel-9 with keytool.

openjdk:

```
java-11-openjdk-headless-11.0.11.0.9-1.el9
java-1.8.0-openjdk-headless-1.8.0.302.b08-0.el9
```

openssl:

```
compat-openssl11-1.1.1k-1.el9.x86_64
openssl-3.0.0-0.beta2.2.el9.x86_64
openssl-devel-3.0.0-0.beta2.2.el9.x86_64
openssl-libs-3.0.0-0.beta2.2.el9.x86_64
openssl-pkcs11-0.4.11-6.el9.x86_64
```

I also tested builds built locally from current upstream repos:

jdk (2021-08-11): OK
jdk11u-dev (2021-08-11): OK
jdk8u (2021-08-11):

```
/mnt/workspace/jdk8u-2021-08-11-el8/bin/keytool -J-Dcom.redhat.fips=false -importkeystore \
    -srckeystore build/certgen/keystore-rsa.p12 -srcstoretype PKCS12 \
    -srcstorepass changeit \
    -destkeystore build/certgen/keystore.p12 -deststoretype PKCS12 \
    -deststorepass changeit \
    -noprompt -v
Importing keystore build/certgen/keystore-rsa.p12 to build/certgen/keystore.p12...
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2057)
        at sun.security.tools.keytool.Main.doCommands(Main.java:1076)
        at sun.security.tools.keytool.Main.run(Main.java:375)
        at sun.security.tools.keytool.Main.main(Main.java:368)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 6 more
```

So the current JDK has a fix for this; it also looks like the fix was backported to JDK11, but JDK8 is currently still affected. I think this issue was probably fixed by JDK-8076190 [2], which was backported to JDK11, but the JDK8 backport is still in progress.

[1] https://github.com/zzambers/ssl-tests
[2] https://bugs.openjdk.java.net/browse/JDK-8076190
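Added example (not part of the bug report, and not code from OpenJDK or OpenSSL): a standard-library Python inspector that walks the DER of a .p12 file and reports the MAC digest and the password-based-encryption AlgorithmIdentifier of every EncryptedData part and every pkcs8ShroudedKeyBag. The JDK 8 trace above dies inside PBES2Parameters.engineInit, i.e. while parsing PBES2 parameters, and the bug is closed by a build carrying JDK-8076190 (java-11-openjdk-11.0.12 per Fixed In Version), so the practical question is which scheme a given keystore uses. OpenSSL 3 defaults to PBES2 with PBKDF2/HMAC-SHA-256 and AES-256-CBC plus a SHA-256 MAC, while OpenSSL 1.1 and `openssl pkcs12 -export -legacy` (OpenSSL 3) or explicit `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` produce the older pkcs-12 PBE schemes with a SHA-1 MAC; the latter is the compatibility workaround for a JDK without the fix, at the cost of 3DES/RC2-40 and SHA-1 protecting the key material, so updating the JDK is the better fix. The `sample_pfx` builder constructs PFX skeletons with dummy bytes in place of real encrypted content purely for self-test; the OIDs are the standard PKCS#12/PKCS#5 ones, and the file-name argument handling is my own.

```python
"""Report which password-based algorithms a PKCS#12 (.p12) file uses.

Stdlib-only DER walker. Usage: python3 p12alg.py keystore.p12
Classifies each PBE AlgorithmIdentifier as a legacy PKCS#12 scheme or PBES2.
"""
import sys

SEQ, INT, OCT, CTX0 = 0x30, 0x02, 0x04, 0xA0
ID_DATA, ID_ENCRYPTED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
ID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
ID_PBES2, ID_PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
LEGACY_PBE = {"1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
              "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC"}
DIGESTS = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _alg_id(value):
    """AlgorithmIdentifier SEQUENCE content -> (oid, parameters value or None)."""
    kids = list(_children(value))
    return _decode_oid(kids[0][1]), (kids[1][1] if len(kids) > 1 else None)


def describe_pbe(alg_value):
    """Classify a password-based-encryption AlgorithmIdentifier (SEQUENCE content)."""
    oid, params = _alg_id(alg_value)
    if oid in LEGACY_PBE:
        return {"scheme": LEGACY_PBE[oid], "legacy": True}
    if oid == ID_PBES2:                     # PBES2-params: {keyDerivationFunc, encryptionScheme}
        kdf, enc = [v for _, v in _children(params)]
        kdf_oid, kdf_params = _alg_id(kdf)
        prf = "hmacWithSHA1 (default)"
        if kdf_oid == ID_PBKDF2:            # PBKDF2-params: salt, iterationCount, [keyLength], [prf]
            for tag, v in _children(kdf_params):
                if tag == SEQ:              # explicit prf AlgorithmIdentifier is present
                    prf = _alg_id(v)[0]
        return {"scheme": "PBES2", "kdf": kdf_oid, "prf": prf,
                "cipher": _alg_id(enc)[0], "legacy": False}
    return {"scheme": oid, "legacy": False}


def inspect_pkcs12(der):
    """Walk a PFX and return {'mac': digest name, 'contents': [PBE descriptions]}."""
    _, pfx, _ = _read_tlv(der, 0)
    _version, auth_safe, *mac_data = list(_children(pfx))
    report = {"mac": None, "contents": []}
    if mac_data:                            # MacData{DigestInfo{alg, digest}, salt, iterations}
        digest_info = next(_children(mac_data[0][1]))[1]
        mac_oid = _alg_id(next(_children(digest_info))[1])[0]
        report["mac"] = DIGESTS.get(mac_oid, mac_oid)
    # authSafe = ContentInfo{id-data, [0] OCTET STRING holding AuthenticatedSafe SEQUENCE}
    ctx = list(_children(auth_safe[1]))[1][1]
    auth_safe_seq = next(_children(next(_children(ctx))[1]))[1]
    for _, inner in _children(auth_safe_seq):
        kids = list(_children(inner))
        ctype, content = _decode_oid(kids[0][1]), next(_children(kids[1][1]))[1]
        if ctype == ID_ENCRYPTED_DATA:      # EncryptedData{version, {id-data, alg, [0] bytes}}
            eci = list(_children(content))[1][1]
            report["contents"].append(describe_pbe(list(_children(eci))[1][1]))
        elif ctype == ID_DATA:              # OCTET STRING of SafeContents ::= SEQUENCE OF SafeBag
            for _, bag in _children(next(_children(content))[1]):
                b = list(_children(bag))
                if _decode_oid(b[0][1]) == ID_SHROUDED_KEY_BAG:
                    epki = next(_children(b[1][1]))[1]   # EncryptedPrivateKeyInfo{alg, data}
                    report["contents"].append(describe_pbe(next(_children(epki))[1]))
    return report


def legacy_compatible(der):
    """True when every PBE scheme is a legacy PKCS#12 one and the MAC is SHA-1."""
    r = inspect_pkcs12(der)
    return r["mac"] == "SHA-1" and all(c["legacy"] for c in r["contents"])


# --- CONSTRUCTED self-test data: dummy zero bytes stand in for encrypted content ---
def _der(tag, payload):
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + payload


def _oid(text):
    arcs = [int(a) for a in text.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk, arc = [0x80 | (arc & 0x7F)] + chunk, arc >> 7
        body += chunk
    return _der(0x06, bytes(body))


PBE_PARAMS = _der(OCT, b"\x00" * 8) + _der(INT, b"\x08\x00")   # salt, 2048 iterations
LEGACY_ALG = _der(SEQ, _oid("1.2.840.113549.1.12.1.3") + _der(SEQ, PBE_PARAMS))
OPENSSL3_ALG = _der(SEQ, _oid(ID_PBES2) + _der(SEQ,
    _der(SEQ, _oid(ID_PBKDF2) + _der(SEQ, PBE_PARAMS
        + _der(SEQ, _oid("1.2.840.113549.2.9") + b"\x05\x00")))         # prf = hmacWithSHA256
    + _der(SEQ, _oid("2.16.840.1.101.3.4.1.42") + _der(OCT, b"\x00" * 16))))  # aes256-CBC + IV


def sample_pfx(pbe_alg, mac_oid):
    """Constructed PFX skeleton: one EncryptedData part, one shrouded key bag, MacData."""
    enc = _der(SEQ, _oid(ID_ENCRYPTED_DATA) + _der(CTX0, _der(SEQ, _der(INT, b"\x00")
          + _der(SEQ, _oid(ID_DATA) + pbe_alg + _der(0x80, b"\x00" * 16)))))
    bag = _der(SEQ, _oid(ID_SHROUDED_KEY_BAG) + _der(CTX0, _der(SEQ, pbe_alg + _der(OCT, b"\x00" * 16))))
    data = _der(SEQ, _oid(ID_DATA) + _der(CTX0, _der(OCT, _der(SEQ, bag))))
    auth = _der(SEQ, _oid(ID_DATA) + _der(CTX0, _der(OCT, _der(SEQ, enc + data))))
    mac = _der(SEQ, _der(SEQ, _der(SEQ, _oid(mac_oid) + b"\x05\x00") + _der(OCT, b"\x00" * 32))
          + _der(OCT, b"\x00" * 8) + _der(INT, b"\x08\x00"))
    return _der(SEQ, _der(INT, b"\x03") + auth + mac)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pfx(OPENSSL3_ALG, "2.16.840.1.101.3.4.2.1")
    print(inspect_pkcs12(blob), "legacy-compatible:", legacy_compatible(blob))
```

Run it against the attached keystore-rsa.p12 to see which schemes OpenSSL on rhel-9 actually wrote; a report showing PBES2 with AES-256-CBC and a SHA-256 MAC means the file needs an OpenJDK build with the JDK-8076190 fix, and a `legacy-compatible: True` report means any of the builds listed above should read it. The walker only decodes structure, never keys, so it is safe to run on any untrusted .p12 you are triaging.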