Bug 961069

Summary: openjdk cannot use PKCS#12 produced by ibmjdk using keytool
Product: Red Hat Enterprise Linux 8
Component: java-1.8.0-openjdk
Version: 8.4
Target Release: 8.5
Target Milestone: rc
Status: CLOSED WONTFIX
Keywords: Reopened, Triaged
Reporter: Alon Bar-Lev <alonbl>
Assignee: Andrew John Hughes <ahughes>
QA Contact: OpenJDK QA <java-qa>
CC: akashche, dbhole, jvanek, lmiksik, vhaisman
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-05-31 07:30:44 UTC
Bug Blocks: 980926, 1503147

Attachments (flags: none):
test.java
.keystore
ibm.p12
openjdk.p12

Description Alon Bar-Lev 2013-05-08 17:47:28 UTC
IBM JDK produces a PKCS#12 which is unreadable by OpenJDK; it is valid PKCS#12 as far as I can see, and openssl can manage it.

I think the problem is that the CA certificate that is exported has the same friendly name as the end certificate and key.

[root@rhev alonbl]# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -version
java version "1.7.0_19"
OpenJDK Runtime Environment (rhel-2.3.9.1.el6_4-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

[root@rhev alonbl]# /usr/lib/jvm/java-1.7.0-ibm-1.7.0.1.0.x86_64/jre/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr1-20120330_01(SR1))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 20120322_106209 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR1_20120322_1720_B106209
JIT  - r11_20120322_22976
GC   - R26_Java726_SR1_20120322_1720_B106209
J9CL - 20120322_106209)
JCL - 20120322_01 based on Oracle 7u3-b05

# javac test.java

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -importkeystore -noprompt -srckeystore .keystore -srcstoretype JKS -srcstorepass mypass -srcalias engine -srckeypass mypass -destkeystore openjdk.p12 -deststoretype PKCS12 -deststorepass mypass -destalias 1 -destkeypass mypass

# /usr/lib/jvm/java-1.7.0-ibm-1.7.0.1.0.x86_64/jre/bin/keytool -importkeystore -noprompt -srckeystore .keystore -srcstoretype JKS -srcstorepass mypass -srcalias engine -srckeypass mypass -destkeystore ibm.p12 -deststoretype PKCS12 -deststorepass mypass -destalias 1 -destkeypass mypass

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java test ibm.p12 mypass
A001 null
A002 null

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java test openjdk.p12 mypass
A001 [
[
  Version: V3
  Subject: CN=rhevm.huff.local, O=huff.local, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
<snip>

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -list -keystore openjdk.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 1 entry

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -list -keystore ibm.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 0 entries

Comment 1 Alon Bar-Lev 2013-05-08 17:49:06 UTC
Created attachment 745326 [details]
test.java

Comment 2 Alon Bar-Lev 2013-05-08 17:50:11 UTC
Created attachment 745327 [details]
.keystore

Comment 3 Alon Bar-Lev 2013-05-08 17:51:03 UTC
Created attachment 745328 [details]
ibm.p12

Comment 4 Alon Bar-Lev 2013-05-08 17:52:31 UTC
Created attachment 745329 [details]
openjdk.p12

Comment 5 Deepak Bhole 2013-05-08 17:52:53 UTC
Does it work with Oracle JDK?

Comment 6 Alon Bar-Lev 2013-05-08 17:59:45 UTC
(In reply to comment #5)
> Does it work with Oracle JDK?

No.

# /usr/lib/jvm/jre-1.7.0-oracle.x86_64/bin/java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

# /usr/lib/jvm/jre-1.7.0-oracle.x86_64/bin/keytool -list -keystore ibm.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 0 entries

openssl; notice the friendlyName:

# openssl pkcs12 -in ibm.p12 -passin pass:mypass -nodes
MAC verified OK
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 37 38 39 
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

# openssl pkcs12 -in openjdk.p12 -passin pass:mypass -nodes
MAC verified OK
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 33 36 38 30 33 31 37 35 39 35 32 37 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 33 36 38 30 33 31 37 35 39 35 32 37 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=CA-rhevm.huff.local.15628,O=huff.local,C=US
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
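
A diagnostic for the friendlyName collision visible in the two openssl dumps above, added here as an example; it is not part of the bug report or of the test.java attachment. It parses the text that `openssl pkcs12 -nodes` prints (the constructed sample is the ibm.p12 attribute output from this comment with the PEM bodies removed) and flags any friendlyName that is bound to more than one localKeyID; `check_p12` is a hypothetical helper that assumes an `openssl` binary on PATH.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample: the bag attributes openssl printed for ibm.p12 in this bug
# report, PEM bodies removed (only the attributes matter for the check).
IBM_P12_DUMP = """\
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
Key Attributes: <No Attributes>
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 37 38 39 
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
"""

def parse_bags(dump):
    """Turn `openssl pkcs12 -nodes` text into one dict per 'Bag Attributes' block."""
    bags = []
    for block in re.split(r"^Bag Attributes\n", dump, flags=re.M)[1:]:
        bag = {"type": "key" if "Key Attributes" in block else "cert"}
        for attr in ("friendlyName", "localKeyID", "subject", "issuer"):
            m = re.search(r"^\s*%s[:=]\s*(.*?)\s*$" % attr, block, flags=re.M)
            if m:
                bag[attr] = m.group(1)
        bags.append(bag)
    return bags

def ambiguous_friendly_names(bags):
    """friendlyName -> localKeyIDs for every name bound to more than one ID.
    Java uses friendlyName as the alias and localKeyID to pair a cert with its key,
    so one alias spanning two IDs also claims a cert (here the CA) that is not the key's."""
    ids = defaultdict(set)
    for bag in bags:
        if "friendlyName" in bag:
            ids[bag["friendlyName"]].add(bag.get("localKeyID", "<none>"))
    return {name: sorted(s) for name, s in ids.items() if len(s) > 1}

def check_p12(path, password):
    """Hypothetical helper: run the same check on a real file (needs openssl on PATH)."""
    cmd = ["openssl", "pkcs12", "-in", path, "-nodes", "-passin", "pass:" + password]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return ambiguous_friendly_names(parse_bags(out))
```

An empty result means every alias maps to exactly one key/certificate pair, as in the openjdk.p12 dump where the CA certificate carries its own DN as friendlyName and no localKeyID.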

Comment 7 Deepak Bhole 2013-05-08 18:03:48 UTC
Andrew, can you please take a look?

Comment 9 RHEL Program Management 2013-10-14 03:37:51 UTC
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Comment 11 Andrew John Hughes 2016-08-26 16:31:14 UTC
Replicated locally and still not fixed with OpenJDK 8:

$ /usr/lib/jvm/icedtea-7/bin/keytool -list -keystore openjdk.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, 08-May-2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 21:4A:00:85:58:E4:E6:15:CC:78:50:25:1B:F4:69:43:50:56:62:4D

$ /usr/lib/jvm/icedtea-7/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

$ /usr/lib/jvm/icedtea-8/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

Comment 16 Jan Kurik 2017-12-06 10:37:49 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/

Comment 17 Andrew John Hughes 2017-12-21 02:07:08 UTC
Moving this to RHEL 7 so we don't lose the bug due to RHEL 6 ramping down.

Comment 21 Andrew John Hughes 2020-12-10 17:34:40 UTC
Issue still exists on latest OpenJDK:

$ ~/build/openjdk16/bin/keytool -list -keystore openjdk.p12 -storetype PKCS12 -storepass mypass
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, May 8, 2013, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 09:0E:13:74:84:09:86:03:84:6F:F5:8A:91:F5:5F:78:DB:EC:70:00:47:F7:18:8A:03:96:42:7D:76:DB:0B:95

Warning:
<1> #1 of 2 uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
<1> #2 of 2 uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.

$ ~/build/openjdk16/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries

$ openssl pkcs12 -in openjdk.p12 -info -noout
Enter Import Password:
MAC: sha1, Iteration 1024
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Certificate bag
$ openssl pkcs12 -in ibm.p12 -info -noout
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 20
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1
Key bag
Certificate bag
Certificate bag

Comment 33 RHEL Program Management 2021-05-31 07:30:44 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.