Bug 961069 - openjdk cannot use PKCS#12 produced by ibmjdk using keytool
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: java-1.8.0-openjdk
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.5
Assignee: Andrew John Hughes
QA Contact: OpenJDK QA
URL:
Whiteboard:
Depends On:
Blocks: 980926 1503147
Reported: 2013-05-08 17:47 UTC by Alon Bar-Lev
Modified: 2021-05-31 07:30 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-31 07:30:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
test.java (455 bytes, text/plain), 2013-05-08 17:49 UTC, Alon Bar-Lev
.keystore (4.39 KB, application/octet-stream), 2013-05-08 17:50 UTC, Alon Bar-Lev
ibm.p12 (3.65 KB, application/x-pkcs12), 2013-05-08 17:51 UTC, Alon Bar-Lev
openjdk.p12 (3.81 KB, application/x-pkcs12), 2013-05-08 17:52 UTC, Alon Bar-Lev

Description Alon Bar-Lev 2013-05-08 17:47:28 UTC
IBM JDK produces a PKCS#12 which is unreadable by OpenJDK; it is valid PKCS#12 as far as I can see, and openssl can manage it.

I think the problem is that the CA certificate that is exported has the same friendly name as the end certificate and key.

[root@rhev alonbl]# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -version
java version "1.7.0_19"
OpenJDK Runtime Environment (rhel-2.3.9.1.el6_4-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

[root@rhev alonbl]# /usr/lib/jvm/java-1.7.0-ibm-1.7.0.1.0.x86_64/jre/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr1-20120330_01(SR1))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 20120322_106209 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR1_20120322_1720_B106209
JIT  - r11_20120322_22976
GC   - R26_Java726_SR1_20120322_1720_B106209
J9CL - 20120322_106209)
JCL - 20120322_01 based on Oracle 7u3-b05

# javac test.java

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -importkeystore -noprompt -srckeystore .keystore -srcstoretype JKS -srcstorepass mypass -srcalias engine -srckeypass mypass -destkeystore openjdk.p12 -deststoretype PKCS12 -deststorepass mypass -destalias 1 -destkeypass mypass

# /usr/lib/jvm/java-1.7.0-ibm-1.7.0.1.0.x86_64/jre/bin/keytool -importkeystore -noprompt -srckeystore .keystore -srcstoretype JKS -srcstorepass mypass -srcalias engine -srckeypass mypass -destkeystore ibm.p12 -deststoretype PKCS12 -deststorepass mypass -destalias 1 -destkeypass mypass

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java test ibm.p12 mypass
A001 null
A002 null

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java test openjdk.p12 mypass
A001 [
[
  Version: V3
  Subject: CN=rhevm.huff.local, O=huff.local, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
<snip>

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -list -keystore openjdk.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 1 entry

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -list -keystore ibm.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 0 entries

Comment 1 Alon Bar-Lev 2013-05-08 17:49:06 UTC
Created attachment 745326 [details]
test.java

Comment 2 Alon Bar-Lev 2013-05-08 17:50:11 UTC
Created attachment 745327 [details]
.keystore

Comment 3 Alon Bar-Lev 2013-05-08 17:51:03 UTC
Created attachment 745328 [details]
ibm.p12

Comment 4 Alon Bar-Lev 2013-05-08 17:52:31 UTC
Created attachment 745329 [details]
openjdk.p12

Comment 5 Deepak Bhole 2013-05-08 17:52:53 UTC
Does it work with Oracle JDK?

Comment 6 Alon Bar-Lev 2013-05-08 17:59:45 UTC
(In reply to comment #5)
> Does it work with Oracle JDK?

No.

# /usr/lib/jvm/jre-1.7.0-oracle.x86_64/bin/java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

# /usr/lib/jvm/jre-1.7.0-oracle.x86_64/bin/keytool -list -keystore ibm.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 0 entries

openssl output; notice the friendlyName.

# openssl pkcs12 -in ibm.p12 -passin pass:mypass -nodes
MAC verified OK
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 37 38 39 
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

# openssl pkcs12 -in openjdk.p12 -passin pass:mypass -nodes
MAC verified OK
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 33 36 38 30 33 31 37 35 39 35 32 37 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 33 36 38 30 33 31 37 35 39 35 32 37 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=CA-rhevm.huff.local.15628,O=huff.local,C=US
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
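
An added diagnostic, not part of the bug report or of OpenJDK: it parses the text that `openssl pkcs12 -nodes` prints (the form quoted above) and flags certificate bags that reuse a key bag's friendlyName without carrying that key's localKeyID, which is the alias clash the reporter suspects. The sample input is constructed from the ibm.p12 dump above with PEM bodies and non-attribute lines removed; OpenJDK's own PKCS#12 loading logic is not reproduced here.

```python
# Constructed sample mirroring the ibm.p12 dump in comment 6 (PEM bodies,
# "MAC verified OK" and "Key Attributes" lines omitted).
IBM_P12_DUMP = """\
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 37 38 39
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
"""

def parse_bags(dump):
    """Split an 'openssl pkcs12 -nodes' dump into bags: {attrs, subject, issuer}.
    A bag with no subject= line is the private-key bag."""
    bags, cur = [], None
    for line in dump.splitlines():
        if line == "Bag Attributes":
            cur = {"attrs": {}, "subject": None, "issuer": None}
            bags.append(cur)
        elif cur is None:
            continue  # lines before the first bag, e.g. "MAC verified OK"
        elif line.startswith("    "):  # indented attribute: friendlyName, localKeyID
            name, _, value = line.strip().partition(": ")
            cur["attrs"][name] = value.strip()
        elif line.startswith(("subject=", "issuer=")):
            field, _, value = line.partition("=")
            cur[field] = value
    return bags

def alias_collisions(bags):
    """Return (friendlyName, subject, self_signed) for every certificate bag whose
    friendlyName is also a key bag's alias but whose localKeyID does not match that
    key: such certs compete with the PrivateKeyEntry for a single keystore alias."""
    key_ids = {b["attrs"].get("friendlyName"): b["attrs"].get("localKeyID")
               for b in bags if b["subject"] is None}
    clashes = []
    for b in bags:
        name = b["attrs"].get("friendlyName")
        if b["subject"] is None or name not in key_ids:
            continue
        if b["attrs"].get("localKeyID") != key_ids[name]:
            clashes.append((name, b["subject"], b["subject"] == b["issuer"]))
    return clashes
```

On a real file, feed the output of the same `openssl pkcs12 -in file.p12 -passin pass:... -nodes` command shown above straight into `parse_bags` rather than saving it, since `-nodes` prints the private key in clear; an empty result means every extra certificate has its own alias.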

Comment 7 Deepak Bhole 2013-05-08 18:03:48 UTC
Andrew, can you please take a look?

Comment 9 RHEL Program Management 2013-10-14 03:37:51 UTC
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Comment 11 Andrew John Hughes 2016-08-26 16:31:14 UTC
Replicated locally and still not fixed with OpenJDK 8:

$ /usr/lib/jvm/icedtea-7/bin/keytool -list -keystore openjdk.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, 08-May-2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 21:4A:00:85:58:E4:E6:15:CC:78:50:25:1B:F4:69:43:50:56:62:4D

$ /usr/lib/jvm/icedtea-7/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

$ /usr/lib/jvm/icedtea-8/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

Comment 16 Jan Kurik 2017-12-06 10:37:49 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/

Comment 17 Andrew John Hughes 2017-12-21 02:07:08 UTC
Moving this to RHEL 7 so we don't lose the bug due to RHEL 6 ramping down.

Comment 21 Andrew John Hughes 2020-12-10 17:34:40 UTC
Issue still exists on latest OpenJDK:

$ ~/build/openjdk16/bin/keytool -list -keystore openjdk.p12 -storetype PKCS12 -storepass mypass
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, May 8, 2013, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 09:0E:13:74:84:09:86:03:84:6F:F5:8A:91:F5:5F:78:DB:EC:70:00:47:F7:18:8A:03:96:42:7D:76:DB:0B:95

Warning:
<1> #1 of 2 uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
<1> #2 of 2 uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.

$ ~/build/openjdk16/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries

$ openssl pkcs12 -in openjdk.p12 -info -noout
Enter Import Password:
MAC: sha1, Iteration 1024
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Certificate bag
$ openssl pkcs12 -in ibm.p12 -info -noout
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 20
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1
Key bag
Certificate bag
Certificate bag

Comment 33 RHEL Program Management 2021-05-31 07:30:44 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

