Bug 961069 - openjdk cannot use PKCS#12 produced by ibmjdk using keytool
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: java-1.7.0-openjdk
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: pre-dev-freeze
Target Release: 7.6
Assigned To: Andrew John Hughes
QA Contact: zzambers
Keywords: Reopened
Blocks: 1503147 980926
Reported: 2013-05-08 13:47 EDT by Alon Bar-Lev
Modified: 2018-05-25 08:51 EDT
Last Closed: 2017-12-06 05:37:49 EST
Type: Bug

Attachments
test.java (455 bytes, text/plain), 2013-05-08 13:49 EDT, Alon Bar-Lev
.keystore (4.39 KB, application/octet-stream), 2013-05-08 13:50 EDT, Alon Bar-Lev
ibm.p12 (3.65 KB, application/x-pkcs12), 2013-05-08 13:51 EDT, Alon Bar-Lev
openjdk.p12 (3.81 KB, application/x-pkcs12), 2013-05-08 13:52 EDT, Alon Bar-Lev

Description Alon Bar-Lev 2013-05-08 13:47:28 EDT
The IBM JDK produces a PKCS#12 file that is unreadable by OpenJDK. It is valid PKCS#12 as far as I can see; openssl can manage it.

I think the problem is that the CA certificate that is exported has the same friendly name as the end certificate and key.

[root@rhev alonbl]# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java -version
java version "1.7.0_19"
OpenJDK Runtime Environment (rhel-2.3.9.1.el6_4-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

[root@rhev alonbl]# /usr/lib/jvm/java-1.7.0-ibm-1.7.0.1.0.x86_64/jre/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr1-20120330_01(SR1))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 20120322_106209 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR1_20120322_1720_B106209
JIT  - r11_20120322_22976
GC   - R26_Java726_SR1_20120322_1720_B106209
J9CL - 20120322_106209)
JCL - 20120322_01 based on Oracle 7u3-b05

# javac test.java

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -importkeystore -noprompt -srckeystore .keystore -srcstoretype JKS -srcstorepass mypass -srcalias engine -srckeypass mypass -destkeystore openjdk.p12 -deststoretype PKCS12 -deststorepass mypass -destalias 1 -destkeypass mypass

# /usr/lib/jvm/java-1.7.0-ibm-1.7.0.1.0.x86_64/jre/bin/keytool -importkeystore -noprompt -srckeystore .keystore -srcstoretype JKS -srcstorepass mypass -srcalias engine -srckeypass mypass -destkeystore ibm.p12 -deststoretype PKCS12 -deststorepass mypass -destalias 1 -destkeypass mypass

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java test ibm.p12 mypass
A001 null
A002 null

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java test openjdk.p12 mypass
A001 [
[
  Version: V3
  Subject: CN=rhevm.huff.local, O=huff.local, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
<snip>

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -list -keystore openjdk.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 1 entry

# /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/keytool -list -keystore ibm.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 0 entries
Comment 1 Alon Bar-Lev 2013-05-08 13:49:06 EDT
Created attachment 745326 [details]
test.java
Comment 2 Alon Bar-Lev 2013-05-08 13:50:11 EDT
Created attachment 745327 [details]
.keystore
Comment 3 Alon Bar-Lev 2013-05-08 13:51:03 EDT
Created attachment 745328 [details]
ibm.p12
Comment 4 Alon Bar-Lev 2013-05-08 13:52:31 EDT
Created attachment 745329 [details]
openjdk.p12
Comment 5 Deepak Bhole 2013-05-08 13:52:53 EDT
Does it work with Oracle JDK?
Comment 6 Alon Bar-Lev 2013-05-08 13:59:45 EDT
(In reply to comment #5)
> Does it work with Oracle JDK?

No.

# /usr/lib/jvm/jre-1.7.0-oracle.x86_64/bin/java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

# /usr/lib/jvm/jre-1.7.0-oracle.x86_64/bin/keytool -list -keystore ibm.p12  -storetype PKCS12 -storepass mypass
<snip>
Your keystore contains 0 entries

OpenSSL output; notice the friendlyName.

# openssl pkcs12 -in ibm.p12 -passin pass:mypass -nodes
MAC verified OK
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 35 31 31 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: 1
    localKeyID: 31 33 36 38 30 33 31 37 38 39 37 38 39 
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

# openssl pkcs12 -in openjdk.p12 -passin pass:mypass -nodes
MAC verified OK
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 33 36 38 30 33 31 37 35 39 35 32 37 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 33 36 38 30 33 31 37 35 39 35 32 37 
subject=/C=US/O=huff.local/CN=rhevm.huff.local
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=CA-rhevm.huff.local.15628,O=huff.local,C=US
subject=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
issuer=/C=US/O=huff.local/CN=CA-rhevm.huff.local.15628
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
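The two openssl dumps above differ in exactly one attribute: in ibm.p12 the CA certificate bag carries friendlyName "1", the same alias as the key and end-entity certificate, while openjdk.p12 gives the CA certificate its own friendlyName. The script below is an added example, not code from the bug report or from the attached test.java, that reproduces that layout with OpenSSL alone, flags friendlyNames shared by more than one certificate bag, and rebuilds the keystore with a distinct CA alias. It assumes openssl (1.1.1 or 3.x) on PATH; the subject names, the temporary file names and the reuse of the password "mypass" are my own choices for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the friendlyName collision
# seen in the ibm.p12 dump, detect it, and rebuild the file with a distinct CA
# alias. Subject names and file names are made up for the demonstration.
set -eu
umask 077                      # temp dir will hold a cleartext private key
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=mypass                    # password reused from the report, not a real secret

# Build a toy CA and one end-entity certificate signed by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=example.test/CN=CA-example.test" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=example.test/CN=engine.example.test" \
        -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/ee.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/ee.crt" 2>/dev/null
}

# Export key + chain, giving the CA certificate the same friendlyName ("1") as
# the key and end-entity certificate: the layout the ibm.p12 dump shows.
make_colliding_p12() {
    openssl pkcs12 -export -name 1 -caname 1 \
        -inkey "$WORK/ee.key" -in "$WORK/ee.crt" -certfile "$WORK/ca.crt" \
        -passout "pass:$PASS" -out "$WORK/dup.p12"
}

# Print every friendlyName attached to more than one certificate bag.
# Only certificate bags are inspected (-nokeys): a key bag legitimately shares
# the friendlyName of its own certificate, as openjdk.p12 shows, so a key/cert
# pair is not a collision.
dup_friendly_names() {   # $1 = pkcs12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' \
        | sort | uniq -d
}

# Rebuild the keystore so the CA certificate gets its own alias ("ca").
# The intermediate PEM bundle holds the cleartext private key, so it is written
# under umask 077 and removed as soon as the new PKCS#12 exists.
fix_p12() {   # $1 = input pkcs12, $2 = password, $3 = output pkcs12
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes \
        -out "$WORK/bundle.pem" 2>/dev/null
    # Without -inkey, openssl takes the key from -in and treats every
    # certificate that does not match it as a CA certificate.
    openssl pkcs12 -export -in "$WORK/bundle.pem" -name 1 -caname ca \
        -passout "pass:$2" -out "$3"
    rm -f "$WORK/bundle.pem"
}

make_certs
make_colliding_p12
echo "colliding friendlyNames in dup.p12:   $(dup_friendly_names "$WORK/dup.p12" "$PASS")"
fix_p12 "$WORK/dup.p12" "$PASS" "$WORK/fixed.p12"
echo "colliding friendlyNames in fixed.p12: $(dup_friendly_names "$WORK/fixed.p12" "$PASS")"
```

Run against a real file with `dup_friendly_names ibm.p12 mypass`; it prints "1" for the layout in the dump above and nothing for the openjdk.p12 layout. The check only tells you whether a file has the structure the report blames; whether OpenJDK actually accepts the rebuilt file is still confirmed the way the reporter did, with `keytool -list -storetype PKCS12` on the output of `fix_p12`.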
Comment 7 Deepak Bhole 2013-05-08 14:03:48 EDT
Andrew, can you please take a look?
Comment 9 RHEL Product and Program Management 2013-10-13 23:37:51 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 11 Andrew John Hughes 2016-08-26 12:31:14 EDT
Replicated locally and still not fixed with OpenJDK 8:

$ /usr/lib/jvm/icedtea-7/bin/keytool -list -keystore openjdk.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, 08-May-2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 21:4A:00:85:58:E4:E6:15:CC:78:50:25:1B:F4:69:43:50:56:62:4D

$ /usr/lib/jvm/icedtea-7/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

$ /usr/lib/jvm/icedtea-8/bin/keytool -list -keystore ibm.p12 -storetype PKCS12 -storepass mypass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries
Comment 16 Jan Kurik 2017-12-06 05:37:49 EST
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/
Comment 17 Andrew John Hughes 2017-12-20 21:07:08 EST
Moving this to RHEL 7 so we don't lose the bug due to RHEL 6 ramping down.
