Hi All
Please review this code change:
http://cr.openjdk.java.net/~weijun/6958026/webrev.00/
Two parts included:
1. Major one: match private key and cert using both keyId and friendlyName.
2. Minor one: add keyId and friendlyName to private keys created by
setKeyEntry(alias, byte[], cert[]). In fact, this method is used by the test to
generate a pkcs12 keystore as fast as possible so that keys' creation times
overlap (hence having same keyId). On my Linux, using the other
setKeyEntry(alias, key, pass, cert[]) method is slow.
I didn't change the current keyId format to force it to be identical, since the
"TIME xxx" format is used to derive creation time.
Thanks
Max
Begin forwarded message:
> *Change Request ID*: 6958026
> *Synopsis*: Problem with PKCS12 keystore
>
> === *Description* ============================================================
> FULL PRODUCT VERSION :
> java version "1.6.0_18"
> Java (TM) SE Runtime Enviroment (build 1.6.0_18-b07)
>
> ADDITIONAL OS VERSION INFORMATION :
> Microsoft Windows [Verze 6.1.7600]
>
> A DESCRIPTION OF THE PROBLEM :
> I have this code :
> .....
> // getInstance() instead of null: calling load() on a null reference throws NullPointerException
> KeyStore kspkcs12 = KeyStore.getInstance("PKCS12");
> try (FileInputStream in = new FileInputStream(keystorePath)) {
>     kspkcs12.load(in, password.toCharArray());
> }
> KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry)
> kspkcs12.getEntry(alias, new KeyStore.PasswordProtection(password
> .toCharArray()));
> X509Certificate cert = (X509Certificate) kspkcs12.getCertificate(alias);
> ......
>
> I have a pfx file with two aliases, alias1 and alias2. Alias1 has a certificate
> chain with 2 SHA1 certificates. Alias2 has one SHA2 certificate.
> But when I load that pfx file with the code above, in the KeyStore there are 2
> records (one for each alias) but both records have the same certificate
> loaded. For all aliases, the last certificate added to the pfx file is loaded.
> Is it a bug or a feature?
>
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> Create a pfx file. Insert the first certificate with an alias. Insert the second
> certificate with another alias.
> Try loading it using the KeyStore class.
> Check whether the first entry has the right certificate.
>
>
> REPRODUCIBILITY :
> This bug can be reproduced always.
>
> SUPPORT :
> YES
>
> *** (#1 of 1): 2010-06-02 23:45:21 GMT+00:00 [email protected]
>
> === *Evaluation* =============================================================
> Customer provided a pkcs12 file and it contains:
>
> Private Key #1:
> localKeyId: 01 00 00 00
> friendlyName: p1
> Private Key #2:
> localKeyId: 01 00 00 00
> friendlyName: p2
> Cert #1:
> localKeyId: 01 00 00 00
> friendlyName: p1
> Cert #2:
> localKeyId: 01 00 00 00
> friendlyName: p2
> Cert #3:
> # No recognized attribute
>
> Currently, JDK uses localKeyId to match private key with its corresponding
> certificate (and only fallback to friendlyName when localKeyId is missing).
> Since all localKeyIds have the same value here, it gets confused and always
> returns the same one for both private keys.
>
> I'll enhance the PKCS12KeyStore class to match using both localKeyId and
> friendlyName. However, I do believe the original file is not quite legal.
> Normally we always regard an attribute called "*Id" to be identical in some
> scope (here, the file). It seems customer uses a tool that simply glues 2
> blocks of info into one without reassigning the id values.
>
> The discussion below is interesting:
> http://www.mail-archive.com/[email protected]/msg27030.html
>
> *** (#1 of 1): 2010-06-02 23:54:14 GMT+00:00 [email protected]
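The pairing problem in the evaluation, as an added stand-alone example (it is not code from the webrev or from PKCS12KeyStore): the bags are modelled with just the two attributes that matter, the constructed input reproduces the customer's layout where every localKeyId is 01 00 00 00, and two pairing rules are compared. `matchByKeyIdThenName` models the pre-fix behaviour the evaluation describes (localKeyId first, friendlyName only as a fallback); `matchByKeyIdAndName` models the proposed rule that every attribute the key carries must agree with the certificate. The class and method names, and the duplicate-id sanity check, are assumptions for illustration, not JDK API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

public class Pkcs12BagMatch {

    /** One PKCS12 SafeBag reduced to the two attributes used for pairing (hypothetical model, not the JDK's). */
    static final class Bag {
        final String label;         // name used in the output only
        final byte[] localKeyId;    // PKCS9 localKeyId, or null if absent
        final String friendlyName;  // PKCS9 friendlyName, or null if absent

        Bag(String label, byte[] localKeyId, String friendlyName) {
            this.label = label;
            this.localKeyId = localKeyId;
            this.friendlyName = friendlyName;
        }
    }

    /** Pre-fix rule as the evaluation describes it: localKeyId decides, friendlyName only when the id is missing. */
    static Bag matchByKeyIdThenName(Bag key, List<Bag> certs) {
        if (key.localKeyId != null) {
            for (Bag c : certs) {
                if (Arrays.equals(key.localKeyId, c.localKeyId)) {
                    return c;   // first cert with the same id wins; with duplicate ids every key lands on one cert
                }
            }
            return null;
        }
        if (key.friendlyName != null) {
            for (Bag c : certs) {
                if (key.friendlyName.equals(c.friendlyName)) {
                    return c;
                }
            }
        }
        return null;
    }

    /** Model of the proposed rule: every attribute present on the key must agree with the cert. */
    static Bag matchByKeyIdAndName(Bag key, List<Bag> certs) {
        if (key.localKeyId == null && key.friendlyName == null) {
            return null;    // nothing to match on
        }
        for (Bag c : certs) {
            boolean idOk = key.localKeyId == null || Arrays.equals(key.localKeyId, c.localKeyId);
            boolean nameOk = key.friendlyName == null || Objects.equals(key.friendlyName, c.friendlyName);
            if (idOk && nameOk) {
                return c;
            }
        }
        return null;
    }

    /** Sanity check for the malformed-file case: localKeyId values shared by more than one private key. */
    static List<String> duplicateKeyIds(List<Bag> keys) {
        Map<String, Integer> seen = new HashMap<>();
        for (Bag k : keys) {
            if (k.localKeyId != null) {
                seen.merge(Arrays.toString(k.localKeyId), 1, Integer::sum);
            }
        }
        List<String> dups = new ArrayList<>();
        for (Map.Entry<String, Integer> e : seen.entrySet()) {
            if (e.getValue() > 1) {
                dups.add(e.getKey());
            }
        }
        return dups;
    }

    public static void main(String[] args) {
        // Constructed input: the bag layout from the evaluation, every localKeyId = 01 00 00 00.
        byte[] sharedId = {0x01, 0x00, 0x00, 0x00};
        List<Bag> keys = Arrays.asList(
                new Bag("Private Key #1", sharedId, "p1"),
                new Bag("Private Key #2", sharedId, "p2"));
        List<Bag> certs = Arrays.asList(
                new Bag("Cert #1", sharedId, "p1"),
                new Bag("Cert #2", sharedId, "p2"),
                new Bag("Cert #3", null, null));   // no recognized attribute

        List<String> dups = duplicateKeyIds(keys);
        if (!dups.isEmpty()) {
            System.out.println("warning: localKeyId reused across private keys: " + dups);
        }
        for (Bag k : keys) {
            Bag oldPick = matchByKeyIdThenName(k, certs);
            Bag newPick = matchByKeyIdAndName(k, certs);
            System.out.printf("%s -> keyId-only: %s, keyId+friendlyName: %s%n",
                    k.label,
                    oldPick == null ? "none" : oldPick.label,
                    newPick == null ? "none" : newPick.label);
        }
    }
}
```

Run with `java Pkcs12BagMatch.java` (JDK 11 or later). The id-only rule maps both private keys to Cert #1, which is the symptom the reporter saw; the combined rule separates them, and Cert #3 stays unpaired under both rules because it carries no attribute to match on. The duplicate-id warning is the check a practitioner would want when ingesting a PKCS12 file produced by a tool that concatenates bags without reassigning localKeyId.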