JDK-6304267 : keytool -printcert option skips certain extensions.
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux_redhat_3.0
  • CPU: x86
  • Submitted: 2005-07-31
  • Updated: 2012-08-16
  • Resolved: 2005-10-08
Fix Version: JDK 6 (6 beta), Fixed
Description
Attached certificate is generated by MS CA on windows 2003 server.

This is an interoperability issue. Keytool shows there are only four extensions in the certificate, but both the MS certificate tool and dumpasn1 show there are six extensions.

--------------------
keytool output:
--------------------
-bash-2.05b$ keytool -printcert -v -file DSA1024.crt
Owner: EMAILADDRESS=###@###.###, CN=xml dsig cert2, OU=j2se, O=sun, L=santa clara, ST=ca, C=US
Issuer: CN=MS CA, DC=jdksec, DC=sfbay, DC=sun, DC=com
Serial number: 1abc9a81000100000046
Valid from: Tue Jun 28 14:59:46 PDT 2005 until: Wed Jun 28 15:09:46 PDT 2006
Certificate fingerprints:
         MD5:  43:71:40:C1:8D:B7:0D:83:B8:F2:98:77:90:58:24:41
         SHA1: 4E:80:1A:4F:D6:23:61:1D:D8:B8:6E:88:61:3B:66:3D:9A:DC:0D:38
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 C2 F3 FA 17 56 6A 26   06 3B 69 FD FC E1 34 60  .....Vj&.;i...4`
0010: F8 D1 39 72                                        ..9r
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FF B4 C9 92 9E EC 89 A7   45 C6 AA AE 26 97 20 D1  ........E...&. .
0010: 3D 10 DE FC                                        =...
]

]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  emailProtection
]

---------------------
dumpasn1 output:
---------------------

   0 1523: SEQUENCE {
   4 1243:   SEQUENCE {
   8    3:     [0] {
  10    1:       INTEGER 2
         :       }
  13   10:     INTEGER 1A BC 9A 81 00 01 00 00 00 46
  25   13:     SEQUENCE {
  27    9:       OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
  38    0:       NULL
         :       }
  40  105:     SEQUENCE {
  42   19:       SET {
  44   17:         SEQUENCE {
  46   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  58    3:           IA5String 'com'
         :           }
         :         }
  63   19:       SET {
  65   17:         SEQUENCE {
  67   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  79    3:           IA5String 'sun'
         :           }
         :         }
  84   21:       SET {
  86   19:         SEQUENCE {
  88   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 100    5:           IA5String 'sfbay'
         :           }
         :         }
 107   22:       SET {
 109   20:         SEQUENCE {
 111   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 123    6:           IA5String 'jdksec'
         :           }
         :         }
 131   14:       SET {
 133   12:         SEQUENCE {
 135    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 140    5:           PrintableString 'MS CA'
         :           }
         :         }
         :       }
 147   30:     SEQUENCE {
 149   13:       UTCTime 28/06/2005 21:59:46 GMT
 164   13:       UTCTime 28/06/2006 22:09:46 GMT
         :       }
 179  136:     SEQUENCE {
 182   11:       SET {
 184    9:         SEQUENCE {
 186    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 191    2:           PrintableString 'US'
         :           }
         :         }
 195   11:       SET {
 197    9:         SEQUENCE {
 199    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 204    2:           PrintableString 'ca'
         :           }
         :         }
 208   20:       SET {
 210   18:         SEQUENCE {
 212    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 217   11:           PrintableString 'santa clara'
         :           }
         :         }
 230   12:       SET {
 232   10:         SEQUENCE {
 234    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 239    3:           PrintableString 'sun'
         :           }
         :         }
 244   13:       SET {
 246   11:         SEQUENCE {
 248    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 253    4:           PrintableString 'j2se'
         :           }
         :         }
 259   23:       SET {
 261   21:         SEQUENCE {
 263    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 268   14:           PrintableString 'xml dsig cert2'
         :           }
         :         }
 284   32:       SET {
 286   30:         SEQUENCE {
 288    9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
 299   17:           IA5String '###@###.###'
         :           }
         :         }
         :       }
 318  438:     SEQUENCE {
 322  299:       SEQUENCE {
 326    7:         OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
 335  286:         SEQUENCE {
 339  129:           INTEGER
         :             00 F0 AA 19 08 95 4A 31 4D CB E3 B8 29 6E 59 72
         :             8A 22 D8 82 07 53 87 32 C5 C1 CC E2 BF C8 79 F5
         :             8D 59 EE 6C C8 1A DD 1B D4 36 2C 61 63 4D 08 5F
         :             0C 58 62 63 6C 4A 99 62 70 75 F9 85 1A 6B 51 41
         :             05 C3 D1 C0 B0 24 17 C4 AF 84 C5 7B 25 87 4D 31
         :             EF 43 E5 E3 3B 51 B3 38 73 B2 7C 08 A9 2C 31 DC
         :             4F 2C 57 2C 44 C9 D4 09 B4 69 83 4A 36 BF 08 0E
         :             E7 00 D6 04 37 6F 40 05 C8 04 68 FD 60 15 FB 99
         :                     [ Another 1 bytes skipped ]
 471   21:           INTEGER
         :             00 82 12 2A D6 3B 97 C1 7F CB 54 37 8C 44 8A 62
         :             5C 18 C3 90 A3
 494  128:           INTEGER
         :             26 60 22 D2 E9 17 41 78 78 FC E2 95 63 0C 60 0F
         :             D8 47 F3 87 41 AC D2 01 2F 1C 26 F3 6D F8 F3 3C
         :             A3 96 8E 87 B8 31 98 B8 EA FD CF 2F B1 7F F4 F8
         :             AF 00 C3 60 9B CF 28 D0 85 57 59 26 1F EC EF 75
         :             CA 67 14 2D DC FE 37 2F 52 DE 18 3D 02 BE 17 46
         :             EE 5C 82 50 50 06 FC E9 02 C7 C0 FE 83 D2 B9 3B
         :             39 DE E9 7A 3E BC 81 91 74 42 18 C7 DA FF 20 13
         :             B6 28 4B 0C 98 3C 00 76 EB 66 E4 34 DA AD 34 DB
         :           }
         :         }
 625  132:       BIT STRING, encapsulates {
 629  128:         INTEGER
         :           2E A8 B5 AE A2 A4 95 C8 87 67 5E 8E A6 44 5C 5F
         :           7E 4C F3 34 FA 33 10 2B 0C B9 C5 E6 43 ED A0 D7
         :           A9 B4 D1 C4 A9 69 1F 53 84 2D 33 75 1E 4F 29 49
         :           96 C8 D5 62 8B F6 F0 52 42 67 0D A5 A9 4A AD 8D
         :           78 7F 48 AA 52 F5 72 10 6B E3 EC AE BC 4D 5F 11
         :           42 63 E5 B7 4D AF BF E1 93 F8 50 EB 89 D4 F5 D1
         :           89 28 1F 44 D1 E2 8F 54 22 8E F6 D4 35 DA F5 09
         :           E6 2C BA 06 9C 85 48 B2 17 CB 67 B5 01 0E 80 E5
         :         }
         :       }
 760  487:     [3] {
 764  483:       SEQUENCE {
 768   14:         SEQUENCE {
 770    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 775    1:           BOOLEAN TRUE
 778    4:           OCTET STRING, encapsulates {
 780    2:             BIT STRING 6 unused bits
         :               '11'B
         :             }
         :           }
 784   29:         SEQUENCE {
 786    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 791   22:           OCTET STRING, encapsulates {
 793   20:             OCTET STRING
         :               95 C2 F3 FA 17 56 6A 26 06 3B 69 FD FC E1 34 60
         :               F8 D1 39 72
         :             }
         :           }
 815   19:         SEQUENCE {
 817    3:           OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
 822   12:           OCTET STRING, encapsulates {
 824   10:             SEQUENCE {
 826    8:               OBJECT IDENTIFIER emailProtection (1 3 6 1 5 5 7 3 4)
         :               }
         :             }
         :           }
 836   31:         SEQUENCE {
 838    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 843   24:           OCTET STRING, encapsulates {
 845   22:             SEQUENCE {
 847   20:               [0]
         :                 FF B4 C9 92 9E EC 89 A7 45 C6 AA AE 26 97 20 D1
         :                 3D 10 DE FC
         :               }
         :             }
         :           }
 869  148:         SEQUENCE {
 872    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
 877  140:           OCTET STRING, encapsulates {
 880  137:             SEQUENCE {
 883  134:               SEQUENCE {
 886  131:                 [0] {
 889  128:                   [0] {
 892   62:                     [6]
         :                   'http://ionpulse.jdksec.sfbay.sun.com/CertEnroll/'
         :                   'MS%20CA(1).crl'
 956   62:                     [6]
         :                   'file://\\IONPULSE.jdksec.sfbay.sun.com\CertEnrol'
         :                   'l\MS CA(1).crl'
         :                     }
         :                   }
         :                 }
         :               }
         :             }
         :           }
1020  228:         SEQUENCE {
1023    8:           OBJECT IDENTIFIER authorityInfoAccess (1 3 6 1 5 5 7 1 1)
1033  215:           OCTET STRING, encapsulates {
1036  212:             SEQUENCE {
1039  104:               SEQUENCE {
1041    8:                 OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
1051   92:                 [6]
         :                   'http://ionpulse.jdksec.sfbay.sun.com/CertEnroll/'
         :                   'IONPULSE.jdksec.sfbay.sun.com_MS%20CA(1).crt'
         :                 }
1145  104:               SEQUENCE {
1147    8:                 OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
1157   92:                 [6]
         :                   'file://\\IONPULSE.jdksec.sfbay.sun.com\CertEnrol'
         :                   'l\IONPULSE.jdksec.sfbay.sun.com_MS CA(1).crt'
         :                 }
         :               }
         :             }
         :           }
         :         }
         :       }
         :     }
1251   13:   SEQUENCE {
1253    9:     OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
1264    0:     NULL
         :     }
1266  257:   BIT STRING
         :     4D C1 86 11 C1 E8 69 F6 21 D2 72 AD 97 E7 31 53
         :     37 16 1B 8D 88 6F A6 EA 0E 56 D9 41 33 7E 19 76
         :     D5 6B FD 54 CB 86 CE F0 6E 0F 50 5B B2 05 89 13
         :     AB 83 82 E7 9B 95 71 92 6E D9 C5 0D B1 2E C3 6D
         :     A3 E3 38 36 69 15 78 5C 92 E8 55 5D 02 CB D6 7C
         :     3C 35 4D 62 8E 38 D1 C6 05 55 49 20 46 8A 35 35
         :     FC 07 7C 55 D9 CD 70 FF E9 3A 2C 22 19 C7 96 BF
         :     9D 04 B0 19 26 91 BE 81 25 DC F9 65 63 D6 F9 39
         :             [ Another 128 bytes skipped ]
         :   }

0 warnings, 0 errors.

Comments
EVALUATION Bug fixed, after Andreas's fix for 6209956
28-09-2005

SUGGESTED FIX Instead of just the hex dump, I think a much better solution is to parse out the extensions and generate a warning saying the URI is invalid.
03-08-2005

EVALUATION I can print out the hex'ed extension. The real problem here is that file://\\server\path\filename is not a valid java.net.URI
03-08-2005

SUGGESTED FIX keytool has a problem parsing two extensions in the certificate (refer to bug 6304269), which caused keytool to show only 4 extensions in its output. The preferred behavior is to produce a warning and show the hex of unparsed extensions.
31-07-2005
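
The behaviour the description and the suggested-fix comments ask for, as an added example that is not part of this bug report and not JDK code: a small Python DER walker that lists every extension in an X.509 Extensions SEQUENCE, and for cRLDistributionPoints and authorityInfoAccess validates each URI GeneralName, printing a warning plus the raw extnValue hex instead of silently dropping the extension. The input is constructed inline from the URIs shown in the dumpasn1 output above (it is not the original DSA1024.crt); the URI check is a character-set test against RFC 3986, an assumed approximation of java.net.URI's grammar, which likewise rejects backslash and space.

```python
"""Added example (not JDK code): list every X.509 extension, warning on bad URIs
instead of skipping the extension. Only single-byte DER tags are handled."""
import re
from typing import Iterator

OID_NAMES = {
    "2.5.29.15": "keyUsage",
    "2.5.29.31": "cRLDistributionPoints",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
}
GENERAL_NAME_EXTENSIONS = ("2.5.29.31", "1.3.6.1.5.5.7.1.1")
# Characters RFC 3986 permits in a URI; backslash and space are not among them,
# which is why the file:// names in the report are rejected (assumed check).
URI_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

# ---- minimal DER encoder, used only to build the constructed sample ----------
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x8k then k length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:   # base-128, high bit = "more"
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

# ---- minimal DER decoder -----------------------------------------------------
def tlv(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(content: bytes) -> Iterator[tuple]:
    pos = 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        yield tag, val

def decode_oid(body: bytes) -> str:
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in lead + tuple(subids[1:]))

def find_uris(content: bytes) -> Iterator[str]:
    """Yield every uniformResourceIdentifier GeneralName ([6] IMPLICIT IA5String)
    below this node, descending through constructed elements."""
    for tag, val in children(content):
        if tag == 0x86:
            yield val.decode("ascii", "replace")
        elif tag & 0x20:
            yield from find_uris(val)

def check_uris(oid: str, value: bytes) -> list:
    if oid not in GENERAL_NAME_EXTENSIONS:
        return []
    return [f"invalid URI: {u!r}" for u in find_uris(value) if not URI_ALLOWED.match(u)]

def list_extensions(extensions_der: bytes) -> list:
    """Decode Extensions ::= SEQUENCE OF { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, seq, _ = tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = []
    for _, ext in children(seq):
        fields = list(children(ext))
        oid = decode_oid(fields[0][1])
        critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
        value = fields[-1][1]               # content of the extnValue OCTET STRING
        out.append({"oid": oid, "name": OID_NAMES.get(oid, oid), "critical": critical,
                    "value": value, "warnings": check_uris(oid, value)})
    return out

def report(extensions_der: bytes) -> list:
    lines = []
    for i, e in enumerate(list_extensions(extensions_der), 1):
        lines.append(f"#{i}: ObjectId: {e['oid']} ({e['name']}) Criticality={str(e['critical']).lower()}")
        lines.extend("   WARNING: " + w for w in e["warnings"])
        if e["warnings"]:                   # value is still shown, never dropped
            lines.append("   raw extnValue: " + e["value"].hex())
    return lines

def build_sample() -> bytes:
    """Constructed sample: keyUsage (critical), cRLDistributionPoints and
    authorityInfoAccess with the http:// and file:// names from the dumpasn1 output."""
    def ext(oid, value, critical=False):
        flag = der(0x01, b"\xff") if critical else b""
        return der(0x30, der_oid(oid) + flag + der(0x04, value))
    def uri(s):
        return der(0x86, s.encode("ascii"))
    key_usage = der(0x03, b"\x06\xc0")       # 6 unused bits, '11'B
    crl_dp = der(0x30, der(0x30, der(0xA0, der(0xA0,
        uri("http://ionpulse.jdksec.sfbay.sun.com/CertEnroll/MS%20CA(1).crl") +
        uri("file://\\\\IONPULSE.jdksec.sfbay.sun.com\\CertEnroll\\MS CA(1).crl")))))
    aia = der(0x30,
        der(0x30, der_oid("1.3.6.1.5.5.7.48.2") +
            uri("http://ionpulse.jdksec.sfbay.sun.com/CertEnroll/IONPULSE.jdksec.sfbay.sun.com_MS%20CA(1).crt")) +
        der(0x30, der_oid("1.3.6.1.5.5.7.48.2") +
            uri("file://\\\\IONPULSE.jdksec.sfbay.sun.com\\CertEnroll\\IONPULSE.jdksec.sfbay.sun.com_MS CA(1).crt")))
    return der(0x30, ext("2.5.29.15", key_usage, critical=True)
               + ext("2.5.29.31", crl_dp) + ext("1.3.6.1.5.5.7.1.1", aia))

if __name__ == "__main__":
    print("\n".join(report(build_sample())))
```

Run as a script it prints all three extensions; the file:// names trigger a warning and a hex dump of the extension value rather than the extension disappearing from the listing. The constructed cRLDistributionPoints value comes out at the same 140-byte length dumpasn1 shows for the real certificate, which is a cheap sanity check on the encoder.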