JDK-6967112 : keytool and generateCertificate() fail when user tries to use OCSP responder certificates in jdk6u22
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u21
  • Priority: P3
  • Status: Closed
  • Resolution: Won't Fix
  • OS: windows_2008
  • CPU: x86
  • Submitted: 2010-07-07
  • Updated: 2011-10-06
  • Resolved: 2011-10-06
Description
A customer application that connects to ActiveDirectory over a TLS connection faces a problem related to X509 certificates.

PROBLEM : 
The customer plans to adopt OCSP in Windows Server 2008.
They found some errors when they tried to import OCSP certificates into the CertStore of JKS with the keytool command.
They also found an exception when they tried to view the certificates with java.security.cert.CertificateFactory.generateCertificate().

CONFIGURATION:
OS : Windows Server 2008/Windows Vista Business(Japanese)
JDK : jdk6u21/u22

REPRODUCE :
1. Keytool error
(1) Invoke the command line (ocspcert_der.cer is attached to this CR file)

C:\Users\licensees\ocsp-cert-exception> keytool -import -file ocspcert_der.cer
Input Keystore password : 
Input new password again :
Keytool Error : java.lang.Exception: Not X509 certificates

C:\Users\licensees\ocsp-cert-exception> keytool -printcert -file ocspcert_der.cer
keytool error : java.lang.Exception: fails to parse input

NOTE:
 The above messages are just translated into English.
 So, those might not be different from the actual message in Windows (English).


2. Exception in java.security.cert.CertificateFactory.generateCertificate() 

(1) Compile the attached CertView.java and invoke the command line

C:\Users\licensees\ocsp-cert-exception>java CertView ocspcert_der.cer
java.security.cert.CertificateParsingException: java.io.IOException: short read on DerValue buffer
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:154)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1729)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:179)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
        at CertView.<init>(CertView.java:23)
        at CertView.main(CertView.java:13)
Caused by: java.io.IOException: short read on DerValue buffer
        at sun.security.util.DerValue.getOctetString(DerValue.java:459)
        at sun.security.x509.Extension.<init>(Extension.java:73)
        at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:69)
        at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:60)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:723)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:152)
        ... 6 more

NOTE:
 These problems don't occur in jdk7b99.
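
The trace above fails inside Extension.<init> at DerValue.getOctetString, that is, while reading the value of one certificate extension. As an added triage aid (not part of this report or of the attached CertView.java), the following Python script walks the certificate's DER without the JDK parser and reports, for each extension, its OID and the declared versus available extnValue length. The function names are illustrative and the sample bytes are constructed; they are not the attached ocspcert_der.cer.

```python
def read_tlv(buf, pos):
    """Return (tag, declared_len, value_start); definite-length DER only."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F  # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def children(buf, start, end):
    pos = start
    while pos + 2 <= end:
        tag, length, vstart = read_tlv(buf, pos)
        yield tag, length, vstart
        pos = vstart + length

def decode_oid(body):
    a = min(body[0] // 40, 2)  # first two arcs share one byte
    arcs, val = [a, body[0] - 40 * a], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extensions(der):
    """Yield (oid, declared_len, available_len) for each extnValue."""
    _, _, cert = read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs_len, tbs = read_tlv(der, cert)  # TBSCertificate SEQUENCE
    for tag, _, v in children(der, tbs, tbs + tbs_len):
        if tag != 0xA3:                    # [3] EXPLICIT Extensions
            continue
        _, seq_len, seq = read_tlv(der, v)
        for _, ext_len, ext in children(der, seq, seq + seq_len):
            end, oid = min(ext + ext_len, len(der)), None
            for t, n, p in children(der, ext, end):
                if t == 0x06:
                    oid = decode_oid(der[p:p + n])
                elif t == 0x04:            # extnValue OCTET STRING
                    yield oid, n, max(0, end - p)

def tlv(tag, body):  # builds the constructed sample; short-form lengths only
    return bytes([tag, len(body)]) + body
# Constructed sample (not the attached certificate): skeleton with two extensions.
GOOD = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x04, tlv(0x30, b"")))
BAD = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f") + b"\x04\x05\x03\x02")
SAMPLE = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, GOOD + BAD))))
if __name__ == "__main__":
    print(list(extensions(SAMPLE)))
```

To inspect a real file, pass its bytes instead of SAMPLE, for example `extensions(open("ocspcert_der.cer", "rb").read())`, and compare the listed extensions between the JDK that fails and the one that parses the certificate.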