JDK-4522417 : InvalidKeySpecException when parsing certificate
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.0
  • Priority: P2
  • Status: Closed
  • Resolution: Not an Issue
  • OS: generic
  • CPU: generic
  • Submitted: 2001-11-02
  • Updated: 2001-11-05
  • Resolved: 2001-11-05
Related Reports
Relates :  

Name: nt126004			Date: 11/02/2001

java version "1.4.0-beta2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-beta2-b77)
Java HotSpot(TM) Client VM (build 1.4.0-beta2-b77, mixed mode)

There is still an unhandled NullPointerException due to an unknown key
specification when executing CertificateFactory.generateCertificate(). Here is the output:

Alias name: Thawte Universal CA Root
Creation date: Oct 29, 2001
Error: Certificate identified by alias Thawte Universal CA Root contains an inva
lid extension - java.io.IOException: subject key, java.security.spec.InvalidKeyS
pecException: Unknown key spec.
keytool error: java.lang.NullPointerException

The first part is the output produced by my code, but then an apparent
unhandled java.lang.NullPointerException occurs.  This doesn't happen in the test program attached.
As part of a project here at the SEI, I wrote an implementation of KeyStoreSpi
that reads from Netscape keystore files, and when I try to use it with keytool that is what I get.

When tracing the exception, I found out that the problem is that it is throwing an exception that 
keytool does not expect, and therefore gets a null piece of data
and throws the exception. But I'm sure the problem is in generateCertificate(). 

This is the exception thrown by the attached program.  It fails
with an apparently valid certificate.  (It is the Thawte Universal CA Root that 
comes with Netscape.)

java.security.cert.CertificateParsingException: java.io.IOException: subject 
key, java.security.spec.InvalidKeySpecException: Unknown key spec. 
java.security.cert.CertificateParsingException: java.io.IOException: subject key 
, java.security.spec.InvalidKeySpecException: Unknown key spec. 
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157) 
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1044) 
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:149) 
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Facto 
        at java.security.cert.CertificateFactory.generateCertificate(Certificate 
        at hello.certDetails(hello.java:26) 
        at hello.main(hello.java:13) 

------------ Source Code ----------
import java.io.*; 
import java.security.*; 
import java.security.cert.*; 
import java.util.*; 

public class hello { 

    public static void main (String args[]) { 

        System.out.println ("hello world"); 

        try { 
            certDetails ("cert2.bad"); 
        } catch (Exception e) { 
            System.out.println ("whoops " + e.toString()); 

        System.out.println ("Goodbye world"); 

    public static void certDetails (String fileName) throws Exception 
        FileInputStream fis = new FileInputStream (fileName); 
        CertificateFactory cf = CertificateFactory.getInstance ("X.509"); 
        X509Certificate subjectCert = (X509Certificate)cf.generateCertificate(fis); 
        System.out.println (subjectCert.getSubjectDN().getName()); 
(Review ID: 134605) 

EVALUATION The certificate in question is a Thawte root certificate with a 16384 bit RSA public key. It is rejected by our JSafe RSA implementation, which limits RSA keys to 2048 bits. This reason does not become apparent because we do not propagate the exceptions very well. Note that the exception propagated to the user of CertificateFactory is a CertificateParsingException as expected. It has its cause set to an IOException, which contains an InvalidKeySpecException in its message. The NullPointerException mentioned in the report does not appear in the API code. It seems to occur when using keytool, which should be fixed. I am closing this as not-a-bug. We should file an RFE to lift the restriction on the length of RSA keys for the next feature release. The NullPointerException in keytool should also be examined in more detail. ###@###.### 2001-11-05