JDK-8187634 : keystore.getCertificateAlias(cert) returns original alias, inconsistent with fix of JDK-6483657
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u144
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • OS: windows
  • CPU: x86
  • Submitted: 2017-09-04
  • Updated: 2020-04-10
Other: tbd (Unresolved)
Description
FULL PRODUCT VERSION :
java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Versión 10.0.10586]

A DESCRIPTION OF THE PROBLEM :
I have encountered the bug JDK-8156383, which is about duplicated aliases in a keystore with the MSCAPI provider causing problems. It was fixed by adding an extra identifier after the duplicated ones, making each one unique.

However, the same fix is not done with this method:

        keystore.getCertificateAlias(alias)

thus causing inconsistency. 

For example, I have cert A and cert B in the same keystore, with the same alias "alias". When fetching the cert by alias, the alias of one of them is changed to "alias (2)" and all is OK. But after that, if we go back to get the alias of these two certs, the same alias will be returned. I was expecting "alias" and "alias (2)" to be returned. When only the cert is available, this can cause problems.

The bug may exist too in OpenJDK, but I haven't tested.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. In the Windows certmgr, change the alias of two certs to be the same, e.g., "alias".
2. Run the code I post below to see the inconsistency.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
All certs with the same alias now have different aliases.
ACTUAL -
Inconsistency. Repetition.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Enumeration;

import java.security.cert.Certificate;

public class WhichAliasToPick {
    public static void main(String[] args) {
        System.out.println("OS name:         " + System.getProperty("os.name"));
        System.out.println("OS architecture: " + System.getProperty("os.arch")); //this is x64 machine so no error
        System.out.println("Java version:    " + System.getProperty("java.version"));
        System.out.println("Java vendor:     " + System.getProperty("java.vendor"));
        System.out.println("------------------------------------------------");
        
        try {
            KeyStore ks = KeyStore.getInstance("Windows-MY");
            ks.load(null, null);
            
            Enumeration<String> as = ks.aliases();
            while (as.hasMoreElements()) {
                String alias = as.nextElement();
                System.out.println("The keystore has alias: " + alias);
                Certificate ct = ks.getCertificate(alias);
                System.out.println("The certificate obtained via 'ks.getCertificate(alias)' is: " + ct.toString());
                System.out.println("");
                String alias2 = ks.getCertificateAlias(ct);
                System.out.println("For this certificate, the result of 'ks.getCertificateAlias(ct)' is: " + alias2);
                if (alias.equals(alias2)) {
                    System.out.println("These two alias are the same. ");
                    System.out.println("------------------------------------------------");
                } else {
                    System.out.println("These two alias are not the same, bug persists!");
                    break;
                }
                
            }
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
            e.printStackTrace();
        }
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Change alias in the certmgr. This is annoying if it involves massive manual config.
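
A reverse lookup that stays consistent with the de-duplicated aliases, as an added example (not part of the original report or of the JDK): it scans `ks.aliases()` and compares certificates instead of relying on `getCertificateAlias`. The class name `AliasByScan` and the helper `aliasesFor` are hypothetical, and the code assumes the behaviour described in the report, where `getCertificate` accepts the suffixed alias.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class AliasByScan {

    /**
     * Returns every alias, as reported by ks.aliases(), whose entry holds
     * the given certificate. An empty list means the cert is not in the store.
     */
    static List<String> aliasesFor(KeyStore ks, Certificate cert) throws KeyStoreException {
        List<String> matches = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate stored = ks.getCertificate(alias);
            // Certificate.equals compares the encoded form of both certificates.
            if (stored != null && stored.equals(cert)) {
                matches.add(alias);
            }
        }
        return matches;
    }

    public static void main(String[] args) throws Exception {
        // Same store as the reproducer in the report; available on Windows only.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) continue;
            String direct = ks.getCertificateAlias(cert);
            List<String> scanned = aliasesFor(ks, cert);
            System.out.println(alias + " -> getCertificateAlias: " + direct + ", scan: " + scanned);
            // Flag entries where the reverse lookup is ambiguous or disagrees with the alias.
            if (scanned.size() != 1 || !alias.equals(direct)) {
                System.out.println("  ambiguous reverse lookup; select this entry by alias, not by cert");
            }
        }
    }
}
```

A scan result with more than one alias means the same certificate is stored under several entries, so code that selects a signing or client-authentication key should carry the alias from `ks.aliases()` forward rather than re-deriving it from the certificate.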


Comments
This is reproducible with the steps provided in the bug report.
JDK 8u144 - Fail
JDK 9-ea+181 - Fail
18-09-2017