JDK-6483657 : MSCAPI provider does not create unique alias names
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 6,7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_2000,windows_xp,windows_7
  • CPU: x86
  • Submitted: 2006-10-18
  • Updated: 2020-07-22
  • Resolved: 2016-04-03
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9 Other
7u121Fixed 8u101Fixed 9 b113Fixed openjdk7uFixed
Related Reports
Duplicate :  
JDK-8144604 - Problem with SSL Client Authentication having multiple certificates on smartcard
Duplicate :  
JDK-6672015 - Microsoft CryptoAPI KeyStore can have aliases duplicates
Duplicate :  
JDK-8149344 - Application doesn't work with Java 8U45 using smartcard
Duplicate :  
JDK-8058544 - SunMSCAPI provider KeyStore.aliases() returns non unique aliases
Duplicate :  
JDK-7192000 - MSCAPI as trust provider does not include all certificates with same Subject
Relates :  
JDK-8249831 - sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java uses @ignore w/o bug-id
Relates :  
JDK-8153948 - sun/security/mscapi/ShortRSAKey1024.sh fails with "Field length overflow"
Relates :  
JDK-8187634 - keystore.getCertificateAlias(cert) returns original alias, inconsistent with fix of JDK-6483657
Relates :  
JDK-8185844 - MSCAPI doesn't list aliases correctly
Sub Tasks
JDK-8161128 :  
Release Note: MSCAPI KeyStore can handle same named certificates - Closed
Description
FULL PRODUCT VERSION :
java version "1.6.0-rc"
Java(TM) SE Runtime Environment (build 1.6.0-rc-b101)
Java HotSpot(TM) Client VM (build 1.6.0-rc-b101, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows 2000 english fully patched

A DESCRIPTION OF THE PROBLEM :
The new keystore provider "MSCAPI" does not create uniqe aliase names if several keystore entries with the same subject are located in the windows certificate store.
In such a case only the first keystore entry can be accessed. The other keystore entries are inaccessible because the selection is performed by their alias - which is identical.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create/import two or more certificates with the same subject (or "Issued to" as it is called in windows) and import them into the windows personal certificate store.
Now load the MSCAPI provider and open the keystore "Windows-MY". Then enumerate through all aliases via java.security.KeyStore.aliases().



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The alias has to be unique within a keystore for allowing to accessing the correspondant keystore entry
ACTUAL -
The alias-enumeration contains two or more equal aliases

REPRODUCIBILITY :
This bug can be reproduced always.
Comments
UR SQE OK to defer the risky fix from PSU16_03.
20-06-2016
See also http://mail.openjdk.java.net/pipermail/security-dev/2014-February/010119.html for a posting to security-dev about this issue.
03-02-2014