JDK-8139436 : sun.security.mscapi.KeyStore might load incomplete data
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows
  • Submitted: 2015-10-12
  • Updated: 2023-11-29
  • Resolved: 2015-11-18
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9 Other
7u121Fixed 8u101Fixed 9 b94Fixed openjdk7uFixed
Related Reports
Duplicate :  
Relates :  
It is possible that a sun.security.mscapi.KeyStore loaded from the Windows System Key store contains certificate entries with no certificate objects associated. Later, when you try to access the certificate, you get exceptions like this:

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
        at sun.security.mscapi.KeyStore.engineGetCertificate(KeyStore.java:313)
        at sun.security.mscapi.KeyStore$ROOT.engineGetCertificate(KeyStore.java:60)
        at java.security.KeyStore.getCertificate(KeyStore.java:1095)
        at WindowsCertificateReaderTest.main(WindowsCertificateReaderTest.java:24)

The issue can be recreated, using e.g. an old IAIK security provider, for instance version 3.15, when you have elliptic curve certificates in the windows keystore. This is the source code:

import iaik.security.provider.IAIK;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Enumeration;

public class WindowsCertificateReaderTest {

	public static void main(String[] args) {
		System.out.println("Prepending IAIK as security provider.");
		try {
			System.out.print("Loading Windows-ROOT Certificates...");
			KeyStore ks = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
			ks.load(null, null);
			System.out.println(" done.");
			Enumeration iter = ks.aliases();
			while (iter.hasMoreElements()) {
				String alias = (String)iter.nextElement();
				System.out.print("Reading certificate for alias: " + alias + "...");
				System.out.println(" ok.");
		} catch (KeyStoreException kse) {
		} catch (NoSuchProviderException nse) {
		} catch (NoSuchAlgorithmException nsae) {
		} catch (CertificateException ce) {
		} catch (IOException ioe) {

The reason is that in method "private void generateCertificate(byte[] data, Collection<Certificate> certCollection)" exceptions are just caught and silently ignored which will lead to the situation that an entry for the certificate alias is added to the certificate collection but no certificate data is associated with it.
No issues in the recent core-libs PSU nightly. SQE OK to take the fix to PSU16_02

Do we have backport to 8 ready?

URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/05899a336fcd User: lana Date: 2015-11-25 21:18:22 +0000

URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/05899a336fcd User: weijun Date: 2015-11-18 00:44:17 +0000