A sun.security.mscapi.KeyStore loaded from the Windows system keystore can contain certificate entries that have no certificate object associated with them. Later, when you try to access such a certificate, you get an exception like this:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
    at sun.security.mscapi.KeyStore.engineGetCertificate(KeyStore.java:313)
    at sun.security.mscapi.KeyStore$ROOT.engineGetCertificate(KeyStore.java:60)
    at java.security.KeyStore.getCertificate(KeyStore.java:1095)
    at WindowsCertificateReaderTest.main(WindowsCertificateReaderTest.java:24)
The issue can be reproduced using, e.g., an old IAIK security provider (for instance version 3.15) when you have elliptic curve certificates in the Windows keystore. This is the source code:
import iaik.security.provider.IAIK;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.util.Enumeration;

public class WindowsCertificateReaderTest {

    public static void main(String[] args) {
        // Put IAIK in front of the default providers so that it is asked
        // first when the certificates are parsed.
        System.out.println("Prepending IAIK as security provider.");
        IAIK.addAsJDK14Provider();

        try {
            System.out.print("Loading Windows-ROOT Certificates...");
            KeyStore ks = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
            ks.load(null, null);
            System.out.println(" done.");

            Enumeration<String> iter = ks.aliases();
            while (iter.hasMoreElements()) {
                String alias = iter.nextElement();
                System.out.print("Reading certificate for alias: " + alias + "...");
                // Throws ArrayIndexOutOfBoundsException for an alias that
                // has no certificate object associated with it.
                ks.getCertificate(alias);
                System.out.println(" ok.");
            }
        } catch (KeyStoreException kse) {
            kse.printStackTrace();
        } catch (NoSuchProviderException nse) {
            nse.printStackTrace();
        } catch (NoSuchAlgorithmException nsae) {
            nsae.printStackTrace();
        } catch (CertificateException ce) {
            ce.printStackTrace();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }
}
The reason is that the method "private void generateCertificate(byte[] data, Collection<Certificate> certCollection)" catches exceptions and silently ignores them. As a result, an entry for the certificate alias is added to the certificate collection, but no certificate data is associated with it.
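
A caller-side guard for the situation described above, as an added example that is not part of the original report or of the JDK: it reads each alias separately, so one entry without certificate data does not abort loading the whole trust store, and it records the affected aliases instead of hiding them. The class name SafeWindowsRootReader and its members are hypothetical, and catching the exception in the caller is an assumed workaround, not a fix of the provider.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example; class, field and method names are hypothetical.
public class SafeWindowsRootReader {

    /** Certificates that could be read, keyed by alias. */
    final Map<String, Certificate> usable = new LinkedHashMap<>();
    /** Aliases whose entry exists but yields no certificate. */
    final List<String> broken = new ArrayList<>();

    void read(KeyStore ks) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            try {
                Certificate cert = ks.getCertificate(alias);
                if (cert == null) {
                    broken.add(alias);      // documented "no certificate" result
                } else {
                    usable.put(alias, cert);
                }
            } catch (ArrayIndexOutOfBoundsException e) {
                // The failure from the stack trace above: the alias is present
                // but its certificate chain is empty.
                broken.add(alias);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
        ks.load(null, null);
        SafeWindowsRootReader reader = new SafeWindowsRootReader();
        reader.read(ks);
        System.out.println(reader.usable.size() + " usable, "
                + reader.broken.size() + " without certificate data");
        // Report the affected aliases so the gap in the trust store is visible.
        for (String alias : reader.broken) {
            System.out.println("  no certificate: " + alias);
        }
    }
}
```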