JDK-8220734 : java.security.KeyStore should support PKCS#12 files with AES
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11.0.2
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_10
  • CPU: x86_64
  • Submitted: 2019-03-13
  • Updated: 2019-03-15
  • Resolved: 2019-03-15
Related Reports
Duplicate :
Description
ADDITIONAL SYSTEM INFORMATION :
Windows 10 (1803)
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

and 

Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)


A DESCRIPTION OF THE PROBLEM :
The PowerShell function "Export-PfxCertificate" supports exporting a certificate using either TripleDES_SHA1 or AES256_SHA256. I can open the exported PFX using java.security.KeyStore when I use TripleDES_SHA1, but not if I use AES256_SHA256.

Steps to reproduce the behavior:
$Cert = dir Cert:\LocalMachine\My | Where-Object -Filter { $_.Thumbprint -eq "0141F6F8D22D8227595D52820D91AEB213725AF7" }
$PFXPassword = Read-Host "Enter password" -AsSecureString
Export-PfxCertificate -Cert $Cert -Password $PFXPassword -FilePath .\TripleDES.pfx -CryptoAlgorithmOption TripleDES_SHA1
Export-PfxCertificate -Cert $Cert -Password $PFXPassword -FilePath .\AES256.pfx -CryptoAlgorithmOption AES256_SHA256

The following code demonstrates the problem:
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class Main {
	public static void main(String[] args) throws Exception {
		// PFX exported with Export-PfxCertificate -CryptoAlgorithmOption AES256_SHA256
		File certFile   = new File("AES256.pfx");
		String password = "Password";

		// try-with-resources closes the stream after the load attempt
		try (InputStream in = new FileInputStream(certFile)) {
			KeyStore keystore = KeyStore.getInstance("pkcs12");
			// Fails on 8u202 and 11.0.2 with the exceptions below; succeeds on openjdk 12+33
			keystore.load(in, password.toCharArray());
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

Testing with 1.8.0_202 and 11.0.2 produces the following errors:
java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:816)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2018)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at Main.main(Main.java:16)
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:314)
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:812)
        ... 3 more

java version "11.0.2" 2019-01-15 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)

java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2108)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at Main.main(Main.java:16)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 4 more

The program works correctly in openjdk 12+33. Can this support be backported to earlier versions?
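The two stack traces above show why this case is awkward to diagnose: 8u202 fails inside PBES2Parameters while parsing the AlgorithmIdentifier, but 11.0.2 reports "keystore password was incorrect", which looks like an operator error rather than an unsupported encryption scheme. The following added example (not code from the bug report or from the JDK) inspects a PFX before handing it to KeyStore: it walks the DER encoding, collects every OBJECT IDENTIFIER, and reports whether the file relies on PBES2 with AES (the AES256_SHA256 export) or on the legacy pbeWithSHAAnd3-KeyTripleDES-CBC scheme (the TripleDES_SHA1 export). The OID table, the DER helpers and the two sample AlgorithmIdentifier fragments at the bottom are constructed for this example; the samples are not real PFX files, but running the script with a file path classifies a real one.

```python
import sys

# OIDs that appear in PKCS#12 encryption AlgorithmIdentifiers.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
}


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed samples)."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _wraps_der(content):
    """True when an OCTET STRING holds exactly one DER SEQUENCE. PKCS#12 nests
    AuthenticatedSafe and SafeContents inside OCTET STRINGs, so the walker must
    descend into those; salts and IVs practically never pass this check."""
    if len(content) < 2 or content[0] != 0x30:
        return False
    try:
        _, _, end = _read_tlv(content, 0)
    except IndexError:
        return False
    return end == len(content)


def collect_oids(buf):
    """Every OID in the blob, in encounter order, recursing into constructed
    elements and into OCTET STRINGs that carry nested DER."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(decode_oid(content))
        elif tag & 0x20 or (tag == 0x04 and _wraps_der(content)):
            oids.extend(collect_oids(content))
    return oids


def classify_pbe(der_blob):
    """Summarise the PBE scheme found in a PFX (or AlgorithmIdentifier) blob."""
    names = [OID_NAMES.get(o, o) for o in collect_oids(der_blob)]
    aes = [n for n in names if n.startswith("aes")]
    legacy = [n for n in names if n.startswith("pbeWithSHAAnd")]
    pbes2 = "PBES2" in names
    if pbes2 and aes:
        verdict = "PBES2 with AES: needs the JDK-8214513 fix (JDK 12, backported to 11.0.3)"
    elif legacy:
        verdict = "legacy PKCS#12 PBE: loads on the 8u202 and 11.0.2 builds in the report"
    else:
        verdict = "no recognised PBE AlgorithmIdentifier found"
    return {"pbes2": pbes2, "cipher": (aes or legacy or [None])[0],
            "verdict": verdict, "oids": names}


def _pbes2_aes256_alg_id(salt, iv, iterations=2000):
    """Constructed AlgorithmIdentifier: PBES2 / PBKDF2-HMAC-SHA256 / AES-256-CBC."""
    kdf_params = der(0x30, der(0x04, salt) + der(0x02, iterations.to_bytes(2, "big"))
                     + der(0x30, encode_oid("1.2.840.113549.2.9") + der(0x05, b"")))
    kdf = der(0x30, encode_oid("1.2.840.113549.1.5.12") + kdf_params)
    enc = der(0x30, encode_oid("2.16.840.1.101.3.4.1.42") + der(0x04, iv))
    return der(0x30, encode_oid("1.2.840.113549.1.5.13") + der(0x30, kdf + enc))


def _legacy_3des_alg_id(salt, iterations=2000):
    """Constructed AlgorithmIdentifier: pbeWithSHAAnd3-KeyTripleDES-CBC."""
    params = der(0x30, der(0x04, salt) + der(0x02, iterations.to_bytes(2, "big")))
    return der(0x30, encode_oid("1.2.840.113549.1.12.1.3") + params)


# Constructed samples; fixed salt/IV values are fine for exercising a parser.
SAMPLE_AES = _pbes2_aes256_alg_id(salt=bytes(range(8)), iv=bytes(range(16)))
SAMPLE_3DES = _legacy_3des_alg_id(salt=bytes(range(8)))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AES
    print(classify_pbe(blob)["verdict"])
```

Run as `python inspect_pfx.py AES256.pfx` (file name assumed) to get the verdict for a real export; with no argument it classifies the constructed AES sample. The walker deliberately does not descend into the ciphertext (a context-tagged primitive element), so it reads only the public AlgorithmIdentifiers and never needs the password.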
Comments
This has been fixed in JDK 12 with JDK-8214513 and backported to JDK 11.0.3. So closing this one as a duplicate.
15-03-2019