JDK-8243551 : Hmac Keys loaded from PKCS12 don't have a Standard Algorithm Name
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,11,14,15
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2020-04-23
  • Updated: 2020-07-01
  • Resolved: 2020-07-01
JDK 15: 15 (Resolved)
Related Reports
Duplicate :  
Description
ADDITIONAL SYSTEM INFORMATION :
Tested with OpenJDK 14.0.1 as provided from Oracle and also openJDK 11 and 1.8.0 from the Fedora Repositories

A DESCRIPTION OF THE PROBLEM :
When a Hmac key is loaded from a PKCS12 keystore, its Algorithm Name (Key#getAlgorithm) doesn't conform to Standard Algorithm Names as described in https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a HmacSha512 Key, store to pkcs12 keystore, load from keystore.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The key loaded from the keystore should have standard algorithm name, as described in https://docs.oracle.com/javase/8/docs/api/java/security/Key.html#getAlgorithm--
ACTUAL -
The key loaded from the keystore has the algorithm name '1.2.840.113549.2.11' - which is not listed in https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html

---------- BEGIN SOURCE ----------
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class Main {
	public static void main(String[] args) throws Exception {
		KeyStore pkcs12 = KeyStore.getInstance("pkcs12");
		pkcs12.load(null, "keystorepassword".toCharArray());

		Key generatedKey = new SecretKeySpec(new byte[512], "HmacSha512");
		System.out.println(generatedKey.getAlgorithm());
		pkcs12.setKeyEntry("testkey", generatedKey, "keypassword".toCharArray(), new Certificate[0]);
		Key keyFromKeystore = pkcs12.getKey("testkey", "keypassword".toCharArray());
		System.out.println(keyFromKeystore.getAlgorithm());

		assert generatedKey.getAlgorithm().equalsIgnoreCase(keyFromKeystore.getAlgorithm());
	}
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
After loading the key, one could probably "recreate" it as

new SecretKeySpec(keyFromKeystore.getEncoded(), "HmacSha512");

FREQUENCY : always
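
An added example, not part of the original report or of the JDK sources: it applies the workaround above without hard-coding one algorithm, then checks that the rebuilt key produces the same MAC as the original. The class and method names (NormalizeHmacKey, standardName, normalize) are hypothetical; only the HmacSHA512 OID comes from this report, and the other entries are the standard hmacWithSHA* OIDs from the same arc.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class NormalizeHmacKey {
    // Map an OID returned by Key#getAlgorithm to its standard name.
    // Names that are not a known HMAC OID pass through unchanged, so the
    // helper is a no-op on JDK builds where the keystore returns the name.
    static String standardName(String alg) {
        switch (alg) {
            case "1.2.840.113549.2.7":  return "HmacSHA1";
            case "1.2.840.113549.2.8":  return "HmacSHA224";
            case "1.2.840.113549.2.9":  return "HmacSHA256";
            case "1.2.840.113549.2.10": return "HmacSHA384";
            case "1.2.840.113549.2.11": return "HmacSHA512"; // OID from this report
            default: return alg;
        }
    }

    // Rebuild the key with the same bytes under the standard algorithm name.
    static SecretKey normalize(Key key) {
        return new SecretKeySpec(key.getEncoded(), standardName(key.getAlgorithm()));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "keypassword".toCharArray();      // constructed sample value
        byte[] raw = new byte[64];
        new SecureRandom().nextBytes(raw);            // constructed sample key
        SecretKey original = new SecretKeySpec(raw, "HmacSHA512");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                          // empty in-memory keystore
        ks.setKeyEntry("testkey", original, pw, null);
        Key loaded = ks.getKey("testkey", pw);
        SecretKey fixed = normalize(loaded);
        System.out.println(loaded.getAlgorithm() + " -> " + fixed.getAlgorithm());

        // The round trip must only change the label, never the key material.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Mac a = Mac.getInstance(original.getAlgorithm()); a.init(original);
        Mac b = Mac.getInstance(fixed.getAlgorithm());    b.init(fixed);
        if (!MessageDigest.isEqual(a.doFinal(msg), b.doFinal(msg)))
            throw new IllegalStateException("MAC mismatch after keystore round trip");
    }
}
```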



Comments
JDK-8242151
10-06-2020

Now the test passes and prints out:
HmacSha512
HmacSHA512

Closing this as duplicate of JDK-8242151.
10-06-2020

It's very likely that the fix for JDK-8242151 would also address this. The earlier AlgorithmId class impl uses separate tables for storing the info needed for name and oid object lookup and issues like this occur if the two tables are NOT in sync.
01-05-2020

1.2.840.113549.2.11 is the oid for HmacSHA512. Should fix to pick it up during the PKCS12 Keystore loading process and use the friendly algorithm name instead of the oid value for getAlgorithm() calls.
29-04-2020

The observations on Windows 10:
JDK 8: Fail
JDK 11: Fail
JDK 14: Fail
JDK 15: Fail

ILW=MML=P4
24-04-2020

Java Security Standard Algorithm Names can be found at https://docs.oracle.com/en/java/javase/14/docs/specs/security/standard-names.html
24-04-2020