JDK-8245679 : KeyStore cannot probe PKCS12 keystore if BouncyCastle is the top security provider
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2020-05-24
  • Updated: 2020-07-15
  • Resolved: 2020-06-13
Fix Versions
  • JDK 15: Fixed (build 15 b28)
  • JDK 16: Fixed
Description
Internally, KeyStore.getInstance(File, password) is supported by

     1  private static final KeyStore getInstance(File file, ...) throws ... {
     2      try (open file as dataStream) {
     3          for (String type : Security.getAlgorithms("KeyStore")) {
     4              Object[] objs = null;
     5              try {
     6                  objs = Security.getImpl(type, "KeyStore", (String)null);
     7                  KeyStoreSpi impl = (KeyStoreSpi)objs[0];
     8                  if (impl.engineProbe(dataStream)) {
     9                      keystore = new KeyStore(impl, (Provider)objs[1], type);
    10                      break;
    11                  }
    12              }
    13          }
    14          if (keystore != null) {
    15              load it and return;
    16          }
    17      }
    18      die;
    19  }

Unfortunately, on line 3 only the storetype names are returned, not <Provider, storetype> pairs. This means that when type == "pkcs12", the call on line 6 returns the PKCS12 keystore implementation of the most preferred provider, which is BC's, and that implementation does not support probing. The loop continues through the other storetypes, none of which match the file, and finally reaches the die point. What a pity!

Maybe we should iterate through all <Provider,storetype> pairs on line 3.
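As an added illustration (this is not the JDK's own code and not the fix committed for this issue), the program below makes the failure mode visible from the application side and shows the shape of the proposed <Provider, storetype> iteration. keyStorePairs() lists every provider/type pair in provider-preference order, providerFor() shows which provider a plain KeyStore.getInstance(type) resolves to (the same most-preferred-provider choice the Security.getImpl call on line 6 makes), and loadByPairs() is a user-level workaround for JDKs without the fix: it walks all pairs and tries to load the file with each. The class and method names are hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class KeyStoreProbeWorkaround {

    /** All "provider/type" KeyStore pairs, most preferred provider first. */
    static List<String> keyStorePairs() {
        List<String> pairs = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    pairs.add(p.getName() + "/" + s.getAlgorithm());
                }
            }
        }
        return pairs;
    }

    /** Provider that a type-only lookup resolves to: the first one registering the type. */
    static String providerFor(String type) throws Exception {
        return KeyStore.getInstance(type).getProvider().getName();
    }

    /**
     * Workaround for JDKs without the fix: iterate <Provider, storetype> pairs instead of
     * storetype names alone. Caveat: unlike engineProbe, load() fully parses the file and
     * needs the password, so a correct type with a wrong password also fails and moves on.
     */
    static KeyStore loadByPairs(File file, char[] password) throws IOException {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (!"KeyStore".equals(s.getType())) {
                    continue;
                }
                try (InputStream in = new FileInputStream(file)) {
                    KeyStore ks = KeyStore.getInstance(s.getAlgorithm(), p);
                    ks.load(in, password);
                    return ks;                       // first pair that can read the file wins
                } catch (Exception e) {
                    // this provider/type pair cannot read the file; try the next pair
                }
            }
        }
        throw new IOException("no registered KeyStore implementation could load " + file);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KeyStore provider/type pairs in preference order:");
        for (String pair : keyStorePairs()) {
            System.out.println("  " + pair);
        }
        // With BouncyCastle inserted at position 1 this prints "BC"; with the default
        // provider order it prints "SUN".
        System.out.println("PKCS12 resolves to provider: " + providerFor("PKCS12"));
        if (args.length == 2) {
            KeyStore ks = loadByPairs(new File(args[0]), args[1].toCharArray());
            System.out.println("Loaded as " + ks.getType() + " from " + ks.getProvider().getName());
        }
    }
}
```

Run it once with the default provider order and once after Security.insertProviderAt(new BouncyCastleProvider(), 1) to see providerFor("PKCS12") flip to BC while loadByPairs() still opens the same PKCS12 file; the latter succeeds because it tries SUN/PKCS12 after BC/PKCS12 rather than stopping at the first provider for the type name.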
Comments
Changeset: 2536cbf2 Author: Weijun Wang <weijun@openjdk.org> Date: 2020-06-13 17:49:15 +0000 URL: https://git.openjdk.java.net/lanai/commit/2536cbf2
02-07-2020

Changeset: 2536cbf2 Author: Weijun Wang <weijun@openjdk.org> Date: 2020-06-13 17:49:15 +0000 URL: https://git.openjdk.java.net/panama-foreign/commit/2536cbf2
02-07-2020

Changeset: 2536cbf2 Author: Weijun Wang <weijun@openjdk.org> Date: 2020-06-13 17:49:15 +0000 URL: https://git.openjdk.java.net/amber/commit/2536cbf2
02-07-2020

URL: https://hg.openjdk.java.net/jdk/jdk15/rev/c4841b997e1a User: weijun Date: 2020-06-13 09:49:44 +0000
13-06-2020

According to KeyStore.getInstance(File file, char[] password), all providers should be searched: "This method traverses the list of registered security providers, starting with the most preferred Provider. For each KeyStoreSpi implementation supported by a Provider, it invokes the engineProbe method to determine if it supports the specified keystore. A new KeyStore object is returned that encapsulates the KeyStoreSpi implementation from the first Provider that supports the specified file." So I agree that we should be iterating through all <Provider,storetype> pairs.
26-05-2020