JDK-8266279 : 8u292 NoSuchAlgorithmException unrecognized algorithm name: PBEWithSHA1AndDESede
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: openjdk8u292
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2021-04-29
  • Updated: 2021-06-02
  • Resolved: 2021-05-18
Description
ADDITIONAL SYSTEM INFORMATION :
Windows Server 2019 Standard

openjdk version "1.8.0_292"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.292-b10, mixed mode)

A DESCRIPTION OF THE PROBLEM :
NoSuchAlgorithmException exception is thrown when invoking java.security.KeyStore.setKeyEntry(String alias, Key key, char[] password, Certificate[] chain) method.

The root cause is at: sun.security.x509.AlgorithmId.get(AlgorithmId.java:448), and it does not appear to be related to the input arguments passed to the setKeyEntry method. 

It's possible that other factors, like order of other classes being loaded, are impacting the correct initialization/loading of oidTable in AlgorithmId, and result in incomplete populating of algorithms in oidTable.

In addition to setKeyEntry, the issue can also be reproduced by invoking: new EncryptedPrivateKeyInfo("PBEWithSHA1AndDESede", new byte[] {0}). Moreover, the issue can also be reproduced by directly invoking sun.security.x509.AlgorithmId.get("PBEWithSHA1AndDESede") under certain conditions (see sample code).

Not reproducible using:  8u282-b08,  11.0.11+9.


REGRESSION : Last worked in version 8

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
There are two different, minimal ways to reproduce this issue: 

Example 1: Using bouncycastle (Eclipse IDE not required): 
---------------------------------------------------------------
Compile and run the program on command line with bouncy castle (https://bouncycastle.org/download/bcprov-jdk15on-168.jar) JAR in classpath. 

javac -cp bcprov-jdk15on-168.jar TestAlgorithm.java
java -cp bcprov-jdk15on-168.jar;. TestAlgorithm


Example 2: Using Eclipse IDE Debug: 
----------------------------------------
- Create Java file in Eclipse. Do not add any breakpoint.
- Compile. 
- Right click and Debug as Java Application.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Example 1: using bouncycastle: 
No exception.

Example 2: using Eclipse IDE Debug: 
No exception.
ACTUAL -
Example 1: using bouncycastle: 
----------------------------------
Exception in thread "main" java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
        at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:137)
        at TestAlgorithm.main(TestAlgorithm.java:8)

Example 2: using Eclipse IDE Debug: 
---------------------------------------
Exception in thread "main" java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
	at sun.security.x509.AlgorithmId.get(AlgorithmId.java:448)
	at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:137)
	at TestAlgorithmEclipseDebug.main(TestAlgorithmEclipseDebug.java:6)

---------- BEGIN SOURCE ----------
Example 1: using bouncycastle: 

TestAlgorithm.java
---------------------

import javax.crypto.EncryptedPrivateKeyInfo;

import org.bouncycastle.asn1.x500.X500Name;

public class TestAlgorithm {
    public static void main(String[] args) throws Exception {
        new X500Name("CN=Test");
        new EncryptedPrivateKeyInfo("PBEWithSHA1AndDESede", new byte[] { 0 });
        // Or use sun package directly.
        // sun.security.x509.AlgorithmId.get("PBEWithSHA1AndDESede");
    }
}

---------------------------------------------

Example 2: using Eclipse IDE Debug: 

TestAlgorithmEclipseDebug.java
-----------------------------------

import javax.crypto.EncryptedPrivateKeyInfo;

public class TestAlgorithmEclipseDebug {

    public static void main(String[] args) throws Exception {
        new EncryptedPrivateKeyInfo("PBEWithSHA1AndDESede", new byte[] { 0 });
        // Or use sun package directly.
        // sun.security.x509.AlgorithmId.get("PBEWithSHA1AndDESede");
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
A static block like the following to load the oidTable first could be tried in simple cases like Example 1. But this does not work for Example 2. 

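// Touch AlgorithmId early so the algorithm name is looked up before other classes load.
static {
    try {
        sun.security.x509.AlgorithmId.get("PBEWithSHA1AndDESede");
    } catch (java.security.NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
}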

FREQUENCY : always



Comments
This issue will also be fixed by JDK-8266929; adding a link.
02-06-2021

I think the reason for this issue is the same as the one noted in https://bugs.openjdk.java.net/browse/JDK-8266290?focusedCommentId=14421360&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14421360
18-05-2021

Adding link to JDK-8242565
18-05-2021

Yes. The reason why Oracle JDK 8u301 passed seems to be because this is a duplicate of JDK-8242565 (as that patch adds the SunJCE provider to the list of providers usable for jar verification). That's enough to "fix" this particular bug. JDK-8242565 is in openjdk 8u302, the next July release. JDK-8242565 is also in 11.0.11, which is why this doesn't seem reproducible with that release.
18-05-2021

The observations on Windows 10: Oracle JDK 8u301ea+2: Passed. Open JDK 8u282: Passed. Open JDK 8u292: Failed, NoSuchAlgorithmException thrown.
29-04-2021
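
The following diagnostic is an added example, not code from the report or from the JDK project. It repeats the failing constructor call from the description and then lists which installed providers advertise an OID alias for the algorithm name, so an affected runtime can be recognised before it is used for keystore work. The class name PbeAlgorithmProbe and its method names are hypothetical, and the "Alg.Alias.<type>.OID.<oid>" property naming is an assumption about how providers register aliases.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import javax.crypto.EncryptedPrivateKeyInfo;

// Added diagnostic; class and method names are hypothetical, not from the report.
public class PbeAlgorithmProbe {
    static final String ALG = "PBEWithSHA1AndDESede";

    // Repeats the constructor call from the report; true when the name resolves.
    static boolean nameResolves() {
        try {
            new EncryptedPrivateKeyInfo(ALG, new byte[] { 0 });
            return true;
        } catch (NoSuchAlgorithmException e) {
            System.out.println("lookup failed: " + e.getMessage());
            return false;
        }
    }

    // Lists provider properties that alias an OID to ALG. Assumes the usual
    // "Alg.Alias.<type>.OID.<oid>" property naming used by JCA providers.
    static int printOidAliases() {
        int found = 0;
        for (Provider p : Security.getProviders()) {
            for (Map.Entry<Object, Object> e : p.entrySet()) {
                String key = String.valueOf(e.getKey());
                if (key.startsWith("Alg.Alias.") && key.contains(".OID.")
                        && ALG.equalsIgnoreCase(String.valueOf(e.getValue()))) {
                    System.out.println(p.getName() + " -> " + key);
                    found++;
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Probe before scanning providers so the scan cannot influence the probe.
        boolean ok = nameResolves();
        int aliases = printOidAliases();
        if (!ok && aliases > 0) {
            System.out.println("A provider advertises the OID alias, but the name lookup failed.");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same classpath and launch method (command line or IDE debug) as the failing application, since the report shows the outcome depends on both.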