Keychain issue as of version 1.53 (follow up)


Keychain issue as of version 1.53 (follow up)

Yves Langisch
I’d like to follow up my thread [1] regarding an issue reading private keys from the Keychain.

Just tried to bump my BouncyCastle from 1.52 to 1.60 and I’m still hitting the following issue:


Security.insertProviderAt(new BouncyCastleProvider(), 1);
...
store = KeyStore.getInstance("KeychainStore", "Apple");
store.load(null, null);
store.getKey("myClient", null); // password is not relevant to access Keychain


As of version 1.53 (1.52 works fine) I get the following exception:

Caused by: javax.crypto.BadPaddingException: pad block corrupted
        at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
        at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at apple.security.KeychainStore.engineGetKey(KeychainStore.java:215)
        ... 26 more

Test key attached (pwd test).

[1] http://bouncy-castle.1462172.n4.nabble.com/Since-1-5-3-gt-org-bouncycastle-crypto-InvalidCipherTextException-pad-block-corrupted-td4658153.html

Thanks
Yves

Attachment: myClient.p12 (3K)

Re: Keychain issue as of version 1.53 (follow up)

David Hook-3

It's going to be the way the getEncoded() method on the key is being used.

I'm not sure how up to date:

https://github.com/frohoff/jdk8u-jdk/blob/master/src/macosx/classes/apple/security/KeychainStore.java

is, but looking at it, it appears the Apple API is returning a secret key
generated by a SecretKeyFactory called "PBE". BC doesn't actually
support this; if you can find out what
SecretKeyFactory.getInstance("PBE") is returning and what getEncoded()
on the key returns, there is probably a way of getting this to work.

PBE has been revised in BC since 1.52, but from the point of view of
correctness.

Regards,

David

On 26/11/18 7:26 pm, Yves Langisch wrote:

> I’d like to follow up my thread [1] regarding an issue reading private keys from the Keychain.
>
> Just tried to bump my BouncyCastle from 1.52 to 1.60 and I’m still hitting the following issue:
>
> …
> Security.insertProviderAt(new BouncyCastleProvider(), 1);
> ...
> store = KeyStore.getInstance("KeychainStore", "Apple");
> store.load(null, null);
> store.getKey("myClient", null); // password is not relevant to access Keychain
> …
>
> As of version 1.53 (1.52 works fine) I get the following exception:
>
> Caused by: javax.crypto.BadPaddingException: pad block corrupted
> at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
> at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
> at javax.crypto.Cipher.doFinal(Cipher.java:2165)
> at apple.security.KeychainStore.engineGetKey(KeychainStore.java:215)
> ... 26 more
>
> Test key attached (pwd test).
>
> [1] http://bouncy-castle.1462172.n4.nabble.com/Since-1-5-3-gt-org-bouncycastle-crypto-InvalidCipherTextException-pad-block-corrupted-td4658153.html
>
> Thanks
> Yves





Re: Keychain issue as of version 1.53 (follow up)

Yves Langisch
Hi David,

Thanks - yes, the additional line fixes the issue!

Are you going to add this (missing?) secret factory in the next BC release?
-
Yves

> On 29 Nov 2018, at 02:08, David Hook <[hidden email]> wrote:
>
>
> Hi Yves,
>
>
> Believe it or not but I just got a report of another PBE issue, and I'm pretty sure it's causing what you see below.
>
> Would you add the following line after you add the Bouncy Castle Provider?
> Security.getProvider("BC").put("Alg.Alias.SecretKeyFactory.PBE", "PBEWITHSHAAND3-KEYTRIPLEDES-CBC");
>
> and let me know how you go. I think that might actually fix it.
>
> Thanks,
>
> David
>
> On 26/11/18 7:26 pm, Yves Langisch wrote:
>> I’d like to follow up my thread [1] regarding an issue reading private keys from the Keychain.
>>
>> Just tried to bump my BouncyCastle from 1.52 to 1.60 and I’m still hitting the following issue:
>>
>> …
>> Security.insertProviderAt(new BouncyCastleProvider(), 1);
>> ...
>> store = KeyStore.getInstance("KeychainStore", "Apple");
>> store.load(null, null);
>> store.getKey("myClient", null); // password is not relevant to access Keychain
>> …
>>
>> As of version 1.53 (1.52 works fine) I get the following exception:
>>
>> Caused by: javax.crypto.BadPaddingException: pad block corrupted
>> at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
>> at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
>> at javax.crypto.Cipher.doFinal(Cipher.java:2165)
>> at apple.security.KeychainStore.engineGetKey(KeychainStore.java:215)
>> ... 26 more
>>
>> Test key attached (pwd test).
>>
>> [1] http://bouncy-castle.1462172.n4.nabble.com/Since-1-5-3-gt-org-bouncycastle-crypto-InvalidCipherTextException-pad-block-corrupted-td4658153.html
>>
>>
>> Thanks
>> Yves
>>
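The workaround David suggests above is a single Provider property, but it is easy to apply in the wrong place or to leave in long after a BC release no longer needs it. The following is an added, self-contained Java program (not code from the thread, from Bouncy Castle, or from the JDK) that puts the pieces of the thread together: it registers BC at position 1 as Yves does, adds the "Alg.Alias.SecretKeyFactory.PBE" alias only when BC does not already resolve a "PBE" SecretKeyFactory, reports which provider now answers SecretKeyFactory.getInstance("PBE") so the effect can be verified, and then reads a key from the Apple KeychainStore. Assumptions: it runs on macOS with a JDK that ships the "Apple" provider, the Keychain holds an entry whose alias is "myClient" (the alias used in the thread; any other alias can be passed as the first argument), and the class name KeychainReadWithBc is mine.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example (not from the thread, BC, or the JDK): applies the
 * SecretKeyFactory alias workaround from the thread and reads a key
 * from the macOS Keychain through the "Apple" provider's KeychainStore.
 */
public class KeychainReadWithBc {

    // Property and target exactly as suggested in the thread.
    static final String PBE_ALIAS_KEY = "Alg.Alias.SecretKeyFactory.PBE";
    static final String PBE_ALIAS_TARGET = "PBEWITHSHAAND3-KEYTRIPLEDES-CBC";

    /** Registers BC first (as in the thread) and adds the alias only if it is still needed. */
    static boolean registerBouncyCastle() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.insertProviderAt(new BouncyCastleProvider(), 1);
        }
        Provider bc = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        // Provider.getService resolves aliases, so this is null only when BC
        // has no "PBE" SecretKeyFactory of its own (the case the thread describes).
        if (bc.getService("SecretKeyFactory", "PBE") != null) {
            return false; // nothing to do; a newer BC already maps "PBE"
        }
        bc.put(PBE_ALIAS_KEY, PBE_ALIAS_TARGET);
        return true;
    }

    /** Name of the provider that now answers SecretKeyFactory.getInstance("PBE"). */
    static String pbeFactoryProvider() throws Exception {
        return SecretKeyFactory.getInstance("PBE").getProvider().getName();
    }

    /** Reads one entry from the login keychain via the Apple provider. */
    static Key readKeychainKey(String alias) throws Exception {
        KeyStore store = KeyStore.getInstance("KeychainStore", "Apple");
        store.load(null, null); // the Keychain is not a file and takes no store password
        if (!store.containsAlias(alias)) {
            throw new IllegalStateException("no Keychain entry with alias '" + alias + "'");
        }
        // As the thread notes, the key password is irrelevant here: access is
        // governed by the Keychain ACL, which may prompt the user.
        return store.getKey(alias, null);
    }

    public static void main(String[] args) throws Exception {
        boolean aliasAdded = registerBouncyCastle();
        System.out.println("PBE alias added to BC: " + aliasAdded);
        System.out.println("SecretKeyFactory \"PBE\" served by: " + pbeFactoryProvider());

        String alias = args.length > 0 ? args[0] : "myClient"; // alias from the thread
        Key key = readKeychainKey(alias);
        System.out.println("Read " + key.getAlgorithm() + " key, encoding format " + key.getFormat());
    }
}
```

The provider check is the part worth keeping in production code: with BC inserted at position 1, any Cipher the Apple KeychainStore requests is served by BC, and the stack trace in the thread shows BC's BaseBlockCipher rejecting the padding. That is the symptom of a key derived by one provider's "PBE" factory being fed to another provider's cipher, not of a damaged Keychain entry. Pointing "PBE" at BC's own 3-key Triple-DES PBE factory makes derivation and cipher agree, and printing which provider answers SecretKeyFactory.getInstance("PBE") confirms that the alias actually took effect in the running JVM. Guarding the put() with getService() means the program keeps working unchanged if a later BC release ships the mapping itself.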