PROBLEM WITH LOADING CACERTS VIA JDK11


PROBLEM WITH LOADING CACERTS VIA JDK11

Syed Mudassir Ahmed
Hi,
  I am trying to load the "cacerts" file that is bundled with JDK11 by default.  And my IDE is set to use JDK11 for execution.

  However, without the BouncyCastle provider, the default SUN provider is able to load the "cacerts" successfully, but when I add BouncyCastle then my program fails.

  The SUN provider works because it uses "PKCS12" as primary format, and uses "JKS" as secondary format.  See the code here. https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L140

   "cacerts" is ideally "JKS" type and not "PKCS12".  I suggest bouncycastle should also follow the same approach as SUN provider.

    How does it sound?

Thanks,
Syed Mudassir Ahmed
Technical Architect
o:  +91 40 64535352
m: +91 9177674397

Re: PROBLEM WITH LOADING CACERTS VIA JDK11

Florian Schmaus


On 3/15/21 11:03 AM, Syed Mudassir Ahmed wrote:

> Hi,
>    I am trying to load the "cacerts" file that is bundled with JDK11 by
> default.  And my IDE is set to use JDK11 for execution.
>
>    However, without BouncyCastle provider, the default SUN provider is
> able to load the "cacerts" successfully, but when I add
> BouncyCastle then my program fails.
>
>    The SUN provider works because it uses "PKCS12" as primary format,
> and uses "JKS" as secondary format.  See the code here.
> https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L140 
> <https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L140>
>
>    "cacerts" is ideally "JKS" type and not "PKCS12".  I suggest
> bouncycastle should also follow the same approach as SUN provider.
I also ran into this.

It appears that bouncy castle does not respect the
keystore.type.compat=true setting in $JAVA_HOME/conf/security/java.security.

The only appearance of keystore.type.compat true in bouncy castle's
source is

https://github.com/bcgit/bc-java/commit/0ecaaf0fd379b9d8e569410b7bd56008ec08a5d9#diff-5a575b452dde0e648c04cf4e8dd8ae64d87a1d8960e896f0c09965cc5b2f924dR36

which seems to be unrelated.

- Florian



Re: PROBLEM WITH LOADING CACERTS VIA JDK11

Florian Schmaus
On 3/15/21 12:42 PM, Florian Schmaus wrote:

> On 3/15/21 11:03 AM, Syed Mudassir Ahmed wrote:
>> Hi,
>>    I am trying to load the "cacerts" file that is bundled with JDK11
>> by default.  And my IDE is set to use JDK11 for execution.
>>
>>    However, without BouncyCastle provider, the default SUN provider is
>> able to load the "cacerts" successfully, but when I add
>> BouncyCastle then my program fails.
>>
>>    The SUN provider works because it uses "PKCS12" as primary format,
>> and uses "JKS" as secondary format.  See the code here.
>> https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L140 
>> <https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L140>
>>
>>
>>    "cacerts" is ideally "JKS" type and not "PKCS12".  I suggest
>> bouncycastle should also follow the same approach as SUN provider.
>
> I also ran into this.
>
> It appears that bouncy castle does not respect the
> keystore.type.compat=true setting in
> $JAVA_HOME/conf/security/java.security.
>
> The only appearance of keystore.type.compat true in bouncy castle's
> source is
>
> https://github.com/bcgit/bc-java/commit/0ecaaf0fd379b9d8e569410b7bd56008ec08a5d9#diff-5a575b452dde0e648c04cf4e8dd8ae64d87a1d8960e896f0c09965cc5b2f924dR36 
>
>
> which seems to be unrelated.
Or maybe it is related, but it does seem to simply set the keystore type
to JKS.

I would have expected that the set keystore.type is tried first, and, if
this fails, that an attempt is made to open the keystore file as JKS. I do
not see the code performing this fallback.

- Florian


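The fallback Florian describes, written out as an added example (this is not code from the thread, the JDK or Bouncy Castle): ask for the configured default keystore type first and retry as JKS when that provider rejects the file. It also sniffs the magic bytes before any provider touches the file, so you can see for yourself that cacerts is JKS. Assumptions: cacerts at $JAVA_HOME/lib/security/cacerts, the JDK's documented default cacerts password "changeit", and bcprov on the classpath only if you want to reproduce the original poster's failure (the provider is loaded reflectively, so the file compiles and runs without it).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

/**
 * Loads the JDK's bundled cacerts the way the thread says the SUN provider does:
 * try the configured default keystore type first, then fall back to JKS.
 * Added example; not code from the thread or from Bouncy Castle.
 */
public class CacertsLoader {

    /**
     * Cheap format check before any trial parse. A JKS file starts with the magic
     * 0xFEEDFEED, a JCEKS file with 0xCECECECE, and a PKCS#12 file is DER, so it
     * starts with a SEQUENCE tag (0x30).
     */
    static String sniffType(Path file) throws IOException {
        byte[] head = new byte[4];
        try (InputStream in = Files.newInputStream(file)) {
            if (in.readNBytes(head, 0, 4) < 4) {
                return "UNKNOWN";
            }
        }
        int magic = ((head[0] & 0xFF) << 24) | ((head[1] & 0xFF) << 16)
                  | ((head[2] & 0xFF) << 8) | (head[3] & 0xFF);
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if ((head[0] & 0xFF) == 0x30) return "PKCS12";
        return "UNKNOWN";
    }

    static KeyStore load(Path file, char[] password, String type)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * The fallback Florian expected: open with keystore.type (the configured default)
     * first; if that provider rejects the file, retry as JKS, which the SUN provider
     * always supplies regardless of provider order.
     */
    static KeyStore loadWithFallback(Path file, char[] password)
            throws GeneralSecurityException, IOException {
        String primary = KeyStore.getDefaultType();
        try {
            return load(file, password, primary);
        } catch (IOException | GeneralSecurityException primaryFailure) {
            if ("JKS".equalsIgnoreCase(primary)) {
                throw primaryFailure;
            }
            try {
                return load(file, password, "JKS");
            } catch (IOException | GeneralSecurityException jksFailure) {
                jksFailure.addSuppressed(primaryFailure); // keep both causes for diagnosis
                throw jksFailure;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = "changeit".toCharArray(); // the JDK's documented default cacerts password

        // Register Bouncy Castle at position 1 if bcprov is on the classpath, which
        // reproduces the original poster's setup; loaded reflectively so this file
        // also compiles and runs without it.
        try {
            Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            Security.insertProviderAt(bc, 1);
            System.out.println("registered " + bc.getName() + " at position 1");
        } catch (ReflectiveOperationException e) {
            System.out.println("Bouncy Castle not on classpath; JDK providers only");
        }

        System.out.println("keystore.type (default): " + KeyStore.getDefaultType());
        System.out.println("magic-byte sniff:        " + sniffType(cacerts));

        KeyStore ks = loadWithFallback(cacerts, password);
        System.out.println("loaded as " + ks.getType() + " from provider "
                + ks.getProvider().getName() + ", " + ks.size() + " entries");
    }
}
```

Run it once with only the JDK on the classpath and once with bcprov added. Without BC the retry never fires, because the SUN "pkcs12" implementation already handles a JKS file itself; with BC at position 1 the first attempt goes to BC's PKCS12 implementation and it is the explicit retry as "JKS" that makes the load succeed. If you do not want to depend on any provider's fallback behaviour, the sniff result tells you which type to pass to KeyStore.getInstance directly.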

Re: PROBLEM WITH LOADING CACERTS VIA JDK11

Syed Mudassir Ahmed
Sample code to replicate this issue: https://github.com/Syed-SnapLogic/SyedsPublicRepo/tree/master/bctestcacerts

Thanks,
Syed Mudassir Ahmed


On Mon, Mar 15, 2021 at 5:26 PM Florian Schmaus <[hidden email]> wrote:


Re: PROBLEM WITH LOADING CACERTS VIA JDK11

Syed Mudassir Ahmed
Any plans to fix this in the next version of bouncy castle?
Thanks,
Syed Mudassir Ahmed


On Mon, Mar 15, 2021 at 5:47 PM Syed Mudassir Ahmed <[hidden email]> wrote:


Re: PROBLEM WITH LOADING CACERTS VIA JDK11

David Hook-3

I think this is something we could at least do for the cacerts file. It means implementing the JKS format, which is documented, but I don't think I'd want to go further with it than absolutely necessary. We have enough issues around KeyStore formats as it is.

Would you add this as an issue on github? Will see what we can do.

Regards.

David
On 16/3/21 7:17 pm, Syed Mudassir Ahmed wrote:

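David notes that the JKS format is documented. As an added example (not code from the thread, the JDK or Bouncy Castle), here is a minimal reader for that container: it pulls the trusted certificates out of cacerts, skips private-key entries, and verifies the keyed SHA-1 digest that closes the file, which is the check any JKS implementation has to perform. It assumes the layout the JDK's JavaKeyStore writes (spelled out in the comment block), the documented default cacerts password "changeit", and, when no path is given on the command line, $JAVA_HOME/lib/security/cacerts.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Minimal reader for the JKS container, the format of the JDK 11 cacerts file.
 * Added example; not code from the thread, the JDK or Bouncy Castle.
 * Layout (all integers big-endian):
 *   magic 0xFEEDFEED | version (1 or 2) | entry count
 *   entry: tag (1 = private key, 2 = trusted cert) | alias (UTF) | created (long, ms)
 *     tag 2: [cert type (UTF), version 2 only] | length | DER certificate
 *     tag 1: length | protected key | chain length | chain certs as for tag 2
 *   trailer: SHA-1( password as UTF-16BE || "Mighty Aphrodite" || all bytes above )
 */
public class JksReader {

    static final int JKS_MAGIC = 0xFEEDFEED;
    static final int DIGEST_LEN = 20;

    static List<X509Certificate> readTrustedCerts(byte[] store, char[] password)
            throws IOException, GeneralSecurityException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(store));
        if (in.readInt() != JKS_MAGIC) throw new IOException("not a JKS file: bad magic");
        int version = in.readInt();
        if (version != 1 && version != 2) throw new IOException("unsupported JKS version " + version);
        int count = in.readInt();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            int tag = in.readInt();
            String alias = in.readUTF();
            in.readLong();                         // creation time, not needed here
            if (tag == 2) {
                certs.add(readCert(in, version, cf));
            } else if (tag == 1) {
                byte[] protectedKey = new byte[in.readInt()];
                in.readFully(protectedKey);        // skip the password-protected key blob
                int chainLen = in.readInt();
                for (int j = 0; j < chainLen; j++) readCert(in, version, cf);
            } else {
                throw new IOException("unknown entry tag " + tag + " for alias " + alias);
            }
        }

        // Only the digest may remain; everything before it is covered by it.
        if (in.available() != DIGEST_LEN) {
            throw new IOException("unexpected trailing data: " + in.available() + " bytes");
        }
        byte[] expected = new byte[DIGEST_LEN];
        in.readFully(expected);
        byte[] actual = integrityDigest(store, store.length - DIGEST_LEN, password);
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new IOException("JKS integrity check failed: wrong password or tampered store");
        }
        return certs;
    }

    private static X509Certificate readCert(DataInputStream in, int version, CertificateFactory cf)
            throws IOException, CertificateException {
        if (version == 2) {
            String type = in.readUTF();
            if (!"X.509".equals(type)) throw new IOException("unexpected certificate type " + type);
        }
        byte[] der = new byte[in.readInt()];
        in.readFully(der);
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** The JDK's pre-keyed hash: password chars as big-endian UTF-16, a fixed salt, then the body. */
    static byte[] integrityDigest(byte[] store, int bodyLen, char[] password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] pw = new byte[password.length * 2];
        for (int i = 0; i < password.length; i++) {
            pw[2 * i] = (byte) (password[i] >> 8);
            pw[2 * i + 1] = (byte) password[i];
        }
        md.update(pw);
        md.update("Mighty Aphrodite".getBytes(StandardCharsets.UTF_8));
        md.update(store, 0, bodyLen);
        return md.digest();
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        List<X509Certificate> certs = readTrustedCerts(Files.readAllBytes(cacerts), "changeit".toCharArray());
        System.out.println(certs.size() + " trusted certificates, integrity digest verified");
        for (X509Certificate c : certs) System.out.println("  " + c.getSubjectX500Principal().getName());
    }
}
```

Two things worth keeping in mind when reading trust anchors this way. The trailing digest is keyed only with the store password, and for cacerts that password is public, so the check catches truncation or corruption but gives no protection against anyone who can write the file; file permissions and image integrity are the real controls. And the reader deliberately does not decrypt private-key entries: their "protected key" blob uses the JDK's own key-protection scheme, which a trust-store reader has no reason to touch.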

Re: PROBLEM WITH LOADING CACERTS VIA JDK11

Syed Mudassir Ahmed
Thanks David.  Issue created: https://github.com/bcgit/bc-java/issues/912

Thanks,
Syed Mudassir Ahmed


On Sat, Mar 20, 2021 at 7:08 AM David Hook <[hidden email]> wrote:
