Bug in apple.security.KeychainStore provider

2014-06-13 Thread David Kocher
(I haven’t found a way to register on bugs.openjdk.java.net and file a bug, 
therefore posting it here).


There is a bug in the native KeystoreImpl that it only searches for identities 
that have a key usage of “Any” using CSSM_KEYUSE_ANY instead of passing `0` to 
the SecIdentitySearchCreate keychain function. Refer to line 282 in [1]. This 
will exclude all identities that have a specific key usage set such as 
“Encrypt, Verify, Wrap, Derive”.


[1] http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/macosx/native/apple/security/KeystoreImpl.m

I have also found issues with instances of KeyEntry that have an empty array 
for the “chain” property causing index out of bounds exceptions. See attached 
patch.



-
David
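
A diagnostic for the two symptoms reported above, added here as an example (it is not code from the thread, the attached patch, or the JDK). It lists the key entries the KeychainStore provider returns, so they can be compared with the identities the keychain itself shows (for example with `security find-identity`), and it flags key entries whose chain is empty. The class and method names are hypothetical; it assumes a JDK on OS X with the Apple provider installed.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added diagnostic (hypothetical class name), not part of the JDK.
public class KeychainIdentityAudit {

    // One report line per alias: what the provider exposes for that entry.
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                report.add("cert  " + alias);
                continue;
            }
            try {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    // The case described in the report: a key entry with no chain.
                    report.add("key   " + alias + "  EMPTY CHAIN");
                    continue;
                }
                String subject = (chain[0] instanceof X509Certificate)
                        ? ((X509Certificate) chain[0]).getSubjectX500Principal().getName()
                        : chain[0].getType();
                report.add("key   " + alias + "  chain=" + chain.length + "  " + subject);
            } catch (ArrayIndexOutOfBoundsException e) {
                // Assumption: the exception from the report surfaces through this call.
                report.add("key   " + alias + "  provider threw " + e);
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // "KeychainStore" is the keystore type served by the "Apple" provider.
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null); // the keychain needs no stream or password here
        for (String line : audit(ks)) {
            System.out.println(line);
        }
    }
}
```

An identity that the keychain lists but that has no "key" line here is one the provider did not return.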

Re: Bug in apple.security.KeychainStore provider

2014-06-13 Thread Wang Weijun
Hi David

I don't understand what it is but I've created a bug for you:

  https://bugs.openjdk.java.net/browse/JDK-8046777

BTW, I see no patch. I'm also not sure if this "also found issues" is related 
to the main bug.

Thanks
Max

On Jun 13, 2014, at 16:31, David Kocher dkoc...@sudo.ch wrote:

> (I haven’t found a way to register on bugs.openjdk.java.net and file a bug, 
> therefore posting it here).
> 
> There is a bug in the native KeystoreImpl that it only searches for 
> identities that have a key usage of “Any” using CSSM_KEYUSE_ANY instead of 
> passing `0` to the SecIdentitySearchCreate keychain function. Refer to line 
> 282 in [1]. This will exclude all identities that have a specific key usage 
> set such as “Encrypt, Verify, Wrap, Derive”.
> 
> [1] http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/macosx/native/apple/security/KeystoreImpl.m
> 
> I have also found issues with instances of KeyEntry that have an empty array 
> for the “chain” property causing index out of bounds exceptions. See attached 
> patch.
> 
> -
> David