On 13/05/2022 10:15, Mark Thomas wrote:
To add my results:

Linux
  - Oracle 1.8.0
    - 321 passes
    - 331 passes
    - 333 passes
  - Temurin 1.8.0
    - 312 fails
    - 332 fails
  - Temurin 11
    - 11.0.15 passes

Adding these to Rainer's results, it looks like this feature depends on something in Java 8 that is Oracle specific and not part of the open source distributions until Java 11 (or maybe 9).

I'll see if I can figure out exactly what is going wrong and if there is a way to get this working with the open source Java 8 releases.

This looks like a bug to me.

With Temurin JDK 8 302_b08 the test fails at line 204 with:

java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:285)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:320)
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:151)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:133)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:413)
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:204)


With Temurin JDK 8 302_b08 the test fails at line 212 with:
java.security.spec.InvalidKeySpecException: Cannot retrieve the PKCS8EncodedKeySpec
at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258)
at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212)


The issue is that the wrong algorithm is identified. It should be PBEWithHmacSHA256AndAES_256 but the Temurin JDK selects PBEWithHmacSHA1AndAES_256.

I think things are going wrong back at line 204. I'm still digging for the root cause.

Mark
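
One way to check, independently of any JDK, which PBES2 scheme an encrypted PKCS#8 key actually declares (an added example, not part of the original message or of Tomcat's code). The function names and the sample DER, built with dummy salt, IV and ciphertext, are constructed for illustration; an absent prf field is reported as HmacSHA1, the RFC 8018 default.

```python
H = bytes.fromhex
OIDS = {  # DER-encoded OID contents -> JCA name fragment
    H("2a864886f70d01050d"): "PBES2",       # 1.2.840.113549.1.5.13
    H("2a864886f70d0207"): "HmacSHA1",      # 1.2.840.113549.2.7
    H("2a864886f70d0209"): "HmacSHA256",    # 1.2.840.113549.2.9
    H("60864801650304012a"): "AES_256",     # 2.16.840.1.101.3.4.1.42 (aes256-CBC)
}

def children(buf):  # split DER bytes into their top-level (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def alg_id(body):  # AlgorithmIdentifier body -> (name, parameter elements)
    (tag, oid), *params = children(body)
    if tag != 0x06:  # an AlgorithmIdentifier must start with an OBJECT IDENTIFIER
        raise ValueError(f"expected OID, got tag {tag}")
    return OIDS.get(oid, oid.hex()), params

def pbes2_name(der):  # DER EncryptedPrivateKeyInfo -> JCA-style algorithm name
    top = children(der)[0][1]
    scheme, params = alg_id(children(top)[0][1])
    if scheme != "PBES2":
        raise ValueError(f"not PBES2: {scheme}")
    kdf, enc = children(params[0][1])        # PBES2-params: KDF, then cipher
    kdf_params = alg_id(kdf[1])[1][0][1]     # salt, count, [keyLength], [prf]
    prf = "HmacSHA1"                         # RFC 8018 default when prf is absent
    for tag, val in children(kdf_params):
        if tag == 0x30:                      # prf is a SEQUENCE (0x30 = 48)
            prf = alg_id(val)[0]
    return f"PBEWith{prf}And{alg_id(enc[1])[0]}"

def tlv(tag, *parts):  # builder for the constructed sample; short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(prf_hex=None):  # constructed input with dummy values; not a real key
    prf = [tlv(0x30, tlv(0x06, H(prf_hex)), tlv(0x05))] if prf_hex else []
    kdf = tlv(0x30, tlv(0x06, H("2a864886f70d01050c")),  # id-PBKDF2
              tlv(0x30, tlv(0x04, bytes(8)), tlv(0x02, b"\x08\x00"), *prf))
    enc = tlv(0x30, tlv(0x06, H("60864801650304012a")), tlv(0x04, bytes(16)))
    algid = tlv(0x30, tlv(0x06, H("2a864886f70d01050d")), tlv(0x30, kdf, enc))
    return tlv(0x30, algid, tlv(0x04, bytes(16)))
```

For a PEM file, base64-decode the body between the ENCRYPTED PRIVATE KEY markers and pass the resulting bytes to pbes2_name.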
