Hi All

Please review this code change:

http://cr.openjdk.java.net/~weijun/6958026/webrev.00/

Two parts included:

1. Major one: match private key and cert using both keyId and friendlyName.

2. Minor one: add keyId and friendlyName to private keys created by setKeyEntry(alias, byte[], cert[]). In fact, this method is used by the test to generate a pkcs12 keystore as fast as possible so that the keys' creation times overlap (hence having the same keyId). On my Linux, using the other setKeyEntry(alias, key, pass, cert[]) method is slow. I didn't change the current keyId format to force it to be identical, since the "TIME xxx" format is used to derive the creation time.

Thanks
Max

Begin forwarded message:

> *Change Request ID*: 6958026
> *Synopsis*: Problem with PKCS12 keystore
>
> === *Description* ============================================================
> FULL PRODUCT VERSION :
> java version "1.6.0_18"
> Java (TM) SE Runtime Environment (build 1.6.0_18-b07)
>
> ADDITIONAL OS VERSION INFORMATION :
> Microsoft Windows [Verze 6.1.7600]
>
> A DESCRIPTION OF THE PROBLEM :
> I have this code :
> .....
> // obtain a PKCS12 keystore instance before loading the file
> KeyStore kspkcs12 = KeyStore.getInstance("PKCS12");
> kspkcs12.load(new FileInputStream(keystorePath), password.toCharArray());
> KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry)
>     kspkcs12.getEntry(alias, new KeyStore.PasswordProtection(password.toCharArray()));
> X509Certificate cert = (X509Certificate) kspkcs12.getCertificate(alias);
> ......
>
> I have a pfx file with two aliases, alias1 and alias2. Alias1 has a certificate
> chain with 2 SHA1 certificates. Alias2 has one SHA2 certificate.
> But when I load that pfx file with the code above, in the KeyStore there are 2
> records (one for each alias) but both records have the same certificate
> loaded. For all aliases the last certificate added to the pfx file is loaded.
> Is it a bug or a feature?
>
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> Create a pfx file. Insert the first certificate with an alias. Insert the second
> certificate with another alias.
> Try loading it using the KeyStore class.
> Check the first entry to see whether the right certificate is there.
>
>
> REPRODUCIBILITY :
> This bug can be reproduced always.
>
> SUPPORT :
> YES
>
> *** (#1 of 1): 2010-06-02 23:45:21 GMT+00:00 weijun.w...@sun.com
>
> === *Evaluation* =============================================================
> Customer provided a pkcs12 file and it contains:
>
> Private Key #1:
>   localKeyId: 01 00 00 00
>   friendlyName: p1
> Private Key #2:
>   localKeyId: 01 00 00 00
>   friendlyName: p2
> Cert #1:
>   localKeyId: 01 00 00 00
>   friendlyName: p1
> Cert #2:
>   localKeyId: 01 00 00 00
>   friendlyName: p2
> Cert #3:
>   # No recognized attribute
>
> Currently, JDK uses localKeyId to match a private key with its corresponding
> certificate (and only falls back to friendlyName when localKeyId is missing).
> Since all localKeyIds have the same value here, it gets confused and always
> returns the same one for both private keys.
>
> I'll enhance the PKCS12KeyStore class to match using both localKeyId and
> friendlyName. However, I do believe the original file is not quite legal.
> Normally we always regard an attribute called "*Id" to be identical in some
> scope (here, the file). It seems the customer uses a tool that simply glues 2
> blocks of info into one without reassigning the id values.
>
> The discussion below is interesting:
> http://www.mail-archive.com/openssl-us...@openssl.org/msg27030.html
>
> *** (#1 of 1): 2010-06-02 23:54:14 GMT+00:00 weijun.w...@sun.com
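The following is an added model of the two matching rules discussed in the evaluation (localKeyId only versus localKeyId plus friendlyName), run over the bag layout of the customer's file. It is constructed for illustration and is not the JDK's PKCS12KeyStore code; the Bag type, the scoring and the tie handling are assumptions.

```python
# Constructed model of how a PKCS12 reader pairs private keys with certificates.
# Not the JDK's PKCS12KeyStore code; it only mirrors the rules the thread describes.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Bag:
    """One SafeBag with the two attributes used for pairing (either may be absent)."""
    name: str
    local_key_id: Optional[bytes] = None
    friendly_name: Optional[str] = None

# Contents of the customer's file as listed in the evaluation: every recognized
# attribute carries localKeyId 01 00 00 00, and cert #3 has no attributes at all.
KEY_ID = bytes.fromhex("01000000")
PRIVATE_KEYS = [Bag("key#1", KEY_ID, "p1"), Bag("key#2", KEY_ID, "p2")]
CERTS = [Bag("cert#1", KEY_ID, "p1"), Bag("cert#2", KEY_ID, "p2"), Bag("cert#3")]

def match_old(keys, certs):
    """Previous rule: localKeyId decides; friendlyName is consulted only when the
    key has no localKeyId. With duplicate ids every key resolves to the same cert
    (here the last one scanned), which is the symptom in the report."""
    result = {}
    for key in keys:
        chosen = None
        for cert in certs:
            if key.local_key_id is not None:
                if cert.local_key_id == key.local_key_id:
                    chosen = cert
            elif key.friendly_name is not None and cert.friendly_name == key.friendly_name:
                chosen = cert
        result[key.name] = chosen.name if chosen else None
    return result

def match_new(keys, certs):
    """Proposed rule: a cert agreeing on both localKeyId and friendlyName outranks
    one agreeing on only one of them. If the best candidates are still tied, the
    pairing is reported as None instead of silently returning an arbitrary cert."""
    def score(key, cert):
        s = 0
        if key.local_key_id is not None and cert.local_key_id == key.local_key_id:
            s += 1
        if key.friendly_name is not None and cert.friendly_name == key.friendly_name:
            s += 1
        return s
    result = {}
    for key in keys:
        ranked = sorted(certs, key=lambda c: score(key, c), reverse=True)
        best = score(key, ranked[0])
        runner_up = score(key, ranked[1]) if len(ranked) > 1 else 0
        result[key.name] = ranked[0].name if best > 0 and best > runner_up else None
    return result
```

Running both rules over PRIVATE_KEYS and CERTS shows the old rule returning cert#2 for both keys while the new rule pairs key#1 with cert#1 and key#2 with cert#2.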