JDK-8180819 No installed provider supports this key: sun.security.pkcs.PKCS8Key


Florian Bruckner (3kraft)
Hi,

I have just stumbled upon a quite strange behavior in an SSL connection with a client certificate. It
looks like something introduced between JDK 8u111 and JDK 8u121; JDK9 (all Oracle) and OpenJDK 8u151
are affected as well. There is already a ticket for this (JDK-8180819), but it has been closed due
to no response from the original reporter.

This is the exception (with 8u121):

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
     at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)
     at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208)
     at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
     at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
     at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
     at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
     at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
     at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
     at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
     at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
     at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
     at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
     at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1113)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
     at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104)
     ... 14 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs.PKCS8Key
     at java.security.Signature$Delegate.chooseProvider(Signature.java:1135)
     at java.security.Signature$Delegate.engineInitSign(Signature.java:1185)
     at java.security.Signature.initSign(Signature.java:550)
     at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1587)
     at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1110)
     ... 27 more


When using PKCS12 instead of JKS for the identity keystore, the trace is different (this trace is
from a JDK 8u151):

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)
         at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208)
         at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
         at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
         at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
         at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
         at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
         at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
         at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
         at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
         at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
         at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
         at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
         at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
         at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:255)
         at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:405)
         at sun.net.NetworkClient.doConnect(NetworkClient.java:162)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
         at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
         at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
         at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1199)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104)
         ... 14 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
         at java.security.Provider$Service.newInstance(Provider.java:1617)
         at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
         at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
         at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
         at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
         at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
         at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:332)
         at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:289)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:94)
         at sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
         at java.net.URL.openConnection(URL.java:1028)
         at com.sun.xml.internal.ws.api.EndpointAddress.openConnection(EndpointAddress.java:217)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.createHttpConnection(HttpClientTransport.java:242)
         at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:101)
         ... 14 more
Caused by: java.security.UnrecoverableKeyException: Get Key failed: java.security.InvalidKeyException: Invalid RSA private key
         at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:435)
         at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
         at java.security.KeyStore.getKey(KeyStore.java:1023)
         at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
         at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
         at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
         at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getKeyManagers(SSLContextImpl.java:873)
         at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(SSLContextImpl.java:758)
         at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:913)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
         at java.security.Provider$Service.newInstance(Provider.java:1595)
         ... 27 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
         at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
         at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:399)
         ... 41 more
Caused by: java.security.InvalidKeyException: Invalid RSA private key
         at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:214)
         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343)
         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)
         at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
         at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
         at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
         ... 43 more
Caused by: java.io.IOException: DerInputStream.getLength(): Redundant length bytes found
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:606)
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:569)
         at sun.security.util.DerInputStream.getPositiveBigInteger(DerInputStream.java:220)
         at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:205)
         ... 49 more

The keystores as JKS and PKCS#12 have been verified to be working with Java 8u60, so they seem to be
fine. Activating unlimited jurisdiction does not solve the problem. Restricting the client to TLSv1
or TLSv1.1 (via jdk.tls.client.protocols) has not changed the behavior. While the client is under my
control, the server isn't. There are no client properties for SSL set except truststore and keystore.

I need to discuss with my client whether I can share -Djavax.net.debug=ssl, but before I do this: Is
this list the right place to work on this and is someone willing to approach this issue?

Regards,

Florian


Re: JDK-8180819 No installed provider supports this key: sun.security.pkcs.PKCS8Key

Adam Petcher
On 11/13/2017 2:20 PM, Florian Bruckner (3kraft) wrote:

> Hi,
>
> have just stumbled upon a quite strange behavior in a SSL connection
> with a client certificate.

Looks like your private key is BER encoded. I think this is supposed to
be fine, but the code is being a bit too strict and rejecting it. There
was a change around 8u121 that added some more DER enforcement. Can you
try converting everything to DER to see if that clears up the problem?
You can do this with openssl e.g.:

openssl pkcs12 -in pkcs12-file -out key-and-cert -nodes -passin pass:abcXYZ
openssl pkcs12 -in key-and-cert -export -out new-pkcs12-file -passout pass:abcXYZ

The JKS exception doesn't really provide a lot of information. It would
be helpful if you could import the DER-formatted PKCS#12 file back into
JKS and let me know if that works.
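The BER-versus-DER diagnosis in the reply above, as an added example that is not part of the thread or of the JDK: a small Python walker that reports every length field in an ASN.1 structure that is not minimally encoded (legal BER, but what a strict DER parser reports as redundant length bytes) and re-emits the structure with DER lengths, so a key can be checked before it is handed to the keystore. The `normalize` function, the `BER_SAMPLE` blob and the mapping of the JDK message onto the DER minimal-length rule are my assumptions; the blob is constructed and is not a real key.

```python
# Added example (not JDK code): walk an ASN.1 blob such as the RSAPrivateKey
# inside a PKCS#8 key, flag length fields that are not minimally encoded
# (valid BER, "Redundant length bytes" to a strict DER parser), re-emit as DER.

def _read_length(buf, pos):
    """Return (length, content_offset, is_minimal) for the length at pos."""
    first = buf[pos]
    if first < 0x80:                      # short form: always minimal
        return first, pos + 1, True
    if first == 0x80:                     # indefinite form is BER only
        raise ValueError(f"indefinite length at offset {pos}")
    n = first & 0x7F
    raw = buf[pos + 1:pos + 1 + n]
    if len(raw) != n:
        raise ValueError(f"truncated length field at offset {pos}")
    length = int.from_bytes(raw, "big")
    # DER: long form only for lengths >= 128, and no leading zero bytes.
    return length, pos + 1 + n, (length >= 0x80 and raw[0] != 0x00)

def _encode_length(length):
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def normalize(buf, pos=0, end=None, findings=None):
    """Re-encode buf[pos:end] with minimal lengths. Returns (der, findings),
    findings being (offset, hex_of_length_field) per redundant length."""
    end = len(buf) if end is None else end
    findings = [] if findings is None else findings
    out = bytearray()
    while pos < end:
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise ValueError(f"multi-byte tag at offset {pos} not supported")
        length, body, minimal = _read_length(buf, pos + 1)
        if not minimal:
            findings.append((pos + 1, buf[pos + 1:body].hex()))
        if body + length > end:
            raise ValueError(f"element at offset {pos} overruns its container")
        if tag & 0x20:                    # constructed: recurse into children
            content, _ = normalize(buf, body, body + length, findings)
        else:
            content = bytes(buf[body:body + length])
        out += bytes([tag]) + _encode_length(len(content)) + content
        pos = body + length
    return bytes(out), findings

# Constructed sample (not a real key): SEQUENCE { INTEGER 0, INTEGER 65537, INTEGER 3 }, the second length written as 81 03.
BER_SAMPLE = bytes.fromhex("300c020100028103010001020103")
```

Run it over the raw PKCS#8 bytes of the key (the decoded PEM body) before converting; an empty findings list means length encoding is not what is tripping the parser.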