
Public certificate not displayed #217

Open
shakvaal opened this issue May 26, 2020 · 8 comments

@shakvaal

Describe the bug
Public certificate not shown in a PKCS12 keystore.
I'd rather not share the certificate, so maybe there is some obvious shortcoming of Java that I'm missing that stops Keystore Explorer from displaying certain types of public certificates?
I am ready to provide the details of the file, keystore, certificate.

To Reproduce
Steps to reproduce the behavior:

  1. Open PKCS12 keystore file (*.pfx)
  2. Enter correct password
  3. The keystore is opened but there are no entries
  4a. Use Windows 10 dialog to import certificate - a new entry is imported
  4b. Use a 3rd party app XCA to inspect the keystore - it does contain a single entry

Expected behavior
Either the certificate should be displayed, or the number of stored items must be non-zero.

Screenshots
[Three screenshots attached, captured 2020-05-26 at 23:12:36, 23:22:42 and 23:24:37; images not available in text]

Environment

  • Version of KSE: 5.4.2, 5.4.3
  • Version of Java: 1.8.0_241-b07
  • Platform (OS): Windows 10 Pro

Thank you.

@shakvaal (Author)

Uh oh, already covered by #35
Any chance of KS at least throwing some notifications about the hidden entries?

@kaikramer (Owner) commented May 26, 2020

Unfortunately KSE doesn't even know that those entries exist, because it uses the Java keystore API (the first screenshot shows all the information that the keystore API provides).

I could parse PKCS#12 files with BC's low level API and check if there are any possible incompatibilities and notify the user or maybe even fix them. But ...

  • that would be a lot of work for something that might only very rarely be an issue
  • my personal opinion is that it was a really bad decision by the Java makers to introduce a special Java-only attribute for trusted certs in PKCS#12 files and that it should be fixed in a future Java version

That being said, if there is enough demand for this feature, I would implement it. So, everybody who wants this feature in KSE, just vote for it by giving this comment a thumbs up.

@jpstotz (Contributor) commented Sep 23, 2022

Regarding the number of thumbs-up on the previous post:

The number of people who are affected by the PKCS12 JCE problem is most likely much higher than the number of thumbs-up responses would indicate because:

  1. The bug is silent - if the user does not know entries are missing the user will not detect that (s)he is affected by a bug
  2. If the user recognizes that there is a bug in loading a PKCS#12 file using KeyStore Explorer there is no warning/error message you could use to search and thus end up here.

@kaikramer (Owner)

@jpstotz I am aware of the importance of this ticket and as I have already told you this will be addressed in the KSE release after the next together with other PKCS#12 related issues. This requires some work however and can't be just "fixed", at least not in KSE.

Also keep in mind that this behaviour is consistent over all Java applications. If you use keytool to list the content of such a keystore, it will also tell you there is no content. If you use it for Tomcat's SSL configuration, it simply won't work. Of course you often can add BC and if you position it before the default Java PKCS#12 provider, then it will process those p12 files, but then again you have to know what the problem is and how to solve it. Or in other words: If KSE simply used the BC provider for p12 there would be loads of bug reports here complaining that the p12 files from KSE do not work in their Java application.

And one last word for everyone that is affected by this: I understand that it seems easier and with a higher chance for success to create a ticket here, but as this is actually a problem in the Java runtime code, you should really consider adding a ticket in the Java Bug Database as well.
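The two comments above describe the mechanism behind the empty listing: the JDK's PKCS#12 keystore silently drops certificates that lack its Java-specific trusted-cert attribute, while the BouncyCastle provider loads them, and the order of providers decides which one a plain `KeyStore.getInstance("PKCS12")` resolves to. The following is an added example, not code from KSE, Portecle or the JDK: a small Java program that loads the same .p12 twice, once through the default provider lookup (the path keytool and KSE take) and once explicitly through BouncyCastle, and warns when BC sees entries the default provider does not. It assumes a BouncyCastle provider jar (bcprov) is on the classpath; the class name `HiddenEntryCheck` and the methods `load` and `describe` are names chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical helper (not part of KSE): loads one PKCS#12 file through two
// providers and reports the entries that only BouncyCastle exposes.
public final class HiddenEntryCheck {

    // Loads the PKCS#12 bytes with the named provider. A null provider means the
    // normal lookup, which returns the JDK's built-in implementation unless BC
    // has been inserted ahead of it in the provider list.
    static KeyStore load(byte[] p12, char[] password, String provider)
            throws GeneralSecurityException, IOException {
        KeyStore ks = (provider == null)
                ? KeyStore.getInstance("PKCS12")
                : KeyStore.getInstance("PKCS12", provider);
        try (InputStream in = new ByteArrayInputStream(p12)) {
            ks.load(in, password);
        }
        return ks;
    }

    // One line per entry: the alias plus whether this provider treats it as a
    // private-key entry or as a trusted certificate.
    static List<String> describe(KeyStore ks) throws GeneralSecurityException {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "keyEntry"
                    : ks.isCertificateEntry(alias) ? "trustedCertEntry" : "other";
            lines.add(alias + " (" + kind + ")");
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java HiddenEntryCheck <file.p12> <password>");
            System.exit(2);
        }
        byte[] p12 = Files.readAllBytes(Paths.get(args[0]));
        char[] password = args[1].toCharArray();

        // addProvider appends BC to the END of the provider list, so the plain
        // getInstance("PKCS12") call in load() still resolves to the JDK's own
        // implementation; BC is only used where it is requested by name.
        Security.addProvider(new BouncyCastleProvider());

        KeyStore viaDefault = load(p12, password, null);
        KeyStore viaBc = load(p12, password, BouncyCastleProvider.PROVIDER_NAME);

        System.out.println("Default provider (" + viaDefault.getProvider().getName()
                + "): " + viaDefault.size() + " entries " + describe(viaDefault));
        System.out.println("BouncyCastle provider: " + viaBc.size() + " entries "
                + describe(viaBc));

        // The JDK PKCS12 keystore only surfaces a certBag as a trustedCertEntry
        // when it carries the Oracle trusted-key-usage bag attribute
        // (OID 2.16.840.1.113894.746875.1.1); certificates without it are parsed
        // but never appear through the KeyStore API, which is why keytool and KSE
        // report "0 entries" for a truststore created by OpenSSL without -jdktrust.
        if (viaBc.size() > viaDefault.size()) {
            System.out.println("WARNING: " + (viaBc.size() - viaDefault.size())
                    + " entry/entries are hidden from the JDK provider. Re-export the"
                    + " truststore with an attribute Java understands (e.g. openssl"
                    + " pkcs12 -export ... -jdktrust anyExtendedKeyUsage) or load it"
                    + " with the BC provider.");
        }
    }
}
```

Run it as `java -cp bcprov.jar:. HiddenEntryCheck test.p12 <password>`. Requesting BC by name rather than re-ordering providers keeps the default-lookup result identical to what keytool, Tomcat and KSE see, so the comparison shows the discrepancy instead of papering over it.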

@lhunath commented Nov 10, 2022

Thought I would point out that portecle does list these items. I'm not sure what they do differently to make it so.
https://portecle.sourceforge.net/

@kaikramer kaikramer added this to the v5.6.0 milestone Jan 22, 2023
@jpstotz (Contributor) commented Jan 25, 2024

@lhunath Portecle uses BouncyCastle KeyStore implementation: https://github.com/scop/portecle/blob/67456dc1729f28be03ab2079a329c585ad1d96df/src/main/net/sf/portecle/crypto/KeyStoreUtil.java#L91-L100

That the BouncyCastle implementation works I already mentioned here: #391 (comment)

@lhunath commented Jan 25, 2024

@kaikramer I fully agree with you that these issues need to be fixed in the default Java PKCS#12 provider rather than in KSE, and the best place to discuss a resolution is in the Java Bug Database; however, as non-developers/experts in this specific area, it is a challenge for us to create accurate and topical bug reports there. I suspect you have a better grasp on the specifics, so perhaps if you can link to a bug upstream, I would certainly be happy to offer my support there.

@kaikramer (Owner)

@lhunath This might be easier than you think, because KSE behaves exactly like keytool. So you can simply say "I have a p12 file here with a certificate and keytool shows it as empty".

Maybe with a concrete example:

$ openssl pkcs12 -in test.p12
Enter Import Password:
Bag Attributes: <No Attributes>
subject=CN = www.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

$ keytool -list -keystore test.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries

By the way, in the latest OpenSSL release, 3.2, a new option for creating PKCS#12 files was added that makes them compatible with Java - but only for pure truststores (no private keys):

-jdktrust

Export pkcs12 file in a format compatible with Java keystore usage. This option accepts a string parameter indicating the trustoid name to be granted to the certificate it is associated with.
Currently only "anyExtendedKeyUsage" is defined. Note that, as Java keystores do not accept PKCS12 files with both trusted certificates and keypairs, use of this option implies the setting of the -nokeys option

Example:

$ openssl pkcs12 -export -out test.p12 -in www.google.com.cer -jdktrust anyExtendedKeyUsage
$ keytool -list -keystore test.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, Jan 28, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 52:68:B6:49:C9:8B:16:56:5E:7F:FF:48:C6:C1:33:7C:5F:4E:62:16:14:8E:6A:14:5F:7D:D5:C4:50:3F:C4:BC

4 participants