8007632: DES/3DES keys support in PKCS12 keystore #877

Closed
wants to merge 3 commits into from

Conversation

alexeybakhtin
Contributor

@alexeybakhtin alexeybakhtin commented Oct 27, 2020

Hi All,

DES and DESede keys are supported by JKS/JCEKS but are not supported by PKCS#12 keystores.
This issue prevents the migration of legacy applications to a PKCS#12 keystore. For example, an application has some old 3DES keys that are required for certain legacy features. The Java PKCS12 keystore does not support DES/3DES keys; thus, the application can’t migrate to PKCS#12.
This patch adds OIDs for the DES/DESede algorithms. These are the only changes required to support DES/3DES keys in the PKCS#12 keystore.
The sun/security/pkcs12/P12SecretKey test is updated to verify new secret keys in the PKCS#12 keystore.


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Testing

Linux x64 Windows x64 macOS x64
Build ✔️ (3/3 passed) ⏳ (2/2 running) ✔️ (2/2 passed)
Test (tier1) ⏳ (7/9 running) ⏳ (9/9 running)

Issue

  • JDK-8007632: DES/3DES keys support in PKCS12 keystore

Reviewers

Download

$ git fetch https://git.openjdk.java.net/jdk pull/877/head:pull/877
$ git checkout pull/877
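
A round-trip probe for the migration case described in the pull request body, as an added example that is not code from this pull request or from the JDK test it mentions. The class name, alias and password are constructed for illustration, and it assumes an unsupported key algorithm surfaces as a `KeyStoreException` from `setEntry`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class P12LegacyKeyProbe {

    // True if a secret key of this algorithm can be stored in a PKCS12
    // keystore, serialized, reloaded and read back with identical key bytes.
    static boolean roundTrips(String algorithm) throws Exception {
        char[] pw = "changeit".toCharArray();   // constructed sample password
        SecretKey key = KeyGenerator.getInstance(algorithm).generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                    // start with an empty keystore
        try {
            ks.setEntry("legacy",               // hypothetical alias
                    new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(pw));
        } catch (KeyStoreException e) {
            // Assumption: this is how a runtime without an OID mapping for
            // the key algorithm rejects the entry.
            return false;
        }

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);

        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), pw);
        Key back = reloaded.getKey("legacy", pw);

        // Compare key material only; the algorithm name reported after the
        // reload is derived from the stored OID and is not checked here.
        return back != null && Arrays.equals(key.getEncoded(), back.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"AES", "DES", "DESede"}) {
            System.out.println(alg + " -> " + (roundTrips(alg) ? "stored" : "rejected"));
        }
    }
}
```

Running it on each Java runtime in a deployment shows, before keystores are converted, which runtimes can hold the legacy DES/DESede entries in PKCS#12.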

@bridgekeeper

bridgekeeper bot commented Oct 27, 2020

👋 Welcome back abakhtin! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Oct 27, 2020
@openjdk

openjdk bot commented Oct 27, 2020

@alexeybakhtin The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Oct 27, 2020
@mlbridge

mlbridge bot commented Oct 27, 2020

Webrevs

@@ -352,6 +352,9 @@

// OIW secsig 1.3.14.3.*
OIW_DES_CBC("1.3.14.3.2.7", "DES/CBC"),
OIW_DES_ECB("1.3.14.3.2.6", "DES/ECB", "DES"),
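
Review bot: the "DES" alias on the OIW_DES_ECB line ties the bare key algorithm name to a mode-specific OID (1.3.14.3.2.6, DES/ECB), although a stored key carries no cipher mode. Add a comment above the entry stating that the alias exists so a DES secret key can be given an algorithm identifier in a PKCS#12 keystore, and record which OID other implementations write for the same key so the choice can be checked for interoperability.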
Contributor

What OID are other vendors using?

Contributor Author

Contributor

Yes, I can see the OIDs. I was just wondering if other vendors are also using the OID for DES/ECB when storing a DES key. After all, this is only a key and it can be used with all Cipher modes.

Contributor Author

Verified with BC: BouncyCastle uses the DES/CBC OID for a DES secret key in PKCS#12.
So, the patch for "DES" can be simplified to

   - OIW_DES_CBC("1.3.14.3.2.7", "DES/CBC"),
   + OIW_DES_CBC("1.3.14.3.2.7", "DES/CBC", "DES"),

Contributor

Good. I also just noticed that the BC provider uses 1.3.14.3.2.7 as an alias for KeyGenerator.DES.

OIW_DES_CBC("1.3.14.3.2.7", "DES/CBC"),
OIW_DES_CBC("1.3.14.3.2.7", "DES/CBC", "DES"),

DESede("1.3.14.3.2.17", "DESede"),
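
Review bot: on the OIW_DES_CBC line, once "DES" becomes an alias of 1.3.14.3.2.7 it has to be dropped from OIW_DES_ECB("1.3.14.3.2.6", "DES/ECB", "DES") in the same commit; with the alias on both entries a lookup by the name "DES" has two candidate OIDs. The DESede("1.3.14.3.2.17", "DESede") line would also benefit from a short comment saying the entry is there so DESede secret keys can be stored, since nothing on the line distinguishes it from a cipher transformation entry.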
Contributor

Please move this below before SHA-1. The items are ordered by the OIDs (within each section group).

@alexeybakhtin
Contributor Author

/integrate

@openjdk

openjdk bot commented Oct 27, 2020

@alexeybakhtin This PR has not yet been marked as ready for integration.

@haimaychao
Contributor

Change looks good.

@openjdk

openjdk bot commented Oct 27, 2020

@alexeybakhtin This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8007632: DES/3DES keys support in PKCS12 keystore

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 452 new commits pushed to the master branch:

  • a023b93: 8255394: jdk/test/lib/hexdump/ASN1FormatterTest.java fails with ---illegal-access=deny
  • 84e985d: 8253920: Share method trampolines in CDS dynamic archive
  • 7d41a54: 8255450: runtime/ThreadCountLimit.java causes high system load
  • 504cb00: 8252113: Move jfr man page into jfr module
  • 552192f: 8255305: Add Linux x86_32 tier1 to submit workflow
  • 66a3917: 8255331: Problemlist java/foreign/TestMismatch.java on 32-bit platforms until JDK-8254162
  • cf56c7e: 8254980: ZGC: ZHeapIterator visits armed nmethods with -XX:-ClassUnloading
  • 18d9905: 8255342: Remove non-specified JVM checks on Classes with Record attributes
  • 7679650: 8231231: The printing result is different from the case instruction
  • f7c59c6: 8255231: Avoid upcalls when initializing the statSampler
  • ... and 442 more: https://git.openjdk.java.net/jdk/compare/55c90a171f28b878beeacd24092c7176cd23f51e...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@wangweij) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Oct 27, 2020
@alexeybakhtin
Contributor Author

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label Oct 27, 2020
@openjdk

openjdk bot commented Oct 27, 2020

@alexeybakhtin
Your change (at version efbd5a4) is now ready to be sponsored by a Committer.

@wangweij
Contributor

/sponsor

@openjdk openjdk bot closed this Oct 27, 2020
@openjdk openjdk bot added integrated Pull request has been integrated and removed sponsor Pull request is ready to be sponsored ready Pull request is ready to be integrated rfr Pull request is ready for review labels Oct 27, 2020
@openjdk

openjdk bot commented Oct 27, 2020

@wangweij @alexeybakhtin Since your change was applied there have been 452 commits pushed to the master branch:

  • a023b93: 8255394: jdk/test/lib/hexdump/ASN1FormatterTest.java fails with ---illegal-access=deny
  • 84e985d: 8253920: Share method trampolines in CDS dynamic archive
  • 7d41a54: 8255450: runtime/ThreadCountLimit.java causes high system load
  • 504cb00: 8252113: Move jfr man page into jfr module
  • 552192f: 8255305: Add Linux x86_32 tier1 to submit workflow
  • 66a3917: 8255331: Problemlist java/foreign/TestMismatch.java on 32-bit platforms until JDK-8254162
  • cf56c7e: 8254980: ZGC: ZHeapIterator visits armed nmethods with -XX:-ClassUnloading
  • 18d9905: 8255342: Remove non-specified JVM checks on Classes with Record attributes
  • 7679650: 8231231: The printing result is different from the case instruction
  • f7c59c6: 8255231: Avoid upcalls when initializing the statSampler
  • ... and 442 more: https://git.openjdk.java.net/jdk/compare/55c90a171f28b878beeacd24092c7176cd23f51e...master

Your commit was automatically rebased without conflicts.

Pushed as commit 7a7ce02.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels
integrated Pull request has been integrated security security-dev@openjdk.org
3 participants