On Tue, 11 Jul 2023 18:09:26 GMT, Craig Andrews <d...@openjdk.org> wrote:

> When loading the default JVM trust store, if the JVM trust store contains an 
> invalid certificate, the exception contains insufficient information to 
> determine which certificate is invalid, making it very difficult to fix the 
> problem.
> 
> To reproduce the issue:
> 1. Modify the default JVM trust store to contain invalid information. A very 
> easy way to do this on openjdk / red hat systems is to edit 
> /etc/pki/ca-trust/extracted/java/cacerts and add garbage text to the file.
> 2. Run this code:
> 
> TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> // initializing the trust store with a null KeyStore will load the default JVM trust store
> tmf.init((KeyStore) null);
> 
> 
> This stack trace results:
> 
> Caused by: java.security.KeyStoreException: problem accessing trust store
>       at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
>       at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
>       ... 81 common frames omitted
> Caused by: java.io.IOException: toDerInputStream rejects tag type 97
>       at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
>       at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2013)
>       at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
>       at java.base/java.security.KeyStore.load(KeyStore.java:1473)
>       at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
>       at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
>       at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
>       at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
>       ... 83 common frames omitted
> 
> 
> Throwing an exception with a more detailed error message facilitates 
> debugging and ultimately fixing such problems.

Caused by: java.security.KeyStoreException: problem accessing trust store
        at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
        at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
        ... 73 common frames omitted
Caused by: java.security.KeyStoreException: Failed to load key store: /usr/lib/jvm/java-17-openjdk-17.0.7.0.7-5.fc38.x86_64/lib/security/cacerts
        at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
        at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
        at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
        at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
        ... 79 common frames omitted
Caused by: java.io.IOException: toDerInputStream rejects tag type 97
        at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engine(PKCS12KeyStore.java:2013)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        ... 83 common frames omitted


The `KeyStoreException` inside `KeyStoreException` could be eliminated by 
adding a `catch` clause at 
https://github.com/openjdk/jdk/blob/257bc1745cf275d691db1801f8dd270b9ff1b324/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L67
like this:

            } catch (KeyStoreException ke) {
                throw ke;


Please let me know if you'd like me to include that change.

Thanks!
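A stand-alone diagnostic, added here as an example and not code from the PR or the JDK, that resolves the trust store file the JDK would load by default (the javax.net.ssl.trustStore property, else jssecacerts, else cacerts under ${java.home}/lib/security) and names that file in any parse failure, which is the information the stack trace above lacks. The class and method names are my own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;

// Constructed diagnostic (not JDK code): find the trust store the JDK would
// load by default and name the file in any failure. Lookup order follows the
// JSSE defaults: javax.net.ssl.trustStore, else jssecacerts, else cacerts.
public class TrustStoreCheck {

    static Path resolveDefaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.isRegularFile(jsse) ? jsse : security.resolve("cacerts");
    }

    // Parses the store the way the JDK does (default store type, password only
    // if javax.net.ssl.trustStorePassword is set) and returns the entry count.
    static int loadAndCount(Path store) throws KeyStoreException {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        try (InputStream in = Files.newInputStream(store)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, pw == null ? null : pw.toCharArray());
            return ks.size();
        } catch (IOException | GeneralSecurityException e) {
            // Wrap once, with the path: the message the PR asks the JDK to produce.
            throw new KeyStoreException("Failed to load trust store: " + store, e);
        }
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveDefaultTrustStore();
        System.out.println("Default trust store: " + store);
        System.out.println("Trusted entries: " + loadAndCount(store));
    }
}
```

Running it against a damaged cacerts (as in the reproduction steps quoted above) reports the offending path in the top-level exception message, with the DER parse error as its cause.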

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14834#issuecomment-1635157558
