
Loading JKS file written by OpenJDK Java 21 results in ASN.1 error #79

Open
pnickerson-cashstar opened this issue Jul 24, 2024 · 1 comment

Comments

@pnickerson-cashstar

I'm not sure whether this issue stems from pyjks or pyasn1. I might post it in both projects.

If I use jks.KeyStore.load on a JKS file containing a certificate/key bundle that was imported using keytool from OpenJDK Java 21 (java-21-openjdk-21.0.3.0.9-1.fc40.x86_64), then an ASN.1 error occurs:

>>> import jks
>>> jks.KeyStore.load('javakeystore21.jks', '[PASSWORD]')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/username/.local/lib/python3.12/site-packages/jks/util.py", line 90, in load
    ret = cls.loads(input_bytes,
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/username/.local/lib/python3.12/site-packages/jks/jks.py", line 525, in loads
    entry.decrypt(store_password)
  File "/home/username/.local/lib/python3.12/site-packages/jks/jks.py", line 197, in decrypt
    algo_params = encrypted_info['encryptionAlgorithm']['parameters'].asOctets()
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/username/.local/lib/python3.12/site-packages/pyasn1/type/univ.py", line 915, in asOctets
    return bytes(self._value)
           ^^^^^^^^^^^^^^^^^^
  File "/home/username/.local/lib/python3.12/site-packages/pyasn1/type/base.py", line 213, in plug
    raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema object' % name)
pyasn1.error.PyAsn1Error: Attempted "__index__" operation on ASN.1 schema object

If I instead import the same SSL bundle using keytool from OpenJDK Java 17 (java-17-openjdk-17.0.11.0.9-1.fc40.x86_64), then loading it works fine:

>>> import jks
>>> jks.KeyStore.load('javakeystore17.jks', '[PASSWORD]')
<jks.jks.KeyStore object at 0x7f04826bd6a0>

This happens with pyjks 20.0.0 and pyasn1 0.6.0 on Python 3.12.

The keytool import command that I run looks like this:
keytool -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 -srcalias mybundle -destkeystore javakeystore.jks -destalias mybundle

I have a feeling that OpenJDK 21's keytool command does not give encrypted private keys any encryption algorithm parameters when they're placed into JKS files. When I compare javakeystore21.jks and javakeystore17.jks using keytool -list -v, they're exactly the same. But the two files are slightly different sizes. And if I use the strings command on the two of them, it looks like the encrypted private key under mybundle is quite different.
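As an added example (not the reporter's code and not pyjks's own), here is a minimal standard-library DER walk of the PKCS#8 EncryptedPrivateKeyInfo structure that does not assume the AlgorithmIdentifier's OPTIONAL parameters field is present, which is the condition the traceback's "schema object" error is consistent with. The key-protector OID and the keystore bytes are constructed for the demo (the OID value is an assumption, not taken from the reporter's files).

```python
# Added example (not pyjks code): DER walk of EncryptedPrivateKeyInfo tolerating absent parameters.
from typing import Optional, Tuple

def tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (used here only to construct sample keystores)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse the DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_encrypted_private_key_info(der: bytes) -> Tuple[str, Optional[bytes], bytes]:
    """Return (algorithm OID, raw parameters TLV or None, encryptedData)."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "EncryptedPrivateKeyInfo must be a SEQUENCE"
    tag, alg, pos = read_tlv(body, 0)
    assert tag == 0x30, "encryptionAlgorithm must be a SEQUENCE"
    tag, oid, apos = read_tlv(alg, 0)
    assert tag == 0x06, "algorithm must be an OBJECT IDENTIFIER"
    # parameters is OPTIONAL: read it only if bytes remain in the SEQUENCE.
    # An unconditional .asOctets() here is exactly what blows up in the report.
    params = alg[apos:] if apos < len(alg) else None
    tag, enc_data, _ = read_tlv(body, pos)
    assert tag == 0x04, "encryptedData must be an OCTET STRING"
    return decode_oid(oid), params, enc_data

# Constructed samples. The OID is the Sun/JavaSoft key-protector OID as the
# author of this example recalls it (an assumption); the ciphertext is dummy.
KEY_PROTECTOR_OID = tlv(0x06, bytes.fromhex("2B060104012A02110101"))
DUMMY_CIPHERTEXT = tlv(0x04, b"\x00" * 40)
WITH_NULL_PARAMS = tlv(0x30, tlv(0x30, KEY_PROTECTOR_OID + b"\x05\x00") + DUMMY_CIPHERTEXT)
WITHOUT_PARAMS = tlv(0x30, tlv(0x30, KEY_PROTECTOR_OID) + DUMMY_CIPHERTEXT)
```

Both sample encodings parse to the same OID and ciphertext; only the parameters field differs (b"\x05\x00" for an explicit NULL, None when absent), so a loader that branches on that value rather than calling .asOctets() unconditionally handles both.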

@mahmoud
Collaborator

mahmoud commented Jul 24, 2024

Thanks for reaching out with the excellent report, Paul. Unfortunately, the maintainers of this package (myself included) haven't touched a JKS in a long while. If you make any progress, we're happy to review a PR with a test/fix. Thanks again!
