RHEL-14221

keytool does not work against pkcs12 store of PBEWithSHA1AndDESede in FIPS mode

    • Bug
    • Resolution: Not a Bug
    • Major
    • rhel-8.8.0.z
    • java-17-openjdk
    • sst_java

      What were you trying to do that didn't work?

      Tried to run keytool against pkcs12 store of PBEWithSHA1AndDESede in FIPS mode, and it failed with the following error:

      [root@localhost security]# fips-mode-setup --check
      FIPS mode is enabled.
      [root@localhost ~]# openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out new.des.p12 -passin pass:password -passout pass:password -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
      [root@localhost ~]# rpm -qa | grep java-17
      java-17-openjdk-headless-17.0.8.0.7-2.el8.x86_64
      java-17-openjdk-17.0.8.0.7-2.el8.x86_64
      [root@localhost ~]# /usr/lib/jvm/java-17-openjdk-*/bin/keytool -list -v -keystore /new.des.p12 -storetype pkcs12 -storepass password
      keytool error: java.io.IOException: keystore password was incorrect
      java.io.IOException: keystore password was incorrect
      	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
      	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
      	at java.base/java.security.KeyStore.load(KeyStore.java:1473)
      	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:946)
      	at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
      	at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede
      	... 6 more
      

      Please provide the package NVR for which bug is seen:

      How reproducible:

      Steps to reproduce

      1.  `openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out new.des.p12 -passin pass:password -passout pass:password -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES`
      2.  `/usr/lib/jvm/java-17-openjdk-*/bin/keytool -list -v -keystore /new.des.p12 -storetype pkcs12 -storepass password`

      Expected results

      It should show a certificate.

      Actual results

      It shows java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede

            rhn-engineering-ahughes Andrew Hughes
            rhn-support-hokuda Hisanobu Okuda
            Andrew Hughes
            David Kutalek
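An added example (not part of the original report, and not Red Hat or OpenJDK code): a small DER walker that reports which password-based encryption OIDs a PKCS#12 file declares. openssl's `PBE-SHA1-3DES` is written as OID 1.2.840.113549.1.12.1.3, the algorithm Java names `PBEWithSHA1AndDESede`, so this shows before any `keytool` run whether a store depends on it. The function names and the sample bytes are constructed for illustration, and only definite-length DER is handled.

```python
PBE_NAMES = {  # OIDs from PKCS #12 (pkcs-12PbeIds) and PKCS #5 (PBES2)
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",  # JCA: PBEWithSHA1AndDESede
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
}

def read_tlv(buf, pos):  # -> (tag, body, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    subids, value = [], 0
    for b in body:  # base-128 digits, high bit set means more octets follow
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            subids, value = subids + [value], 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def walk_oids(buf):  # descends into constructed types and OCTET STRING wrappers
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:
            yield from walk_oids(body)
        elif tag == 0x04:  # either wraps more DER or holds salt/ciphertext
            try:
                yield from list(walk_oids(body))
            except (ValueError, IndexError):
                pass  # not nested DER, nothing to report

def pbe_algorithms(p12):  # distinct PBE names in file order
    return list(dict.fromkeys(PBE_NAMES[o] for o in walk_oids(p12) if o in PBE_NAMES))

def tlv(tag, body):  # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
# Constructed sample (not a real keystore): one encrypted element declaring OID ...12.1.3.
_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010c0103"))
           + tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00")))
SAMPLE = tlv(0x30, tlv(0x04, tlv(0x30, _ALG + tlv(0x04, b"\xff" * 16))))
```

To check a real store, pass its bytes, for example `pbe_algorithms(open("new.des.p12", "rb").read())`; no password is needed because the algorithm identifiers sit outside the encrypted content.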