Bug | Resolution: Unresolved | Normal | CentOS Stream 9 | Important | rhel-sst-java | Red Hat Enterprise Linux | All
Issue Description: When generating a PKCS12 encrypted file with OpenSSL and attempting to open it with Java 11 keytool, an error occurs indicating that the PBES2 algorithm is not available. This issue is reproducible with the following commands:
    openssl genpkey -algorithm RSA -out private.key
    openssl req -new -key private.key -out certificate.csr
    openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt
    openssl pkcs12 -export -out engine.p12 -inkey private.key -in certificate.crt -certfile certificate.crt
    keytool -list -v -keystore engine.p12 -storetype PKCS12
Error Message:
    keytool error: java.io.IOException: parseAlgParameters failed: PBES2 AlgorithmParameters not available
    java.io.IOException: parseAlgParameters failed: PBES2 AlgorithmParameters not available
        at java.base/sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:839)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2074)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1096)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:421)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:414)
    Caused by: java.security.NoSuchAlgorithmException: PBES2 AlgorithmParameters not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/java.security.Security.getImpl(Security.java:779)
        at java.base/java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:158)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:831)
        ... 6 more
Additional Information:
- The issue does not occur when FIPS is disabled.
- A related discussion on StackOverflow suggests that FIPS mode disables the SunJCE provider, which contains all of the PBE and PBES2 ciphers. This appears to be the root cause of the problem.
Expectation: The described process is expected to work out of the box with FIPS enabled, since both Java and OpenSSL support PBES2. If there is a valid reason for it not to work, that reason should be documented.
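A way to check a PKCS#12 file for the encryption scheme that triggers this failure before it reaches a FIPS-mode keytool, as an added example that is not part of the bug report: it walks the DER structure of a .p12 and reports the PBE algorithm OIDs it finds. The sample inputs are constructed in the block (they mimic the AlgorithmIdentifier nesting OpenSSL 3 writes, not real keystores), and the `pbe_report`, `collect_oids` and `_der` helper names are this example's own.

```python
"""Added example (not from the bug report): list the PBE algorithms a PKCS#12 file uses, so a
.p12 that would hit the FIPS-mode "PBES2 AlgorithmParameters not available" error is caught early."""
import sys
PBES2 = "1.2.840.113549.1.5.13"
OID_NAMES = {PBES2: "PBES2 (PKCS#5 v2; OpenSSL 3 default)", "1.2.840.113549.1.5.12": "PBKDF2",
             "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
             "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (legacy PKCS#12 PBE)"}

def _tlv(buf, pos):                       # decode one DER tag+length; return (tag, body_start, body_end)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                      # long-form: the next n bytes hold the length
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
def _oid(body):                           # OBJECT IDENTIFIER content (base-128 arcs) to dotted form
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(v)
            v = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))
def collect_oids(buf, pos=0, end=None, found=None):
    """Every OID in order of appearance; descends into constructed types and into OCTET STRINGs
    that wrap a SEQUENCE, which is how PKCS#12 nests its SafeContents."""
    found = [] if found is None else found
    end = len(buf) if end is None else end
    while pos < end:
        tag, start, stop = _tlv(buf, pos)
        if tag == 0x06:
            found.append(_oid(buf[start:stop]))
        elif tag & 0x20 or (tag == 0x04 and stop - start > 1 and buf[start] == 0x30
                            and _tlv(buf, start)[2] == stop):
            collect_oids(buf, start, stop, found)
        pos = stop
    return found
def pbe_report(buf):
    oids = collect_oids(buf)
    names = list(dict.fromkeys(OID_NAMES[o] for o in oids if o in OID_NAMES))   # dedupe, keep order
    return {"algorithms": names, "uses_pbes2": PBES2 in oids}
def _der(tag, body):                      # short-form DER encoder, only used to build the sample
    return bytes([tag, len(body)]) + body
# Constructed sample, not a real keystore: the AlgorithmIdentifier OpenSSL 3 writes for a
# PBES2/PBKDF2/AES-256-CBC bag, wrapped in an OCTET STRING as PKCS#12 does, plus a legacy one.
_PARAMS = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))         # salt, iterations
SAMPLE_PBES2 = _der(0x30, _der(0x04, _der(0x30, bytes.fromhex("06092a864886f70d01050d") + _der(0x30,
    _der(0x30, bytes.fromhex("06092a864886f70d01050c") + _PARAMS)
    + _der(0x30, bytes.fromhex("060960864801650304012a") + _der(0x04, b"\x00" * 16))))))
SAMPLE_LEGACY = _der(0x30, bytes.fromhex("060a2a864886f70d010c0103") + _PARAMS)
if __name__ == "__main__":                # usage: python pbe_report.py engine.p12 (DER, not PEM)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PBES2
    print(pbe_report(data))
```

A report with `uses_pbes2` true identifies a file that the FIPS-mode keytool described above will refuse to load.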