Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When opening keystore the alias is not displayed correctly #8

Closed
informatik01 opened this issue Jan 12, 2016 · 4 comments
Closed

When opening keystore the alias is not displayed correctly #8

informatik01 opened this issue Jan 12, 2016 · 4 comments

Comments

@informatik01
Copy link

Hi.

I have the latest KeyStore Explorer version 5.1.1. And I have just noticed an issue that when opening some test .p12 file the "Entry name" column, which is supposed to show the alias, shows SHA1 fingerprint instead. The correct alias is "1".

To see what the command line tool keystore shows do the following:

keytool -list -keystore signout.p12 -storepass test -storetype PKCS12

The output is the following:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, 12.01.2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 37:D3:9D:AE:E6:A7:5F:CC:5D:D2:39:90:8A:A6:93:8E:72:1B:EC:C9

I have attached this .p12 file (inside an archive archive, key store password is "test") along with the screenshot of KyeStore Explorer that illustrates this issue.

test.p12.gz

screenshot

Hope this info will be useful.
@kaikramer
Copy link
Owner

Hi and thank you for taking the time to write a bug report. I appreciate that.

The key and certificate in this specific PKCS#12 file both have no friendlyName (which is the PKCS#12 equivalent of an alias):

$ openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 37 D3 9D AE E6 A7 5F CC 5D D2 39 90 8A A6 93 8E 72 1B EC C9
subject=/C=EE/O=ESTEID/OU=digital signature/CN=\xC5\xBD\xC3\x95RIN\xC3\x9CW\xC5\xA0KY,M\xC3\x84R\xC3\x9C-L\xC3\x96\xC3\x96Z,11404176865/SN=\xC5\xBD\xC3\x95RIN\xC3\x9CW\xC5\xA0KY/GN=M\xC3\x84R\xC3\x9C-L\xC3\x96\xC3\x96Z/serialNumber=11404176865
issuer=/C=EE/O=AS Sertifitseerimiskeskus/CN=TEST of ESTEID-SK 2011/[email protected]
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 37 D3 9D AE E6 A7 5F CC 5D D2 39 90 8A A6 93 8E 72 1B EC C9
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

So, if there is no friendlyName provided in the file, something else has to be used as an alias. The SunJSSE JCE provider (used by keytool in your case) simply uses a counter, while the Bouncy Castle provider in KSE uses the localKeyID. In other words: There is no "correct" alias, both values are only substitutes.

By the way, the next release of KSE will actually use SunJSSE instead of Bouncy Castle as the backing provider for PKCS#12 files. Then keytool and KSE will show the same behaviour.

@informatik01
Copy link
Author

OK, I see. Thanks for clarification.

@gstanchev
Copy link

Sorry to use this issue as a vehicle for a question but when are you planning the new release to be?

@kaikramer
Copy link
Owner

In 1-2 months.

@kaikramer kaikramer mentioned this issue May 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gstanchev @kaikramer @informatik01