Categories: OpenJDK, Security

Listing Certificates in OpenJDK Test Keystore

I was looking at the OpenJDK test failure reported in [JDK-8384815] SelectOneKeyOutOfMany and PreferredKey fail after expired test certificate – Java Bug System and was curious about how to determine that the certificates had expired. This is the command line I found:

KEYSTORE="$JDKSRCPATH/test/jdk/javax/net/ssl/etc/keystore"
$JDKTOTEST/bin/keytool -list -v -keystore "$KEYSTORE" -storepass passphrase \
 | grep -E 'Alias name|Entry type|Signature algorithm|Valid from|Public Key Algorithm|Subject Public Key'

It outputs the block below.

Alias name: dummy
Entry type: PrivateKeyEntry
Valid from: Mon May 16 04:06:38 MDT 2016 until: Sat May 16 04:06:38 MDT 2026
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: dummydsa
Entry type: PrivateKeyEntry
Valid from: Thu Mar 29 17:06:34 MDT 2018 until: Tue Mar 28 17:06:34 MDT 2028
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 1024-bit DSA key (weak)
Alias name: dummyecdsa
Entry type: PrivateKeyEntry
Valid from: Mon May 16 04:09:01 MDT 2016 until: Sat May 16 04:09:01 MDT 2026
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256k1) key (disabled)
Alias name: dummyecrsa
Entry type: PrivateKeyEntry
Valid from: Fri Apr 13 02:20:55 MDT 2018 until: Wed Apr 12 02:20:55 MDT 2028
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Valid from: Mon May 16 04:06:38 MDT 2016 until: Sat May 16 04:06:38 MDT 2026
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: ecdsasecp256r1
Entry type: PrivateKeyEntry
Valid from: Tue Mar 27 16:41:31 MDT 2018 until: Sun Mar 26 16:41:31 MDT 2028
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key

Warning:
<dummydsa> uses a 1024-bit DSA key which is considered a security risk. This key size will be disabled in a future update.
<dummyecdsa> uses a 256-bit EC (secp256k1) key which is considered a security risk and is disabled.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore C:/java/.../test/jdk/javax/net/ssl/etc/keystore -destkeystore C:/java/.../test/jdk/javax/net/ssl/etc/keystore -deststoretype pkcs12".

The history of the current keystore file shows that it was converted to PKCS12 almost 3 years ago in [JDK-8308453] Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12 – Java Bug System so the final warning doesn’t affect the latest versions (PR 8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to … · openjdk/jdk@1696603).

Article info



Leave a Reply

Your email address will not be published. Required fields are marked *