Loading a PKCS12 keystore with wrong password should throw recommended exception
When loading a PKCS12 keystore using the JCA API method java.security.KeyStore#load(InputStream, char[]) with a wrong password, an IOException without a cause is thrown. The JCA API recommends throwing an IOException with a java.security.UnrecoverableKeyException as the cause to indicate a wrong password (see JCA API Docs). This is the case for both PKCS12 keystores with a MAC and without a MAC.
We are currently using Java 11 with Bouncy Castle version 1.77, but the issue seems to exist with the latest Bouncy Castle version (1.80) as well.
Code Pointers:
- PKCS12KeyStoreSpi#engineLoad (with MAC)
- PKCS12KeyStoreSpi#unwrapKey (without MAC)
Thanks for the report; it seems reasonable to conform to that behaviour. getEntry, getKey are related cases that could be handled at the same time.
Latest openjdk implementation, for reference: https://github.com/openjdk/jdk/blob/48df41b6997cfe2c8aa3bc46ea25eff01f615d31/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java .
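The caller-side check that the JCA recommendation makes possible, as an added example that is not part of the issue thread or of Bouncy Castle's code. The class `Pkcs12PasswordCheck`, the `Result` enum and the passwords are hypothetical; the sample keystore is constructed in memory with the JDK's default PKCS12 provider.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;

public class Pkcs12PasswordCheck {
    enum Result { OK, WRONG_PASSWORD, UNREADABLE }

    // provider == null selects the default provider; a name such as "BC"
    // only works if that provider is registered (assumption, not done here).
    static Result tryLoad(byte[] p12, char[] password, String provider)
            throws GeneralSecurityException {
        KeyStore ks = provider == null
                ? KeyStore.getInstance("PKCS12")
                : KeyStore.getInstance("PKCS12", provider);
        try {
            ks.load(new ByteArrayInputStream(p12), password);
            return Result.OK;
        } catch (IOException e) {
            // Documented KeyStore#load behaviour: a wrong password is signalled
            // by an UnrecoverableKeyException as the cause of the IOException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return Result.WRONG_PASSWORD;
            }
            // Without that cause the caller cannot tell a wrong password from
            // a corrupt or truncated file and has to treat both the same way.
            return Result.UNREADABLE;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty PKCS12 keystore protected by a password.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "correct-pass".toCharArray());
        byte[] p12 = out.toByteArray();

        System.out.println(tryLoad(p12, "correct-pass".toCharArray(), null));
        System.out.println(tryLoad(p12, "wrong-pass".toCharArray(), null));
        // Truncated copy of the same bytes: damaged input, not a bad password.
        byte[] truncated = Arrays.copyOf(p12, p12.length / 2);
        System.out.println(tryLoad(truncated, "correct-pass".toCharArray(), null));
    }
}
```

With a provider that throws the IOException without a cause, as reported above, the wrong-password case falls into the `UNREADABLE` branch, so callers cannot prompt for a retry or log a failed-password event separately from file corruption.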