narupley / not-going-to-be-commons-ssl

A Java 9, 10, 11+ compliant fork of Not-Yet-Commons-SSL
Apache License 2.0
15 stars 7 forks

KeyStoreBuilder has issues when using specific security providers #8

Open CJBinder opened 4 years ago

CJBinder commented 4 years ago

For our issue, we are using a third-party library that requires Not-Yet-Commons-SSL, or the newly named Not-Going-To-Be-Commons-SSL. Our application can start up in BCFIPS approved mode, where we remove all other security providers and use only the BCFIPS provider.

The issue with the code exists within the tryJKS method of KeyStoreBuilder. It actually looks at error messages to determine whether to throw a bad password exception vs. falling through and returning null. In general this is a very poor implementation, as different security providers can supply different error messages. For our situation, BCFIPS puts 'password' in the message, where the SUN provider would simply put 'invalid keystore format'.

This ultimately stems from the poor implementation of the TrustMaterial class. This class has many constructors which in the end will call KeyStoreBuilder and try to load a PEM format byte array as a key store. When using SUN it ultimately falls through to the CertificateFactory to load the certificates from a stream. Ideally TrustMaterial should have constructors that are very specific to what is being supplied instead of very generic, as ultimately most of the constructors end up as a byte array and who knows what the heck the bytes are at that point.
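The two problems in the report, matching provider-specific exception text and guessing what an opaque byte array holds, can be avoided without knowing which provider is installed. The example below is added here to illustrate that; it is not code from not-going-to-be-commons-ssl, and the class `KeyMaterialProbe` and its methods `sniff`, `tryLoad` and `loadPemCertificates` are hypothetical names. It relies on two things the JDK itself specifies: the `KeyStore.load` javadoc says a wrong password is reported as an `IOException` whose cause is an `UnrecoverableKeyException`, and JKS containers begin with the magic bytes `0xFEEDFEED`. The demo in `main` builds an empty PKCS#12 store in memory (constructed data, no certificates needed) so it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

/** Hypothetical helper (not part of the library): classify key material by content and by exception type. */
public final class KeyMaterialProbe {

    /** What a byte[] of "trust material" contains, decided by its leading bytes rather than by trial loading. */
    public enum Kind { JKS, PEM, DER, UNKNOWN }

    public static Kind sniff(byte[] data) {
        if (data == null || data.length < 4) return Kind.UNKNOWN;
        // JKS containers start with the magic number 0xFEEDFEED.
        if ((data[0] & 0xFF) == 0xFE && (data[1] & 0xFF) == 0xED
                && (data[2] & 0xFF) == 0xFE && (data[3] & 0xFF) == 0xED) {
            return Kind.JKS;
        }
        // PEM is text; an armor header near the top identifies it.
        String head = new String(data, 0, Math.min(data.length, 256), StandardCharsets.US_ASCII);
        if (head.contains("-----BEGIN ")) return Kind.PEM;
        // An ASN.1 DER SEQUENCE tag: PKCS#12 stores and DER certificates both begin this way.
        if (data[0] == 0x30) return Kind.DER;
        return Kind.UNKNOWN;
    }

    /** Outcome of one keystore load attempt, derived from exception types only, never from message text. */
    public enum LoadResult { LOADED, BAD_PASSWORD, NOT_THIS_FORMAT, TYPE_UNAVAILABLE }

    public static LoadResult tryLoad(String type, byte[] data, char[] password)
            throws GeneralSecurityException {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance(type);    // resolved against whatever providers are installed
        } catch (KeyStoreException e) {
            return LoadResult.TYPE_UNAVAILABLE; // e.g. the type is not offered in a BCFIPS-only JVM
        }
        try {
            ks.load(new ByteArrayInputStream(data), password);
            return LoadResult.LOADED;
        } catch (IOException e) {
            // KeyStore.load contract: a wrong password surfaces as an IOException whose cause is
            // UnrecoverableKeyException. The message string is provider-specific and is not inspected.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return LoadResult.BAD_PASSWORD;
            }
            return LoadResult.NOT_THIS_FORMAT;
        }
    }

    /** PEM certificate bundles go straight to CertificateFactory; no keystore guessing is involved. */
    public static Collection<? extends Certificate> loadPemCertificates(byte[] pem)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificates(new ByteArrayInputStream(pem));
    }

    /** Demo on constructed input: an empty PKCS#12 store written with one password, reopened with another. */
    public static void main(String[] args) throws Exception {
        char[] good = "correct-password".toCharArray();
        char[] bad = "wrong-password".toCharArray();

        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, good);
        byte[] p12 = out.toByteArray();

        System.out.println("sniff(p12)             = " + sniff(p12));
        System.out.println("tryLoad(PKCS12, good)  = " + tryLoad("PKCS12", p12, good));
        System.out.println("tryLoad(PKCS12, bad)   = " + tryLoad("PKCS12", p12, bad));
        System.out.println("tryLoad(JKS, good)     = " + tryLoad("JKS", p12, good));

        byte[] pemLike = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
                .getBytes(StandardCharsets.US_ASCII);
        System.out.println("sniff(pemLike)         = " + sniff(pemLike));
    }
}
```

A provider that does not wrap the cause as the javadoc says it should lands in `NOT_THIS_FORMAT` rather than being misreported as a password problem, and no provider's wording is ever consulted. Sniffing first means PEM input is handed to `CertificateFactory` directly instead of being offered to every keystore type in turn, which is the specific-constructor behaviour the report asks for. The `JKS` line in `main` is there to show the result is reported per type; its value depends on the installed providers and on whether the JDK's JKS implementation falls back to PKCS#12.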