Get certificate from keystore not based on alias name in java - java

I am getting certificates from the keystore based on alias name using the below code,
KeyStore keyStore = KeyStore.getInstance("Windows-MY");
keyStore.load(null, null); // an MSCAPI keystore must be initialized before aliases() can be called
Enumeration<String> aliasesEnum = keyStore.aliases();
while (aliasesEnum.hasMoreElements())
{
    String aAliasName = aliasesEnum.nextElement();
    X509Certificate certificate = (X509Certificate) keyStore.getCertificate(aAliasName);
}
Is there any way to get aliases from the current token instead of getting them from the keystore?
Thanks in advance.

It is not possible to get a particular certificate other than by knowing the alias.
The best practice would be to have unique aliases in your use case, so you will know which certificate you are getting.
If you are storing the certificate through the KeyStore API, you can do a containsAlias(alias) to see if the alias already exists before you save.

Normally alias names are unique. This is a problem specific to MSCAPI keystore. There are several bug reports (some of them very old) regarding this issue:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=2162058
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6483657
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8058544
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6672015
Follow the last link, it contains a workaround. You basically have to modify the alias names via reflection API into something unique (see code in link). Not exactly a clean solution, but unfortunately the only way.
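The following is an added example, not code from the question or the answers above, that makes the duplicate-alias problem visible instead of silently picking the first entry: it enumerates the keystore, keys every certificate by its SHA-256 fingerprint, and warns when aliases() returns the same name more than once. It assumes the Windows-MY (MSCAPI) store.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

// Added example (not from the original post): lists a keystore's certificates by SHA-256
// fingerprint and flags alias names that the enumeration returns more than once.
public class KeyStoreAliasAudit {

    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Maps each alias name to the number of times aliases() returned it. */
    static Map<String, Integer> aliasCounts(KeyStore ks) throws Exception {
        Map<String, Integer> counts = new LinkedHashMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            counts.merge(aliases.nextElement(), 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) throws Exception {
        // Windows-MY is the assumed store; MSCAPI keystores initialise with no stream and no password
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        for (Map.Entry<String, Integer> e : aliasCounts(ks).entrySet()) {
            String alias = e.getKey();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            System.out.printf("%s  %s  %s%n", sha256Fingerprint(x509), alias,
                    x509.getSubjectX500Principal().getName());
            if (e.getValue() > 1) {
                // getCertificate(alias) can only return one entry for this name, so the
                // rest are unreachable through the KeyStore API; fail loudly rather than guess
                System.out.printf("  WARNING: alias '%s' returned %d times; %d entries hidden%n",
                        alias, e.getValue(), e.getValue() - 1);
            }
        }
    }
}
```

Treat any WARNING line as a reason to rename the colliding entries (for example with certmgr.msc or the reflection workaround linked above) before relying on alias lookups for signing.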

Related

WebLogicServer doesn't create DemoIdentity.jks

Whenever I install WebLogicServer, it doesn't create DemoIdentity.jks under base_domain. As such, I can't use SSL 7002.
I can't create a new .jks file using the instructions here: create new jks
It gives me the error: java.security.InvalidKeyException: exponent is larger than modulus
Make sure the CA files are in DER format.
Which they are.
Is there a reason for this happening? Any solutions to it?
In order to bypass this issue, use the "-noskid" parameter when running utils.CertGen.

Failure to open JCEKS keystore with pyjks

I'm trying to use the pyjks module to grab keys from a keystore; however, loading the keystore fails with the following error:
ValueError: Hash mismatch; incorrect password or data corrupted
If I try using keytool to load the keystore, I have no issues. I was wondering if anyone has ever used pyjks to do this and done so successfully. Here's my Python code snippet:
import jks
ks = jks.KeyStore.load("/tmp/keystore.jceks", "changeit")
Disclaimer: I wrote the initial JCEKS support for pyjks.
This might be due to the lack of support for SecretKey entries at the time. The parsing routine tracks the current position in the file as it reads through it, and at the end expects the next N bytes to be the correct signature. Because SecretKeys were not yet implemented, they did not advance the current position, thus causing a bad hash check.
I'm responding because I recently added the missing SecretKey support to pyjks. So if your situation is still relevant, feel free to grab the latest source from https://github.com/doublereedkurt/pyjks and try it out.

Error while decrypting HSM keys using nCipherKM

I am trying to decrypt Database password stored in a Securestorage file. I am using the nCipherKM HSM security provider and the Key Encryption Keys used for decryption is stored in a key store (folder). While I try to load the HSM Key Store by passing the keystore password , it fails to load the key store with the following Exception. Not sure what is the root cause of this error.
Code Snippet:
// Register the nCipherKM provider and open its keystore with a passphrase
java.security.Provider hsm_provider = (java.security.Provider) Class.forName("com.ncipher.provider.km.nCipherKM").newInstance();
java.security.Security.addProvider(hsm_provider);
KeyStore myKeyStore = KeyStore.getInstance(KeyStore.getDefaultType(), "nCipherKM");
myKeyStore.load(new FileInputStream(KeyStorePath), pwdOfKeyStore);
Exception:
java.io.IOException: A password was supplied but all keys are module protected.
    at com.ncipher.provider.km.KMKeyStore.engineLoad()
Note: Posting this answer to an old question in the hopes of helping others who encounter this same problem.
The root cause could be that the keystore was created with the option to protect the keys with the module. This doesn't mean that a passphrase is optional, it means it is prohibited.
To fix, use the code below
java.security.Provider hsm_provider = (java.security.Provider) Class.forName("com.ncipher.provider.km.nCipherKM").newInstance();
java.security.Security.addProvider(hsm_provider);
KeyStore myKeyStore = KeyStore.getInstance(KeyStore.getDefaultType(), "nCipherKM");
myKeyStore.load(new FileInputStream(KeyStorePath), null); // module-protected keys: no passphrase allowed
Note: if you attempt to extract the private key from the keystore, you should pass in a null too, like the following:
PrivateKey privateKey = (PrivateKey) keystore.getKey(KEYSTORE_ALIAS, null);

Generating a PKCS10 Certificate request with extra fields in java

I need to add extra fields in the CSR, like keyUsage, registrationID, etc. I am using Java IBM-sdk60. I've gone through the X500 name APIs and could not find any solution. Help on APIs would be appreciated.
Thanks in advance
The standard way to include additional information in a CSR (PKCS#10) request is by adding Attributes. According to the PKCS#10 standard:
The intention of including a set of attributes is twofold: to provide other information about a given entity, or a "challenge password" by which the entity may later request certificate revocation; and to provide attributes for inclusion in X.509 certificates. A non-exhaustive list of attributes is given in PKCS #9.
An attribute is an OID and a value whose meaning depends on the OID
Actually PKCS#9 defines 3 attributes:
Challenge password
Extension request
Extended-certificate attributes (this is deprecated)
The one you are looking for is Extension request:
The extensionRequest attribute type may be used to carry information about certificate extensions the requester wishes to be included in a certificate.
This code template (not tested) may give you some hints on how to include this attribute:
CertificateExtensions exts = /* build the extensions set you want to include */;
/* Encode the extensions and wrap the encoding in a SET OF, as the attribute value syntax requires */
ByteArrayOutputStream out = new ByteArrayOutputStream();
exts.encode(out);
DerValue val = new DerValue(DerValue.tag_SetOf, out.toByteArray());
/* 1.2.840.113549.1.9.14 is the PKCS#9 extensionRequest attribute OID */
PKCSAttribute extReq = new PKCSAttribute(new ObjectIdentifier("1.2.840.113549.1.9.14"), val.toByteArray());
PKCSAttributes attrs = new PKCSAttributes(new PKCSAttribute[] { extReq });
CertificationRequestInfo cri = new CertificationRequestInfo(subject, key, attrs);
CertificationRequest csr = new CertificationRequest(cri);
Please note that unless the CA explicitly announces this PKCS#10 attribute is supported it will be ignored during the certificate generation.
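As an added example (not the answer's code, which relies on provider-internal PKCS classes), here is the same extensionRequest attribute built with the Bouncy Castle PKIX API, plus a private attribute for the "registrationID" the question mentions; the registrationID OID and the subject name are placeholders, and the read-back method shows what a CA would actually see.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Added example (not from the original answer): builds a CSR carrying a PKCS#9
// extensionRequest attribute plus a private attribute, using Bouncy Castle.
public class CsrWithExtensionRequest {
    // Placeholder OID for the questioner's "registrationID"; replace with an arc you own.
    static final ASN1ObjectIdentifier REGISTRATION_ID = new ASN1ObjectIdentifier("1.3.6.1.4.1.99999.1");
    static PKCS10CertificationRequest build(KeyPair kp, String regId) throws Exception {
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.keyUsage, true, // critical, as a CA would normally issue it
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation));
        PKCS10CertificationRequestBuilder b = new JcaPKCS10CertificationRequestBuilder(
                new X500Name("CN=requester, O=Example"), kp.getPublic());
        // 1.2.840.113549.1.9.14 (extensionRequest) carries the whole Extensions SEQUENCE as its value
        b.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
        // any other attribute is just OID + value; a CA that does not know the OID ignores it
        b.addAttribute(REGISTRATION_ID, new DERUTF8String(regId));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return b.build(signer);
    }

    /** Reads the requested keyUsage back out of the CSR, as a CA would. */
    static KeyUsage requestedKeyUsage(PKCS10CertificationRequest csr) {
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (attrs.length == 0) return null;
        Extensions exts = Extensions.getInstance(attrs[0].getAttrValues().getObjectAt(0));
        return KeyUsage.fromExtensions(exts);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyUsage ku = requestedKeyUsage(build(kpg.generateKeyPair(), "REG-0001"));
        System.out.println("CSR requests nonRepudiation: " + (ku != null && ku.hasUsages(KeyUsage.nonRepudiation)));
    }
}
```

Requires bcprov and bcpkix on the classpath; a CA's issuing policy still decides whether the requested keyUsage or the private attribute is honoured.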

Loading a keystore without checking its integrity

This question is in the specific context of the Java class java.security.KeyStore and its load(InputStream stream, char[] password) method which can accept null values for password to bypass integrity checking.
What are the risks involved with loading and querying a keystore without checking its integrity? The keystore will be queried for the user's private key which will be used to sign a document for non-repudiation. The certificate queried will be further validated against a copy stored in a database at the time the user registered himself and the (supposedly exact same) cert.
Well, the main risk is that anyone who can read the file can also modify it. So someone could replace the file you read with a different keystore that has the same names for the keys but contains a different private key, so you end up signing documents with the wrong private key and none of them will pass verification.
Also, anyone with access to the file gains access to the private key and can sign documents as if they came from your app.
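An added example (not from the question or the answer) of the two checks a non-repudiation signer should run before using the key: load the store with its password so the integrity hash is verified, and prove that the private key under the alias really corresponds to the certificate captured at registration, which catches the swapped-key scenario described above. The file names, alias, and reading the password from the console are assumptions.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example (not from the original post): verifies keystore integrity and that the
// private key under an alias belongs to the certificate recorded at user registration.
public class SigningKeyCheck {
    /** Loads with the store password; load(in, null) would skip the integrity check. */
    static KeyStore loadChecked(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword); // IOException if the store was modified or the password is wrong
        }
        return ks;
    }

    /** True only if the stored cert equals the registered one AND the private key can sign for it. */
    static boolean keyMatchesRegisteredCert(KeyStore ks, String alias, char[] keyPassword,
                                            X509Certificate registered) throws Exception {
        PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPassword);
        X509Certificate inStore = (X509Certificate) ks.getCertificate(alias);
        if (priv == null || inStore == null) return false;
        // the certificate in the store must be byte-identical to the registered copy
        if (!Arrays.equals(inStore.getEncoded(), registered.getEncoded())) return false;
        if (!priv.getAlgorithm().equals(registered.getPublicKey().getAlgorithm())) return false;
        String sigAlg = "EC".equals(priv.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + priv.getAlgorithm();
        byte[] probe = "keystore-consistency-probe".getBytes("UTF-8");
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(priv);
        s.update(probe);
        byte[] sig = s.sign();
        Signature v = Signature.getInstance(sigAlg);
        v.initVerify(registered.getPublicKey());
        v.update(probe);
        return v.verify(sig); // a swapped private key fails here even when alias and cert look right
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.console().readPassword("keystore password: ");
        KeyStore ks = loadChecked("user-keystore.jks", pw);
        X509Certificate registered;
        try (FileInputStream in = new FileInputStream("registered-cert.der")) { // copy kept at registration
            registered = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(keyMatchesRegisteredCert(ks, "user", pw, registered) ? "OK" : "MISMATCH: refuse to sign");
    }
}
```

Neither check helps against the second risk in the answer: anyone who can read the file and knows the key password can still sign as the application, so the file's permissions and the key password matter as much as the integrity hash.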
