I'm trying to set up a DTLS server on Android based on the example java files from Californium.Scandium. Initially I ran into issues because the keystore and truststore were in jks format and I did not have the key passwords. Hence, I created my own PKCS12 keystore and truststore using Portecle.
KeyStore keyStore = KeyStore.getInstance("PKCS12");
in = getResources().openRawResource(R.raw.keystore);
keyStore.load(in, KEY_STORE_PASSWORD.toCharArray());
KeyStore trustStore = KeyStore.getInstance("PKCS12");
inTrust = getResources().openRawResource(R.raw.truststore);
trustStore.load(inTrust, TRUST_STORE_PASSWORD.toCharArray());
After that, the code did not throw any errors during keystore loading but upon running the application I get this:
FATAL EXCEPTION: main
Process: com.example.admin.securesend, PID: 3402
java.lang.RuntimeException: Unable to start activity
ComponentInfo{com.example.admin.securesend/com.example.admin.securesend.DTLSServer}: java.lang.IllegalStateException: Keys must be ECDSA capable when support for an ECDHE_ECDSA based cipher suite is configured
Edit: I realised that my keys were created using SHA instead of ECDSA. I'm not very familiar with keystores and keys, so I'm assuming that my keystore is now valid and I just need to generate the appropriate keys for the system and plant them into the key. How do I create keys using ECDSA and transfer them into my keystore?
Ok, let's first get the terminology right:
RSA: That's the type of keys that you have created with portecle.
DSA: Another key type, very rarely used. Also a signature algorithm.
EC: Elliptic curve keys are what you want to generate.
ECDSA: A signature algorithm for EC keys.
SHA: A hashing algorithm, used to generate a hash value of the data to be signed.
For generating EC keys you can use keytool (with Java 7 or higher):
keytool -genkeypair -alias ec -keyalg EC -keysize 256 -sigalg SHA256withECDSA -validity 365 -storetype JKS -keystore ectest.jks -storepass 123456
This command generates a 256 bit EC key on a SEC curve (secp256r1) and a self signed certificate using ECDSA with SHA256.
If you prefer GUI tools, KeyStore Explorer is another way to generate EC keys:
Related
I have a problem with a Websphere keyset. I create a keystore using a public key that was generated on another computer with keytool using this command:
keytool -import -noprompt -alias eeccstore -keystore eeccstore.jks -file D:\Keys\eecc_public.key -storepass password
After that, in Websphere Server I create the KeyStore as follows in the next image:
Keystore usages: Key set keystores
Create keystore in Websphere Server
I use the same password that I use to create the KeyStore with Keytool.
Then I create the keySet in WebSphere Server as follows in the next image:
Create keyset in Websphere Server
In my java code I use the keyset as follows:
KeySetHelper ksh = KeySetHelper.getInstance();
KeyPair key = (KeyPair)ksh.getLatestKeyForKeySet("eeccKeySet");
And the console shows me this:
java.lang.NullPointerException
com.ibm.ws.crypto.config.WSKeySet.getLatestKey(WSKeySet.java:257)
com.ibm.websphere.crypto.KeySetHelper.getLatestKeyForKeySet
I understand that the server can not find any key in the KeySet but I don't know what I could be doing wrong.
Thank you in advance for your support.
Reggard!
After days of searching, I found a solution. Instead to access a KeySet, I access to KeyStore directly and get not the key, but the X509 certificate with wich can create the public key and use it to encrypt any text.
char [] passch = password.toCharArray();
com.ibm.crypto.provider.JavaKeyStore keystore = new JavaKeyStore();
keystore.engineLoad(new FileInputStream(new File(pathKeyFileJKS)), null);
KeyStore.TrustedCertificateEntry privKeyEntry = (TrustedCertificateEntry)
keystore.engineGetEntry("eecc-KeyStore", new KeyStore.PasswordProtection(passch));
X509CertImpl cert = (X509CertImpl) privKeyEntry.getTrustedCertificate();
cert.checkValidity();
PublicKey publicKey = cert.getPublicKey();
Where password variable contains the password that I use to create the eecc_public.key file, pathKeyFileJKS contains the path where create the jks file and "eecc-KeyStore" is the name that I use to create my keyStore in WebSphere Server.
so here's what I'm trying to do:
I connect to my SSL server
It sends me two certificates, and one of them is self-signed
At this stage, there are no problems, I've:
X509Certificate[] myTwoCerts;
// with 2 certificates in there, and I'm sure it's there because, I print them in my console.
Now I want to create .p12 file with 2 certificates inside.
Until now, I've tried something like this:
KeyStore pkcs12Store = KeyStore.getInstance("PKCS12");
pkcs12Store.load(null, null);
X509Certificate cert1 = myTwoCerts[0];
X509Certificate cert2 = myTwoCerts[1]
String alias1 = "FIRST";
String alias2 = "SECOND";
pkcs12Store.setCertificateEntry(alias1, cert2);
pkcs12Store.setCertificateEntry(alias2, cert2);
But I'm getting the following Exception:
Exception in thread "main" java.security.KeyStoreException: TrustedCertEntry not supported
Can anybody help me plz??
The PKCS12 keystore in Java cannot be used to store certificates or certificate chains without their private keys.
See this note in the JCA reference guide:
"pkcs12" is another option. This is a cross platform keystore based on the RSA PKCS12 Personal Information Exchange Syntax Standard. This standard is primarily meant for storing or transporting a user's private keys, certificates, and miscellaneous secrets. As of JDK 6, standards for storing Trusted Certificates in "pkcs12" have not been established yet, and thus "jks" or "jceks" should be used for trusted certificates.
(Despite mentioning JDK 6, this still is in the JDK 7 documentation.)
If you want to store a private key + certificate (chain) in a PKCS#12 store in Java, there needs to be a private key and you need to use the setKeyEntry method.
keytool -trustcacerts -keystore keystore.p12 -storetype pkcs12 -alias root -genkeypair
KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
String filename = "/tmp/keystore.p12";
keyStore.load(
new FileInputStream(/*"myKeyStore.jks"*/filename),
password);
I'm having trouble issuing certificate to a hard token, What I have is a PKCS12 keystore I have created and want to move it to a hardtoken as a PKCS11.
I can successfully generate keys and certificate and save them in a p12 keystore and can import the p12 file to hardtoken using admin console of this device.
But when I try to do the final step programatically I have different result.
Imported p12 file using admin tool what I have in device is
-Serial number
-Signature and key exchange usage
Certificate
Private Key
Public key
Imported all steps programatically
-Serial number
-Signing &encryption
Certificate
Private Key
and the final result is that end user can't use the device for signing.
I'm using SunPKCS11.
Edit: Code used for importing the key:
KeyStore.PrivateKeyEntry priEntry =
new KeyStore.PrivateKeyEntry(keys.getPrivate(), certificateArray);
KeyStore.PasswordProtection password =
new KeyStore.PasswordProtection(pass.toCharArray());
store.setEntry("Entry", priEntry, password);
EDIT 2 keytool -list
The funny thing is that when I use the following command output is the very same
keytool -keystore NONE -storetype pkcs11 -list
Our company purchased a code signing certificate from Thawte a few weeks ago. When we finally received the certificate from the purchasing team they didn't know the alias for the certificate!
I don't seem to be able to import the cert without the alias and they have no clue at all what it is. Is there a way of retrieving the alias? Has anybody else run into this problem? Is there any way of importing without the alias?
The alias is specified during the creation of the private key of the RSA certificate. It is not decided by the certificate signing authority, rather by the person creating the private and public keys.
I can't speak on whether your purchasing department ought to know this, but you'll need to check with the person/department who generated the CSR to determine the toolkit used to generate the CSR, and the key store format.
Now, assuming that the Java keytool utility was utilized to create the CSR, and that the private key is managed in a JKS keystore, you can utilize the keytool command to determine the contents (and hence the alias) of the keystore. This can be done using the keytool -list as indicated in the other answer. A sample run is demonstrated below, with the alias appearing in the output:
keytool -list -v -keystore foo.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: foo
Creation date: Sep 1, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=foo, OU=foo, O=foo, L=foo, ST=foo, C=foo
Issuer: CN=foo, OU=foo, O=foo, L=foo, ST=foo, C=foo
Note that you do not need to know the keystore password to read the contents of the keystore, in which case a warning will be displayed.
In case you are using another toolkit and/or keystore format, you'll need to adopt a similar approach to determine the contents of the keystore, for the alias is not bound to appear in the CSR.
Try with:
keytool -list -keystore certificate.jks
(Note that if your keystore isn't JKS, for example, PKCS12, you can add an optional -storetype option to change the keystore type:)
keytool -list -keystore certificate.p12 -storetype PKCS12
You'll have something like:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Feb 1, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 0F:73:59:5C:35:8C:F2:F0:27:7E:F7:B7:AF:0A:95:B4
Your certificate alias is shown on the first line of the certificate description, here 'mykey'.
I generate a certification key with openssl. Here is my command:
openssl genrsa -des3 -out enc_key.pem 1024
I export into cer file, then with java keytool I import into java keystore (jks).
The keystore sounds good. I can load the keystore from my java app.
The problem is when client connect to the server (In this case is FTP server, not web server, and I use apache mina), the exception occured:
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
There is a few things that I want to ask:
What is the cipher of certification that I generate with openssl? How can we know? maybe by command line openssl xxx?
I go to http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA. And I put SSL_RSA_xxx to enabled cipher suites, but still can't work (I put SSL_RSA because it the SSL is using ssl implisit, and genrsa, just my opinion genrsa is generate RSA). Is it correct?
Anybody knows the solution?
Or, anybody knows how to generate the standard keystore from openssl command line until can be used in java app (off course with the cipher). Because right now I can generate the certification from openssl and export keystore java, but I don't know what is the cipher that I used and how I use in the java app. Note: I can run if the keystore is generate directly FROM java. Right now the problem is if the keystore generated by java keytool from certification like openssl (and other maybe).
Any help will be appreciated! Thanks
Why are you using OpenSSL to generate the keypair? Why not just use keytool?
The genrsa tool just generates a private key. How are you creating a corresponding certificate? How are you importing the private key into your Java keystore? (I ask, because keytool can only import a private key from an existing key store, and only from Java 6 onward.)
I suspect that your problem is that your key store doesn't contain a key entry (private key and corresponding certificate). When you list the keystore contents with keytool, how many entries are there? Are they key entries or trusted entries?
The server needs access to the private key in order to authenticate itself. To import a private key, use Java 6's enhanced keytool.
After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:
openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
Then convert this store into a Java key store:
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
Now use server.jks in your SSL-enable server, which contains the certificate and the private key.