I want to read information the certificate with .pfx extension, but when load the certificate occurs this error:
failed to decrypt safe contents entry:
javax.crypto.BadPaddingException: Given final block not properly
padded
Stack trace:
(java.lang.StackTraceElement[]) [
sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1304),
java.security.KeyStore.load(KeyStore.java:1214),
br.com.certificateutils.CertificatesTest.testLoadCertificateIdeal(CertificatesTest.java:48),
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method),
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57),
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43),
java.lang.reflect.Method.invoke(Method.java:606),
org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47),
org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12),
org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44),
org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17),
org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271),
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70),
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50),
org.junit.runners.ParentRunner$3.run(ParentRunner.java:238),
org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63),
org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236),
org.junit.runners.ParentRunner.access$000(ParentRunner.java:53),
org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229),
org.junit.runners.ParentRunner.run(ParentRunner.java:309),
org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50),
org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38),
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467),
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683),
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390),
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)]
My code is:
try{
KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
InputStream is = new FileInputStream("C:\\certificado.pfx");
ks.load(is, "password".toCharArray()); //line ocorrus error
String alias = ks.aliases().nextElement();
Key key = ks.getKey(alias, "password".toCharArray());
Certificate[] cc = ks.getCertificateChain(alias);
X509Certificate certificate1 = (X509Certificate) cc[0];
ret += certificate1.getNotAfter();
ret += certificate1.getNotBefore();
} catch (Exception e) {
System.out.print(e.getMessage());
}
My objective is read a certificate and get validity and an unique identifier.
Here is the code
KeyStore keyStore = KeyStore.getInstance("pkcs12");
keyStore.load(newByteArrayInputStream(signature),password.toCharArray());
Enumeration<String> enums = keyStore.aliases();
while (enums.hasMoreElements()) {
String alias = enums.nextElement();
X509Certificate c = (X509Certificate)keyStore.getCertificate(alias);
LocalDateTime expiryDate = LocalDateTime.ofInstant(Instant.ofEpochMilli(c.getNotAfter().getTime()), ZoneId.systemDefault());
}
Related
void createKeyStore(String alias) throws Exception {
if(keyStoreType == null || keyStoreType.isEmpty()){
keyStoreType = KeyStore.getDefaultType();
}
keyStore = KeyStore.getInstance(keyStoreType);
KeyPair kp = generateRSAKeyPair();
Certificate[] certChain = new Certificate[1];
certChain[0] = generateCertificate(kp);
//load
char[] pwdArray = keyStorePassword.toCharArray();
keyStore.load(null, pwdArray);
keyStore.setKeyEntry(alias, kp.getPrivate(), keyStorePassword.toCharArray(), certChain);
// Save the keyStore
FileOutputStream fos = new FileOutputStream(keyStoreName,true);
keyStore.store(fos, pwdArray);
fos.close();
}
Using this function for create and write multiple alias in keystore
In the first request it create keystore file and store the alias with private key and certificate but in the second request with alias it not storing any data in same keystore file.
I am working on a Java project. I have created certificate using my function but now I have only one certificate . I am expecting to store multiple alias in the same file but it happen only with first request but not with second request.
I've been trying on this for a couple of days and I'm hopelessly stuck.
To fully understand how java key store works, i've been trying to create my own keystore, put some stuff inside it, then retrieve them from another program.
Here's my keystore generator :
{
//generate a X509 certificate
Security.addProvider(new BouncyCastleProvider());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(new FileInputStream("certificate.cer"));
LOGGER.debug("BouncyCastle provider & X509 certificate added.");
//generate a private & a public key
KeyPair keyPair = generateRSAKeyPair();
RSAPrivateKey priv = (RSAPrivateKey) keyPair.getPrivate();
RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
//generate a keystore
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = "keystore_password".toCharArray();
ks.load(null, keyStorePassword);
try (FileOutputStream fos = new FileOutputStream("TestKeyStore.jks")) {
ks.store(fos, keyStorePassword);
}
ks.load(new FileInputStream("TestKeyStore.jks"), keyStorePassword);
//Symmetric key
SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry((secretKey));
KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(keyStorePassword);
ks.setEntry("symmetric_key", secretKeyEntry, protectionParameter);
//Asymmetric key
X509Certificate[] x509Certificates = new X509Certificate[1];
x509Certificates[0] = certificate;
ks.setKeyEntry("asymmetric key", priv, keyStorePassword, x509Certificates);
//certificate
ks.setCertificateEntry("test_certif", certificate);
Key key = ks.getKey("symmetric_key", keyStorePassword);
System.out.println("I have this symmetric key : " + key);
X509Certificate certificate1 = (X509Certificate) ks.getCertificate("test_certif");
System.out.println("I have this certificate : " + certificate1);
System.out.println(ks.aliases().nextElement());
LOGGER.debug("all went well");
}
As you probably noticed, it's not all polished: my goal for now is only to put some stuff inside the keystore. But the point here, from the last System.out.println(ks.aliases().nextElement());, is just to see there is indeed something inside the keystore. And this is working just fine, it gives back symmetric_key.
Now, from the same folder is another class that is supposed to read from that keystore.
Note: there is no issue regarding the file (I've tested by moving its localization) so it can't be that.
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = "keystore_password".toCharArray();
ks.load(new FileInputStream("TestKeyStore.jks"), keyStorePassword);
System.out.println(ks.containsAlias("symmetric_key"));
This always gets me: false
If I try this: System.out.println(ks.aliases());, it's always null
If I try this:
if (!keystore.aliases().hasMoreElements()) {
System.out.println("nothing inside the keystore");
}
it gives me back nothing inside the keystore.
Even though it's not the case in the generator.
Any clue?
Thank you
The problem is that you are setting the entries after writing the keystore.
If you move:
try (FileOutputStream fos = new FileOutputStream("TestKeyStore.jks")) {
ks.store(fos, keyStorePassword);
}
Till after this line:
ks.setCertificateEntry("test_certif", certificate);
Everything should work fine.
Bellow you have an working example with some code removed for clarity:
public static void main(String[] args) throws Exception{
final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
final KeyPair keyPair = keyGen.genKeyPair();
RSAPrivateKey priv = (RSAPrivateKey) keyPair.getPrivate();
//generate a keystore
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = PASSWORD;
ks.load(null, keyStorePassword);
X509Certificate[] chain = {generateCertificate("cn=Unknown", keyPair, 365, "SHA256withRSA")};
// saving one keypair in keystore object
ks.setKeyEntry("asymmetric key", keyPair.getPrivate(), keyStorePassword, chain);
//Symmetric key
SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry((secretKey));
KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(keyStorePassword);
// saving symmetric key in keystore object
ks.setEntry("symmetric_key", secretKeyEntry, protectionParameter);
// Saving our keystore object into the filesystem
try (FileOutputStream fos = new FileOutputStream("TestKeyStore.p12")) {
ks.store(fos, keyStorePassword);
}
// The rest of the code
}
The reason why it works in the method that saves the keystore is because the changed keystore is still in memory, but not on the filesystem. Also, since you are creating a PKCS12 keystore, I would avoid the .jks extension and go for something like .pkcs12.
I'm unable to add a certificate with a 2048 bit key to a Bouncy Castle KeyStore. I've updated my version of JCE, both the JRE and JDK security folders, with UnlimitedJCEPolicyJDK7.zip. The code below indicates the error location. I'm using bcprov-jdk15on-149 but have tried bcprov-jdk15on-157 with the same results. There are a number of posts regarding symmetric encryption problems but fewer on PKE. I'm running Windows 10 Pro, JRE 7, JDK 1.7.0_51. I'd appreciate any suggestions.
char[] testPass = "changeit".toCharArray();
String testAlias = "express";
// -----------------------------------------------------------------
// Open source TrustStore and extract certificate and key
FileInputStream jksFis = new FileInputStream("G:\\testSrc.jks");
KeyStore jksKS = KeyStore.getInstance(KeyStore.getDefaultType());
jksKS.load(jksFis, testPass);
PrivateKey jksPK = (PrivateKey) jksKS.getKey(testAlias,testPass);
RSAKey rsaKey = (RSAKey)jksPK;
int rsaKeyLen = rsaKey.getModulus().bitLength();
System.out.printf("Key length is %d\n",rsaKeyLen); // 2048
X509Certificate[] jksCerts = new X509Certificate[1];
jksCerts[0] = (X509Certificate) jksKS.getCertificate(testAlias);
// -----------------------------------------------------------------
// Create new default type keystore and add certificate and key.
KeyStore jksDest = KeyStore.getInstance(KeyStore.getDefaultType());
jksDest.load(null,null);
jksDest.setKeyEntry(testAlias, jksPK, testPass, jksCerts);
FileOutputStream jfos = new FileOutputStream("G:\\testDest.jks");
jksDest.store(jfos, testPass);
jfos.close();
// -----------------------------------------------------------------
// Create Bouncy Castle KeyStore and add certificate and key
Security.addProvider(new BouncyCastleProvider());
KeyStore bksKS = KeyStore.getInstance("PKCS12","BC");
bksKS.load(null,null);
bksKS.setKeyEntry(testAlias, jksPK, testPass, jksCerts);
FileOutputStream bksFos = new FileOutputStream("G:\\testDest.bks");
// -----------------------------------------------------------------
// Next line gives this error:
// java.io.IOException: exception encrypting data -
// java.security.InvalidKeyException: Illegal key size
bksKS.store(bksFos, testPass); // This is the error line.
// Error on previous line.
The procedure for installing the JCE update seems pretty straightforward so one of my assumptions about the version I'm using may be mistaken. As Omikron pointed out in his helpful comment it shouldn't have mattered anyway. He did get me going in the right direction which led to the solution. I'm posting the revised code below. I'm not sure why the default keystore type worked in the first place and bouncy castle didn't. Maybe someone familiar with bouncycastle will share their thoughts. In the meantime I'm going to see if this works on Android too.
public static void main(String[] args) {
try{
// -----------------------------------------------------------------
// Anonymous recommendation I found here:
// http://suhothayan.blogspot.com/2012/05/how-to-install-java-cryptography.html
// This fixed my problem.
try {
Field field = Class.forName("javax.crypto.JceSecurity").
getDeclaredField("isRestricted");
field.setAccessible(true);
field.set(null, java.lang.Boolean.FALSE);
} catch (Exception ex) {
ex.printStackTrace();
}
// -----------------------------------------------------------------
// Check recommended by Omikron, who was correct: I assume I didn't
// install the JCE properly because it prints 128 for the max
// key allowd key length.
int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
System.out.printf("max key len: %d\n",maxKeyLen);
// -----------------------------------------------------------------
char[] testPass = "changeit".toCharArray();
String testAlias = "express";
// -----------------------------------------------------------------
// Open source TrustStore and extract certificate and key
FileInputStream jksFis = new FileInputStream("G:\\testSrc.jks");
KeyStore jksKS = KeyStore.getInstance(KeyStore.getDefaultType());
jksKS.load(jksFis, testPass);
PrivateKey jksPK = (PrivateKey) jksKS.getKey(testAlias,testPass);
RSAKey rsaKey = (RSAKey)jksPK;
int rsaKeyLen = rsaKey.getModulus().bitLength();
System.out.printf("JKS key length is %d\n",rsaKeyLen); // 2048
X509Certificate[] jksCerts = new X509Certificate[1];
jksCerts[0] = (X509Certificate) jksKS.getCertificate(testAlias);
// -----------------------------------------------------------------
// Create new default type keystore and add certificate and key.
KeyStore jksDest = KeyStore.getInstance(KeyStore.getDefaultType());
jksDest.load(null,null);
jksDest.setKeyEntry(testAlias, jksPK, testPass, jksCerts);
FileOutputStream jfos = new FileOutputStream("G:\\testDest.jks");
jksDest.store(jfos, testPass);
jfos.close();
// -----------------------------------------------------------------
// Create Bouncy Castle KeyStore and add certificate and key
Security.addProvider(new BouncyCastleProvider());
KeyStore bksKS = KeyStore.getInstance("PKCS12","BC");
bksKS.load(null,null);
bksKS.setKeyEntry(testAlias, jksPK, testPass, jksCerts);
FileOutputStream bksFos = new FileOutputStream("G:\\testDest.bks");
bksKS.store(bksFos, testPass);
bksFos.close();
// -------------------------
// Open file and check key length:
bksKS = KeyStore.getInstance("PKCS12","BC");
FileInputStream bksFis = new FileInputStream("G:\\testDest.bks");
bksKS.load(bksFis, testPass);
PrivateKey bpk = (PrivateKey) bksKS.getKey(testAlias,testPass);
rsaKey = (RSAKey)bpk;
rsaKeyLen = rsaKey.getModulus().bitLength();
System.out.printf("BKS key length is %d\n",rsaKeyLen); // 2048
X509Certificate bkCert = (X509Certificate) bksKS.getCertificate(testAlias);
System.out.printf("Issuer name: %s", bkCert.getIssuerDN().getName());
}catch(Exception e){
e.printStackTrace();
}
}
I have the following code that tries to initialize KeyManagerFactory using SHA-256 hash as password.
public static KeyManager[] getKeystoreManagers()
throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException {
KeyStore keystore = getKeyStore();
if (keystore == null) {
return null;
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keystore, getMachinePassword(SHA_256).toCharArray());
return kmf.getKeyManagers();
}
getKeyStore() returns my application keystore. getMachinePassword() returns a password using SHA-256, 64 digits password length. The problem is that I get the exception when init() is called:
java.security.UnrecoverableKeyException: Cannot recover key
If I am passing smaller password length lets say, 50 digits the init succeeded. What seems to be the problem here?
I've solved my problem. The keystore was created using setEntry with specific alias. Therefore, in my conversion function I had to get the entry using the old password and set the same entry with the same alias again with the new password. Now, with this updated keystore the KeyManagerFactory.init() runs successfully. See the following code below:
static void convertPasswordAlgorithm(String keystorePath, String fromAlgorithm, String toAlgorithm) throws Exceptionc {
FileInputStream fileInStream = null;
String keystoreFullPath = keystorePath + ISiteConstants.c_FILE_SEPERATOR + KEYSTORE_FILE_NAME;
KeyStore keyStore;
try {
String alias = getCertificateAlias();
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
fileInStream = new FileInputStream(keystoreFullPath);
// Try to load the keystore with fromAlgorithm password hash.
char[] machineOldAlgPassword = getMachinePassword(fromAlgorithm).toCharArray();
keyStore.load(fileInStream, machineOldAlgPassword);
// Save the entry to update
KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(machineOldAlgPassword));
HandleFiles.close(fileInStream);
// If succeeded, recalculate password using toAlgorithm hash and save.
String machineNewAlgPassword = getMachinePassword(toAlgorithm);
keyStore.setEntry(alias, entry, new KeyStore.PasswordProtection(machineNewAlgPassword.toCharArray()));
FileOutputStream fileOutputStream = new FileOutputStream(keystoreFullPath);
keyStore.store(fileOutputStream, machineNewAlgPassword.toCharArray());
HandleFiles.close(fileOutputStream);
} finally {
HandleFiles.close(fileInStream);
}
}
The question is how to generate certificate chains programmatically in Java. In other words, I would like to perform in java the operations detailed here: http://fusesource.com/docs/broker/5.3/security/i382664.html
Besically, I can create the RSA keys for a new client:
private KeyPair genRSAKeyPair(){
// Get RSA key factory:
KeyPairGenerator kpg = null;
try {
kpg = KeyPairGenerator.getInstance("RSA");
} catch (NoSuchAlgorithmException e) {
log.error(e.getMessage());
e.printStackTrace();
return null;
}
// Generate RSA public/private key pair:
kpg.initialize(RSA_KEY_LEN);
KeyPair kp = kpg.genKeyPair();
return kp;
}
and I generate the corresponding certificate:
private X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
throws GeneralSecurityException, IOException {
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
Then I generate the cert signing request and I save it to csrFile file:
public static void writeCertReq(File csrFile, String alias, String keyPass, KeyStore ks)
throws KeyStoreException,
NoSuchAlgorithmException,
InvalidKeyException,
IOException,
CertificateException,
SignatureException,
UnrecoverableKeyException {
Object objs[] = getPrivateKey(ks, alias, keyPass.toCharArray());
PrivateKey privKey = (PrivateKey) objs[0];
PKCS10 request = null;
Certificate cert = ks.getCertificate(alias);
request = new PKCS10(cert.getPublicKey());
String sigAlgName = "MD5WithRSA";
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privKey);
X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
X500Signer signer = new X500Signer(signature, subject);
request.encodeAndSign(signer);
request.print(System.out);
FileOutputStream fos = new FileOutputStream(csrFile);
PrintStream ps = new PrintStream(fos);
request.print(ps);
fos.close();
}
where
private static Object[] getPrivateKey(KeyStore ks, String alias, char keyPass[])
throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException {
key = null;
key = ks.getKey(alias, keyPass);
return (new Object[]{ (PrivateKey) key, keyPass });
}
Now I should sign the CSR with the CA private key, but I cannot see how to achive that in java. I have "my own" CA private key in my jks.
Besides, once I manage to sign the CSR I should chain the CA cert with the signed CSR: how that can be done in java?
I would prefer not to use bc or other external libs, just "sun.security" classes.
Thank you.
I believe the code example in the post http://www.pixelstech.net/article/1406726666-Generate-certificate-in-Java----2 will show you how to generate certificate chain with pure Java. It doesn't require you to use Bouncy Castle.
Sorry, but despite your desires, and besides writing all of your crypto code and including it with your project (not recommended), I'd recommend using Bouncy Castle here.
Specifically, please refer to https://stackoverflow.com/a/7366757/751158 - which includes code for exactly what you're looking to do.
I see you've already gone over to the BouncyCastle side of the house but just in case anyone else was wondering; you can add the cert chain to the entry when putting the key into the KeyStore. For example
// build your certs
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load([keystore stream], password.toCharArray());// or null, null if it's a brand new store
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _clientCert;
chain[1] = _caCert;
keyStore.setKeyEntry("Alias", _clientCertKey, password.toCharArray(), chain);
keyStore.store([output stream], password.toCharArray());
// do other stuff