One of the security reps at my company gave me a keystore to use when I sign my applet. However, I'm having issues actually importing the keystore. I tried executing the following, but nothing happened... well almost nothing... The keytool application prompted me for my password which I entered and then hit return. The tool responded by placing the cursor on the next line and it just sat there for like 10 minutes at which time I killed the process. I'm assuming that I'm doing something wrong and am hoping that someone can point me in the right direction.
C:/program files/java/jdk1.6.0_19/bin/keytool" -import -alias company -keystore D:/companysig.jks
Thanks,
Jeremy
If you have a keystore, you can just use that keystore with the jarsigner command. For an example, see here (you inform the keystore to be used for signing, as well as the alias of the key to use):
http://www.owasp.org/index.php/Signing_jar_files_with_jarsigner
When you use they keytool import option, you will be importing a key you specify (that's in a file) to the keystore you specify. If you don't specify the file, the command probably wants to read the key from standard input, and the process was waiting for the key that never arrived. But in any case, in your case I don't see why you'd need to use this.
If you wish to import the whole keystore into another keystore you need to use the importkeystore option:
-importkeystore [-v]
[-srckeystore <srckeystore>] [-destkeystore <destkeystore>]
[-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]
[-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]
[-srcprotected] [-destprotected]
[-srcprovidername <srcprovidername>]
[-destprovidername <destprovidername>]
[-srcalias <srcalias> [-destalias <destalias>]
[-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]
[-noprompt]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]
Related
These are the steps I am taking, in the order presented, to update a published app after fixing a bug, through Android studio:
Fix the bug.
Changed to versionCode 2 and versionName "1.1" on build.gradle (Module)
Generate Signed Bundle
Key-store path is C:\Folder\Folder\Android\MyApp.jks
Both passwords are correct
Key alias: key0 (default as on first time)
But then this error is raised:
Cause: jarsigner.exefailed with exit code 1 :
jarsigner: key associated with key0 not a private key
What could be causing this?
"Build" -> "Clean project", then "Generate signed ..." again - worked fine for me
it's simply means that you enter wrong key let me explain
your password for keystore correct
you password for The key is't correct
I had the same issue, I have tried Clean Build and Invalidate Caches/Restart but didn't work. Finally I entered a Wrong KeyStore password then it has shown some error like jarsigner error: java.lang.RuntimeException: keystore load: Keystore was tampered with, or password was incorrect. Then I tried with the Original one and it worked.
For those coming to this question to build a release candidate of a React Native app for the Play Store, or if building without Android Studio.
a) Cleaning the project is particularly useful if you've had previous errors in your release packaging:
cd android
./gradlew clean
b) Check to see if your keystore was created correctly, with a valid, exportable certificate embedded inside:
keytool -export -alias your-keystore-alias -file mycertificate.crt -keystore /path/to/keystore
You will be prompted for the keystore password you used when generating the keystore. If you get a mycertificate.crt file created successfully, there isn't anything wrong with your keystore. It's valid.
c) The not a private key error can also come up if you've not explicitly supplied a key password, and just a store password (as shown below), in your gradle release build properties:
MYAPP_UPLOAD_STORE_FILE=my-app.keystore
MYAPP_UPLOAD_KEY_ALIAS=my-app
MYAPP_UPLOAD_STORE_PASSWORD=keystorePassword
MYAPP_UPLOAD_KEY_PASSWORD=
When generating a signing certificate with keytool, there is an optional argument to generate a separate certificate password, apart from the keystore password. However, if no certificate/key password is supplied, it inherits the keystore password. So in this case, a working set of properties would be:
MYAPP_UPLOAD_STORE_FILE=my-app.keystore
MYAPP_UPLOAD_KEY_ALIAS=my-app
MYAPP_UPLOAD_STORE_PASSWORD=keystorePassword
MYAPP_UPLOAD_KEY_PASSWORD=keystorePassword
Well i also faced this problem after upgrading to android studio 3.3 and i resolved in 3 steps. But firstly make sure you backup your whole project.
In Android Studio goto File > Project Structure and untick from "use embedded JDK" then click OK
Goto Computer Settings (system settings) (win + pause key) then go to Advanced system settings>Environment variables. if JAVA_HOME not present then add it and set path to your installed JDK.
As i couldn't find a direct approach to modify jdk path in my project that is upgraded in some way to android studio 3.3 settings, i did following(for the last step) BUT MAKE SURE YOU MAKE BACKUP BEFORE THIS.
To make sure where i am guiding come to project view, I deleted ".grade", ".idea", "capture", "gradle" folders from the root and "build", "release", "lib" folder from "app" leaving "src" as it is. Deleted root.iml and did not delete app.iml file Then rebuild the project and then created the Signed package.
It went successful after 2 try. To be very honest i did the last step twice by restoring files from backup. As deleting these folders i messed up 1 time.
It seems that you are entering wrong password if
"Build" > "Clean project"
doesn't solved your problem.
Try the reference link providing :
Click here
For those who had no luck with "Clean Project", try changing the key password with the following command in the Android Studio Terminal
keytool -keypasswd -alias yourAliasName -keystore pathToYourKeystoreFile
afterwards you're prompted for your keystore password and if correct can then change the key password.
I had the same issue, I have both passwords written on a piece of paper and all of a sudden (Android Studio update?) the key password didn't work anymore. Keystore worked, could select the alias, but when generating the signed app, same error as you got.
After trying all the solutions here, it either did not work or was too complicated to even make it work.
In the end simply restarting my PC is what helped.
Special characters in your password? Read on
(Not 100% sure but) I had special characters in my key password and I decided to remove all double quotes (") only because it might have been the culprit and it worked.
Take care of the numbers of caracters of your password :
6 min
I have try more than 20 => this is ko
12 is ok
Don't use special car, caps, nums, are enought
I know this question appears no stackoverflow a lot, and the exception is to do with a missing truststore - but here is my issue:
Using Apache Tomcat v7.0.56 as server on Windows with Java 8.0.71
modified tomcat/conf/server.xml to include SSL Connector with truststoreType="PKCS12", truststoreFile="conf/regtomcat.truststore" truststorePass="password"
I launch tomcat and I know it is reading this truststore file correctly as I originally did not have the file in pkcs12 format and tomcat reported an error on startup. I also have tried breaking the file location just to see tomcat startup fail as it can not find the file. So tomcat launches okay - it is reading the truststore which must mean it exists and can be read.
I load a p12 file into my browser certificate, and go to my application URL. I then get the tomcat error:
handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty
Given that my trustore exists, and contains my certificate - what could the problem be?
I generated all certificates and truststores using keytool. The truststore was created using the command
keytool -importcert -alias regClient -storetype PKCS12 -keystore regtomcat.truststore -file regClient.cer
One probable reason might be that if we use same .jks file as a keystore and as a truststore, then the server start up is failing with following error : java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty.
Keystore is to store the ServerCerts and TrustStore is to store the CA certs. On adding at least one CA certificate in the .jks, above issue will be resolved.
Okay - the problem was the certificate was created using JDK 1.8 and the tomcat was running with JRE 1.7 - for whatever reason this caused an issue, so the fix was to use JRE 1.8 and now everything works okay.
Faced same issue. My keystore only had private key pair of the website. Imported the public certificates from the key pair all the way down to the root and it worked.
Faced same issue. The cause was far more basic: the .jks file must be readable for the account under which tomcat service runs. Though we have it as a systemctl service (hence started/stopped from root) the account was tomcat, so a simple chown tomcat:tomcat for the .jks store did the job!
For me the issue was I was passing null to the keyword as password wherein the password was changeit
ks.load(fis, "changeit".toCharArray());
Apologies for yet another "unable to find certificate" question.
I'm developing on a Windows 7 machine. I am using multiple Java versions and because of that am explicit about paths to the used java version (here Java6). I achieve this by the following two lines:
set path=c:\Program Files\Java\jdk1.6.0_45\bin;%path%
set java_home=c:\Program Files\Java\jdk1.6.0_45
I need to use a 3rd party web service https://service.gov/Service.svc?wsdl that provides a certificate.PFX certificate (both service URI and certificate file are renamed as a way to protect the 3rd party's interests). I have made sure that after importing the certificate file in Windows I can open the WSDL file in my browser.
I first import the certificate in my keystore (using Administrator Command Prompt to get access to write in the system folder):
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -keystore "c:\Program Files\Java\jdk1.6.0_45\jre\lib\security\cacerts"
I get a success notification. Still, I make sure that the new certificate is present in the output of:
keytool -list -keystore "c:\Program Files\Java\jdk1.6.0_45\jre\lib\security\cacerts"
Then I create a new folder containing blank subfolders called src and classes. Once this is done, I run wsimport from that new folder (using Java class instead of binary to make sure I am explicit about the truststore being used):
java -classpath "c:\Program Files\Java\jdk1.6.0_45\lib\tools.jar" -Djavax.net.ssl.trustStore="c:\Program Files\Java\jdk1.6.0_45\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit com.sun.tools.internal.ws.WsImport https://service.gov/Service.svc?wsdl -s src -d classes
The output is the following:
parsing WSDL...
[ERROR] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failed to read the WSDL document: https://service.gov/Service.svc?wsdl, because 1) could not find the document; /2) the document could not be read; 3) the root element of the document is not <wsdl:definitions>.
[ERROR] failed.noservice=Could not find wsdl:service in the provided WSDL(s):
At least one WSDL with at least one service definition needs to be provided.
Failed to parse the WSDL.
The WSDL file contains and is used by other organisations, so the problem is pretty certainly not on the 3rd party's side.
Am I missing something? To me it all seems obvious by now, but it still doesn't work. I have also tried this with Java8, and the result is pretty much the same. The only difference is that in Java8, the WsImport class no longer exists, so I am using the wsimport.exe binary.
Thanks in advance for any ideas or hints.
The pfx file (which contains a certificate and also a private key) is for client authentication, while a truststore is for validating the server certificate. It is important to understand the difference between a keystore and a truststore.
You have imported the client certificate (and key) into the default truststore (cacerts). What you should have done instead is:
Import the issuer (CA) of the SSL certificate of the server into cacerts. You can skip this step if the CA certificate is already in cacerts, which is probably the case here.
Use the pfx file as your keystore for client authentication. The easiest way is to convert it to jks: https://stackoverflow.com/a/3054034/2672392 The properties to pass to wsimport are "javax.net.ssl.keyStore" and "javax.net.ssl.keyStorePassword".
See this answer for a list of important SSL properties: https://stackoverflow.com/a/5871352/2672392
I successfully installed a GoDaddy SSL certificate in Tomcat last year.
When the certificate expired, I renewed it. I did this without generating a new keystore or CSR. GoDaddy delivered three files to me, gd_bundle.crt, gd_intermediate.crt, and a third .crt file with a random number as the name.
I don't know what to do next. I assume I have to incorporate these files into my existing keystore. GoDaddy provides this help page:
http://support.godaddy.com/help/article/5355/ssl-certificate-renewal-tomcat-4-x5-x6-x
The page says I can do this one of two ways. I tried the first way and all I got was an error message saying "-inkey: no such file or directory". I tried the second way, but I do not have any file with the name it references, and also any attempt to import the new certs into the existing keystore results in an error "certificate not imported, alias already exists".
What is the correct way to update my keystore file with the new certificate?
Thanks.
You need to use the keytool to import the numbered file into the existing KeyStore, using the same alias you're already using, with the -importcert option.
I generate a certificate using the keytool command:
keytool -genkeypair -alias myRSAKey -keyalg RSA -keysize 1024 -keystore test.p12 -storepass test -storetype pkcs12
Then if I try to load it using java security API, after getting the file as a byte[] :
KeyStore ks = KeyStore.getInstance("PKCS12");
try{
ks.load(new ByteArrayInputStream(data), "test".toCharArray())
} catch (Exception e){
...
}
I get a DerInputStream.getLength(): lengthTag=127, too big exception.
What is wrong?
I had this problem and I've searched the depths of google and still couldn't find the answer. After some days battling with a terrible quality legacy code, I found what was causing this error.
KeyStore.load(InputStream is, String pass);
this method takes an InputStream and if there's any problem with such InputStream, this exception is thrown, some problems that I've encountered:
The InputStream points to the wrong / blank / just created file
The InputStream is already open or something else is holding the resource
The InputStream was already used and read, thus the position of the next byte of InputStream is it's end
The last one was the responsible for my problem. The code was creating an InputStream from a certificate, and proceeding to use it in two KeyStore.load() calls, the first one was successful, the second one always got me this error.
For others with a similar problem:
"keystore load: DerInputStream.getLength(): lengthTag=109, too big."
For me solution was to remove the param: -storetype pkcs12
since the standard type is jks
Probably the certificate you create has an extra character at the end which is misinterpreted to be another certificate.
Use one or more blank lines at the end.
Refer: Java Certificate Parsing
My issue (lengthTag=109, too big) was the .p12 file actually is JKS format and not PKCS # 12 format. Someone renamed the file extension. By regenerating in proper PKCS format resolved the issue.
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:599)
at sun.security.util.DerValue.init(DerValue.java:365)
at sun.security.util.DerValue.<init>(DerValue.java:320)
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)
at java.security.KeyStore.load(KeyStore.java:1445)
To check the format of a security file, may use KeyStore Explorer to open the file. The left bottom bar shows the actual format.
Specify the type of certificate in the code
for eg:
System.setProperty("javax.net.ssl.trustStoreType", "jks");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
This happened to me in Android Studio after AndroidX migration and using the new testing framework. Even deleting the existing ~/.android/debug.keystore was failing for me
The solution was regenerate it manually (accept all questions as empty and say yes at the last one)
$ keytool -genkey -v -keystore debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000
And copy it
$ rm ~/.android/debug.keystore
$ cp debug.keystore ~/.android/debug.keystore
This happened to me because I had copy and pasted the .p12 file locally on my windows 10 machine. No clue how/why this is a problem, but when I clone a project that has .p12 files and point my code to them, the files work. However, copy and pasting the files in windows file explorer to somewhere else on the harddrive causes this error!!!!
I had the same issue.
My solution is to replace PKCS12 with jceks in the line below because I was apparently using the wrong type.
KeyStore clientStore = KeyStore.getInstance("PKCS12");
You are doing something wrong.
I tried your command and then loaded the p12 just fine.
The following code works:
FileInputStream fin = new FileInputStream("..\\test.p12");
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(fin, "123456".toCharArray());
System.out.println(ks.getCertificate("myrsakey"));
I was wondering if you put the command as is you get an error from keytool that the password must be at least 6 characters.
You did not get that error? What version of java are you using?
Note:if you need to create certificates you can also look into this tool.
http://sourceforge.net/projects/certhelper/
Make sure the scope of the inputstream variable is only to the method where you’re declaring it but not as static/class variable.This way this exception can be avoided.
Reason : Inputstream is not getting closed after the first time of loading certificate or data in it while it is declared as class variable.so make it available only to method.
This happened to me because the following command:
openssl pkcs12 -export -in import.pem -inkey myhost.key.pem -name shared > server.p12 (from https://docs.oracle.com/en/database/other-databases/nosql-database/12.2.4.5/security/import-key-pair-java-keystore.html)
generated a wrongly formatted pkcs12 file. Using the following corrected the problem:
openssl pkcs12 -export -in import.pem -inkey myhost.key.pem -name shared -out server.p12
This error has multpile causes... The log can be realy confusing.
One main cause can be maven filtering.
According to maven official documentation
Warning: Do not filter files with binary content like images! This will most likely result in corrupt output.
Our .jks was corrupted by maven during packaging stage.
This thread helped me to figure it out.
We can exclude some directories or file extensions from filtering directly in concerned pom.xml :
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>${maven-resources-plugin.version}</version>
<configuration>
<nonFilteredFileExtensions>
<nonFilteredFileExtension>jks</nonFilteredFileExtension>
<nonFilteredFileExtension>p12</nonFilteredFileExtension>
</nonFilteredFileExtensions>
</configuration>
</plugin>