I am having a similar issue. We have an Oracle procedure which calls a java class for performing some encryption. The Oracle procedure shows the following error in the Oracle alert log:
ORA-29532: Java call terminated by uncaught Java exception: java.io.IOException: Invalid secret key format
The above procedure is working on all previous versions of Oracle (up to Oracle 12cR1).
The version where this issue has occurred is Oracle Database 12c Enterprise Edition Release 220.127.116.11.0 - 64bit Production
With the Partitioning and this is on Linux. We had recently applied the following update patch on Oracle:
Patch Description: Database PSU 18.104.22.168.171017, Oracle JavaVM Component (OCT2017).
Also, we had upgraded Java on the Linux machine to Java JRE 1.8 update 152. Not sure if this would affect the Oracle internal JRE, which is 1.6.0_171.
Can someone please help us to resolve this issue?
Any updates on this? We're seeing the same thing.
I think this is a bug in com.sun.crypto.provider.JceKeyStore from JDK 1.8.0_151 (JDK 1.8.0 updates 151~172 have this issue).
When I imported the old keystore file into a new keystore file with the keytool of JDK 1.8.0_141
and used the new keystore file to run my application, the error is gone, and the application is running well.
I have checked the source code and found that the error comes from the step of reading the SecretKeyEntry from my keystore file.
I have also tested that when I use jdk1.8.0_151 to load a JCEKS keystore without a SecretKeyEntry, it works well.
But when opening a keystore with a SecretKeyEntry, when calling java.io.ObjectInputStream#resolveClass(), it reads the provider name from the keystore file and gets 'com.sun.crypto.provider.ai',
but there is no provider whose name is 'com.sun.crypto.provider.ai',
so a ClassNotFoundException is thrown; finally, this exception is wrapped as an 'IOException("Invalid secret key format")'.
I can recreate same issue with 8u152 and 8u162. Did they accept it as a bug yet?
This solution worked for me -
The issue is due to the latest security vulnerability fix, JDK-8181370 (Better keystore handling), provided by Oracle (security enhancement).
Since it is a very old keystore, you will need to import the keystore using the keytool from an older JDK (prior to the fix for JDK-8181370); you can use JDK 22.214.171.124
So, the steps would be:
1) install JDK 126.96.36.199 (which is known to be able to read the keystore)
2) import the keystore using this older JDK's keytool.
Now, the imported keystore should be readable by the latest JDK.
I am having this same issue since I updated the JDK from 1.8.0_141 to 1.8.0_151. Can anybody resolve this?
Please solve ??
As others (@user1527706, @user13803674) have mentioned the logic changed as of 8u151 (JDK-8181370), and has had an impact on some older keystores. The release notes do an excellent job of detailing how to recreate your keystore in a way that is compatible with all versions:
Scroll down to "Better keystore handling"
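
The re-import discussed in this thread, written out as shell functions (an added example, not part of any post above). The JDK directory and keystore file names are placeholders, and the version check only understands 1.8.0_NNN version strings; keytool prompts for the store passwords so they stay off the command line.

```shell
#!/bin/sh
# Added example. All paths and file names are placeholders.

# 0 if a "1.8.0_NNN" string predates 8u151 (the JDK-8181370 change),
# 1 if it is 8u151 or later, 2 if it is not a 1.8.0_NNN string.
predates_8u151() {
  case "$1" in
    1.8.0_*) ;;
    *) return 2 ;;
  esac
  update="${1#1.8.0_}"
  update="${update%%[!0-9]*}"   # drop build suffixes such as "-b15"
  [ -n "$update" ] || return 2
  [ "$update" -lt 151 ]
}

# Print the version string reported by the JDK installed under $1.
jdk_version() {
  "$1/bin/java" -version 2>&1 |
    sed -n 's/.* version "\(.*\)".*/\1/p' | head -n 1
}

# Copy every entry of a JCEKS keystore into a new JCEKS file using the
# keytool of an older JDK. The source keystore is left untouched.
reimport_jceks() {
  old_jdk="$1"; src="$2"; dest="$3"
  ver="$(jdk_version "$old_jdk")"
  if ! predates_8u151 "$ver"; then
    echo "refusing: $old_jdk reports '$ver', not an 8u release before 151" >&2
    return 1
  fi
  [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
  "$old_jdk/bin/keytool" -importkeystore \
    -srckeystore "$src" -srcstoretype JCEKS \
    -destkeystore "$dest" -deststoretype JCEKS
}

# Confirm that the JDK the application runs on can load the new file.
verify_jceks() {
  "$1/bin/keytool" -list -keystore "$2" -storetype JCEKS
}

# Usage (placeholder paths):
#   reimport_jceks /opt/jdk-old old.jceks new.jceks
#   verify_jceks   /opt/jdk-current new.jceks
```

Keep the original keystore until the application has been run against the new file on the current JDK.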