Getting keystore issues after JRE update from 1.8.0_131 to 1.8.0_151 version.

Joyce18
Joyce18 Member Posts: 1
edited Oct 9, 2018 11:39AM in Java Enterprise Edition

We have updated JRE from 1.8 Update 131 to 1.8 Update 151 version.

We followed the same process to generate the keystore from the certificate as we did in JRE 1.8 Update 131.

After the update we are getting the below exception while loading the keystore.

java.io.IOException: Invalid secret key format

at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)

at java.security.KeyStore.load(Unknown Source)

There is no change in our Java code.

Can you please help us resolve this issue?


Answers

  • Arun Sanbhat
    Arun Sanbhat Member Posts: 3
    edited Jan 10, 2018 8:58AM

    I am having a similar issue. We have an Oracle procedure which calls a java class for performing some encryption.  The Oracle procedure shows the following error in the Oracle alert log:

    ORA-29532: Java call terminated by uncaught Java exception: java.io.IOException: Invalid secret key format

    The above procedure is working on all previous versions of Oracle (up to Oracle 12cR1).

    The version where this issue has occurred is Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

    With the Partitioning and this is on Linux. We had recently applied the following update patch on Oracle:

    Patch Description: Database PSU 12.1.0.2.171017, Oracle JavaVM Component (OCT2017).

    Also, we had upgraded Java on the Linux machine to Java JRE 1.8 update 152. Not sure if this would affect the Oracle internal JRE, which is 1.6.0_171.

    Can someone please help us to resolve this issue?

  • bec2d695-0a43-4c44-9f46-f55f678c8b69
    edited Feb 21, 2018 1:05AM

    Any updates on this? We're seeing the same thing.

  • user1527706
    user1527706 Member Posts: 3
    edited Apr 23, 2018 11:24AM

    I am having this same issue when I updated the JDK from 1.8.0_141 to 1.8.0_151, can anybody resolve this?

    @Joyce18, what's going on about this issue?

    PS:

    the key store type is JCEKS

  • user1527706
    user1527706 Member Posts: 3
    edited Apr 24, 2018 8:17AM

    I think this is a bug of com.sun.crypto.provider.JceKeyStore from JDK 1.8.0_151 (JDK 1.8.0 update 151~172 have this issue).

    When I imported the old keystore file to a new keystore file with the keytool of JDK 1.8.0_141,

    and used the new keystore file when running my application, the error was gone, and the application is running well.

  • user1527706
    user1527706 Member Posts: 3
    edited Apr 28, 2018 12:49PM

    I have checked the source code and found that the error comes from the step that reads a SecretKeyEntry from my keystore file.

    I have also tested that when I use jdk1.8.0_151 to load a JCEKS keystore without a SecretKeyEntry, it works well.

    But when opening a keystore with a SecretKeyEntry, when java.io.ObjectInputStream#resolveClass() is called, it reads the provider name from the keystore file and gets 'com.sun.crypto.provider.ai',

    but there is no provider whose name is 'com.sun.crypto.provider.ai',

    so a ClassNotFoundException is thrown; finally, this exception is wrapped as an 'IOException("Invalid secret key format")'.

  • user13803674
    user13803674 Member Posts: 2
    edited Jun 6, 2018 1:00AM

    I can recreate same issue with 8u152 and 8u162. Did they accept it as a bug yet?

  • user13803674
    user13803674 Member Posts: 2
    edited Jun 7, 2018 7:55PM

    This solution worked for me -

    The issue is due to the latest security vulnerability fix JDK-8181370 (Better keystore handling) provided by Oracle (security enhancement).

    Since it is a very old keystore, you will need to import the keystore using the keytool from an older JDK (prior to the fix for JDK-8181370); you can use JDK 1.8.0.131.

    So, the steps would be:

    1) install JDK 1.8.0.131 (which is known to be able to read the keystore) 

    2) import the keystore using this older JDK's keytool.

    Now, the imported keystore should be readable by the latest JDK.

  • nikki_carol
    nikki_carol Member Posts: 10
    edited Aug 6, 2018 2:05AM

    I am having this same issue when I updated the JDK from 1.8.0_141 to 1.8.0_151, can anybody resolve this?

    Please solve ??

  • 66020983-b93e-4c19-a53b-c2a1063ab4b0
    edited Oct 9, 2018 11:39AM

    As others (@user1527706, @user13803674) have mentioned the logic changed as of 8u151 (JDK-8181370), and has had an impact on some older keystores. The release notes do an excellent job of detailing how to recreate your keystore in a way that is compatible with all versions:

    https://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html

    Scroll down to "Better keystore handling"
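
The workaround reported in the answers above (re-importing the JCEKS keystore with the keytool of a JDK older than 8u151) can be scripted as follows. This is an added example, not code from any poster or from Oracle; the function names and the paths in the usage comment are assumptions. It refuses to run unless the chosen JDK reports a 1.8.0 update below 151, and it never overwrites an existing destination file.

```shell
#!/bin/sh
# Added example. Usage (paths are placeholders):
#   sh migrate_jceks.sh /opt/jdk1.8.0_131 old.jceks new.jceks

# Succeeds only for version strings of the form 1.8.0_<update> with update < 151,
# i.e. a JDK 8 build from before the JDK-8181370 change named in the thread.
predates_8u151() {
    case "$1" in
        1.8.0_*) u=${1#1.8.0_} ;;
        *) return 1 ;;
    esac
    u=${u%%[!0-9]*}              # drop suffixes such as "-b15"
    [ -n "$u" ] && [ "$u" -lt 151 ]
}

# Prints the quoted version from the first line of "java -version" (empty if none).
jdk_version() {
    "$1/bin/java" -version 2>&1 | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# migrate_jceks OLD_JAVA_HOME SRC DEST
migrate_jceks() {
    old_home=$1 src=$2 dest=$3
    ver=$(jdk_version "$old_home")
    if ! predates_8u151 "$ver"; then
        echo "refusing: $old_home reports '$ver', need 1.8.0 update < 151" >&2
        return 2
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 3
    fi
    # keytool prompts for the store passwords, so they stay out of the
    # process list and the shell history.
    "$old_home/bin/keytool" -importkeystore \
        -srckeystore "$src" -srcstoretype JCEKS \
        -destkeystore "$dest" -deststoretype JCEKS || return 4
    chmod 600 "$dest"            # the new store holds secret keys
}

if [ "$#" -eq 3 ]; then
    migrate_jceks "$@"
fi
```

Afterwards, confirm with the current JDK that the new file loads, for example with `keytool -list -storetype JCEKS -keystore new.jceks`. The older JDK lacks later security fixes, so use it for this one step only and keep it off the application's runtime path.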