1 Reply Latest reply on Oct 2, 2010 9:13 PM by arshadnoor

    Help : java.security.UnrecoverableKeyException: excess private key


      I require help for the exception "java.security.UnrecoverableKeyException: excess private key"

      When i am trying to generate digital signature using PKCS7 format using bouncyCastle API, it gives the "java.security.UnrecoverableKeyException: excess private key" exception.

      The full stack trace is as follows
      ------------------------------------------------------------------------java.security.UnrecoverableKeyException: excess private key
           at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
           at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
           at java.security.KeyStore.getKey(KeyStore.java:289)
           at com.security.Security.generatePKCS7Signature(Security.java:122)
           at com.ibm._jsp._SendSecureDetail._jspService(_SendSecureDetail.java:2282)
           at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:93)
      I had tested the program under following scenarios...

      The Java Program for generating the digital signature independently worked successfully(without any change in policy files or java.security file) I have tested this independently on Sun's JDK 1.4, 1.6

      For IBM JDK 1.4 on Windows machine for WAS(Webshere Application Server) 6.0, The Program for generating the digital signature using PKCS7 works fine, but it required IBM Policy files(local_policy.jar, US_export_policy.jar) and updation in java.security file

      But the problem occurs in Solaris 5.10, WAS 6.0 where Sun JDK 1.4.2_6 is used.
      I copied the unlimited strength policy files for JDK 1.4.2 from Sun's site(because the WAS 6.0 is running on Sun's JDK intead of IBM JDK)...
      I changed the java.security file as follows(only changed content)

      I have used PKCS12(PFX) file for digital signature
      which is same for all environment(i have described as above)
      I copied the PFX file from windows to solaris using WinSCP in binary format so the content of certificate won't get currupted.
      I can not change the certificate because it's given by the company and which is working in other enviroments absolutely fine(just i have described above)

      I have gone though the "http://forums.sun.com/thread.jspa?threadID=408066" and other URLs too. but none of them helped...

      So what could be the problem for such exception?????
      I am on this issue since last one month...
      I know very little about security.
      Thanks in advance


      Edited by: user10935179 on Sep 27, 2010 2:47 AM

      Edited by: user10935179 on Sep 27, 2010 2:54 AM
        • 1. Re: Help : java.security.UnrecoverableKeyException: excess private key
          user10935179 wrote:
          The Java Program for generating the digital signature independently worked successfully(without any change in policy files or java.security file)
          If the program was working fine without changing the java.security policy file, why have you changed it to put the IBM Providers ahead of the SunRsaSign provider?

          While I cannot be sure (because I don't have an IBM provider to test this), the error is more than likely related to the fact that the IBM Provider implementations for handling RSA keys internally are different from the SunRsaSign provider. Since you've now forced the IBM provider ahead of the original Sun provider, you're probably running into interpretation issues of the encoded objects inside the keystore.

          Change your java.security policy back to the default order, and put your IBM Providers at the end of the original list and run your application to see what happens.

          Arshad Noor
          StrongAuth, Inc.