7 replies. Last reply: 04.12.2005 19:40, by 843811

    Error in getting Private Key from KeyStore

    843811
      Hi,

      I am using JKS java keystore. I have successfully added two private keys and associated certificates into the keystore. When I try to access my first private key using the method keystore.getKey(alias,password) I get the key successfully, but when I try to access the second key by using the same method, I get the following exception:

      java.security.UnrecoverableKeyException: excess private key
      at sun.security.provider.KeyProtector.recover(KeyProtector.java:314)
      at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:106)
      at java.security.KeyStore.getKey(KeyStore.java:250)

      Any ideas to fix this problem?

      Regards
      YK
        • 1. Re: Error in getting Private Key from KeyStore
          843811
          any ideas plzzz ??
          • 2. Re: Error in getting Private Key from KeyStore
            843811
            import java.io.IOException;
            import java.math.BigInteger;
            import java.security.InvalidKeyException;
            import java.security.PrivateKey;
            import sun.security.util.DerValue;
            import sun.security.x509.AlgorithmId;

            // Excerpt of sun.security.pkcs.PKCS8Key.parseKey(), which JKS calls when it
            // unwraps a key entry. "version" is the class's PKCS#8 version constant (0).
            private static final BigInteger version = BigInteger.ZERO;

            public static PrivateKey parseKey (DerValue in) throws IOException
            {
                AlgorithmId algorithm;
                PrivateKey privKey;

                // PrivateKeyInfo must be a DER SEQUENCE
                if (in.tag != DerValue.tag_Sequence)
                    throw new IOException ("corrupt private key");

                BigInteger parsedVersion = in.data.getInteger().toBigInteger();
                if (!version.equals(parsedVersion)) {
                    throw new IOException("version mismatch: (supported: " +
                                          version + ", parsed: " +
                                          parsedVersion);
                }

                algorithm = AlgorithmId.parse (in.data.getDerValue ());

                try {
                    privKey = buildPKCS8Key (algorithm, in.data.getOctetString ());

                } catch (InvalidKeyException e) {
                    throw new IOException("corrupt private key");
                }

                // Anything left after the PrivateKeyInfo SEQUENCE triggers the
                // "excess private key" error seen in the stack trace above.
                if (in.data.available () != 0)
                    throw new IOException ("excess private key");
                return privKey;
            }
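            As an added example (not code from this thread or from the JDK), the following Java class reproduces the condition that the last check in parseKey() rejects: bytes left over after the outer PKCS#8 DER SEQUENCE ends. It reads the SEQUENCE length from the DER header, reports how many trailing bytes follow, and re-encodes a trimmed copy through KeyFactory so that the result is canonical PKCS#8. The class name Pkcs8TrailingBytesCheck, the helper names and the RSA test key with one appended junk byte are all constructed for the example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;

public class Pkcs8TrailingBytesCheck {

    // Returns the number of bytes that follow the outer DER SEQUENCE (0 for a clean
    // PKCS#8 PrivateKeyInfo). Throws if the header is malformed or the data is truncated.
    static int trailingBytes(byte[] der) {
        if (der.length < 2 || der[0] != 0x30) {
            throw new IllegalArgumentException("not a DER SEQUENCE");
        }
        int lenByte = der[1] & 0xFF;
        int headerLen;
        int contentLen;
        if (lenByte < 0x80) {                 // short form: length fits in one byte
            contentLen = lenByte;
            headerLen = 2;
        } else {                              // long form: next n bytes hold the length
            int n = lenByte & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n) {
                throw new IllegalArgumentException("bad DER length encoding");
            }
            contentLen = 0;
            for (int i = 0; i < n; i++) {
                contentLen = (contentLen << 8) | (der[2 + i] & 0xFF);
            }
            headerLen = 2 + n;
        }
        int total = headerLen + contentLen;
        if (total > der.length) {
            throw new IllegalArgumentException("truncated DER SEQUENCE");
        }
        return der.length - total;
    }

    // Drop any trailing bytes and re-parse, so getEncoded() on the result is canonical PKCS#8.
    static PrivateKey canonicalize(byte[] der, String algorithm) throws GeneralSecurityException {
        int extra = trailingBytes(der);
        byte[] clean = extra == 0 ? der : Arrays.copyOf(der, der.length - extra);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(clean));
    }

    public static void main(String[] args) throws Exception {
        // Constructed test input: a fresh RSA key, then a copy with one junk byte appended.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        byte[] good = kpg.generateKeyPair().getPrivate().getEncoded();
        byte[] bad = Arrays.copyOf(good, good.length + 1);

        System.out.println("trailing bytes, clean key:    " + trailingBytes(good));
        System.out.println("trailing bytes, damaged key:  " + trailingBytes(bad));

        PrivateKey fixed = canonicalize(bad, "RSA");
        System.out.println("re-encoded key is clean:      " + (trailingBytes(fixed.getEncoded()) == 0));
    }
}
```

            Run the check on key.getEncoded() before calling setKeyEntry(); a non-zero result means the key will be stored but will fail with UnrecoverableKeyException on the next getKey().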
            • 3. Re: Error in getting Private Key from KeyStore
              843811
              How was the key inserted? Using keytool or programmatically? If programmatically did you pass in a PKCS8Encoded key or did you call the standard method where the KeyStore encodes it itself?

              Somehow, either the data wasn't encoded properly, or the keystore file has been corrupted somehow...
              • 4. Re: Error in getting Private Key from KeyStore
                843811
                Hi,

                Yes, I inserted the keys programmatically. I am using the following code to insert and retrieve the private key.

                import java.security.KeyStore;
                import java.security.PrivateKey;
                import java.security.cert.X509Certificate;

                public class KeyStoreManager {

                    // keystore instance; KeyStore.getInstance() throws a checked
                    // KeyStoreException, so it is created in the constructor
                    KeyStore m_objKeyStore;

                    public KeyStoreManager() throws Exception {
                        m_objKeyStore = KeyStore.getInstance("JKS");
                        m_objKeyStore.load(null, null); // start from an empty keystore
                    }

                    // setting key into keystore
                    public void setKey(String a_strAlias, PrivateKey a_objKey, String a_strPassword, X509Certificate[] a_objX509CertificateChain) {
                        try {
                            m_objKeyStore.setKeyEntry(a_strAlias, a_objKey, a_strPassword.toCharArray(), a_objX509CertificateChain);
                        }
                        catch (Exception ex) {
                            ex.printStackTrace();
                        }
                    }

                    // getting key from keystore
                    public PrivateKey getKey(String a_strAlias, String a_strPassword) {
                        try {
                            return (PrivateKey) m_objKeyStore.getKey(a_strAlias, a_strPassword.toCharArray());
                        }
                        catch (Exception ex) {
                            ex.printStackTrace();
                            return null;
                        }
                    }

                } // end class

                When I try to access the private key using the getKey() method I get the following exception:

                java.security.UnrecoverableKeyException: excess private key
                at sun.security.provider.KeyProtector.recover(KeyProtector.java:314)
                at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:106)
                at java.security.KeyStore.getKey(KeyStore.java:250)
                at KeyStoreManager.getKey(KeyStoreManager.java:372)

                I also noted a strange behaviour, i.e. the problem occurs only if my PFX file is obtained by exporting a private key from Internet Explorer. If I use the PFX file generated by my CA, it works fine and I am able to get the private key from the keystore. I think there is some difference in the private key formats of Internet Explorer and my CA.

                Any ideas and solutions would be highly appreciated. Thanx.

                Best Regards,

                -Yasir
                • 5. Re: Error in getting Private Key from KeyStore
                  843811
                  I notice you are using a PFX file, which means you are using a PKCS#12 keystore, correct? Are you using Sun's PKCS#12 read-only keystore impl? If so, that is your problem. Sun's PKCS#12 keystore, and many others for that matter, are read-only. You need a read/write capable keystore.

                  Also note that Sun's PKCS#12 keystore does have issues with some PKCS#12 files (aka the ones created by Microsoft).

                  Try using IAIK, BouncyCastle, or WedgeTail's DSTC providers. They seem to be the most robust and they all provide read/write capabilities...
                  • 6. Re: Error in getting Private Key from KeyStore
                    843811
                    Thanx floersh,

                    I am able to resolve the issue with your kind help. You are right, there is some problem with the JKS implementation. I used the IAIK keystore and everything works fine with it. I successfully retrieved the private keys from the keystore, which were actually exported from Microsoft Internet Explorer.

                    Thanx again and Best Regards,

                    -Yasir
                    • 7. Re: Error in getting Private Key from KeyStore
                      843811
                      Hi there,

                      my reply comes quite late, but might be of interest for people facing the same problem.

                      I also just couldn't get a certain .pfx private/public keypair into my .jks keystore (while others worked just fine). First, the CA root cert had a 4096-bit RSA key, hence unsupported by Sun's crypto provider, but I had 4096-bit RSA implementations available from other vendors.

                      As has been pointed out, there seems to be an issue with Sun's keystore implementation, and it can be circumvented by using third party implementations like IAIK or BouncyCastle.

                      Still, I had to import it into a Sun keystore because of backward compatibility. I finally managed to do so by splitting up the import into several steps: first, import the private key only into your .jks (without the cert chain), then import the cert chain, and finally merge them together again programmatically and store the resulting key in your keystore.

                      Kind regards,
                      Arno Huetter
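                      As an added example (not code from this thread), the following Java program carries out the programmatic merge described in the last reply: it reads every key entry out of a PKCS#12 file, checks that the private key really belongs to the leaf certificate by signing and verifying a fixed message, writes key and chain together into a fresh JKS with setKeyEntry(), then reloads the JKS from disk and calls getKey() on each alias, which is the call that failed for the original poster. The class name Pfx2Jks, the argument layout and the test message are assumptions made for the example; it relies on the default "PKCS12" KeyStore being able to read the input file, so for files that Sun's provider rejects a third-party provider has to be registered first, as the thread suggests.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class Pfx2Jks {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java Pfx2Jks <in.pfx> <pfxPassword> <out.jks> <jksPassword>");
            System.exit(2);
        }
        char[] pfxPw = args[1].toCharArray();
        char[] jksPw = args[3].toCharArray();

        // Step 1: read the key entries from the PKCS#12 file (assumes the default provider can parse it)
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            p12.load(in, pfxPw);
        }

        // Step 2: merge key and chain into a fresh JKS; JKS requires a non-empty chain for a key entry
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);
        for (Enumeration<String> e = p12.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!p12.isKeyEntry(alias)) {
                continue;
            }
            PrivateKey key = (PrivateKey) p12.getKey(alias, pfxPw);
            Certificate[] chain = p12.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                throw new IllegalStateException("no certificate chain for alias " + alias);
            }
            if (!signsWith(key, chain[0].getPublicKey())) {
                throw new IllegalStateException("private key does not match leaf certificate for alias " + alias);
            }
            jks.setKeyEntry(alias, key, jksPw, chain);
        }
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            jks.store(out, jksPw);
        }

        // Step 3: reload from disk and recover every key; a damaged entry surfaces here as
        // UnrecoverableKeyException rather than at the next TLS handshake or signing operation
        KeyStore check = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) {
            check.load(in, jksPw);
        }
        for (Enumeration<String> e = check.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            PrivateKey k = (PrivateKey) check.getKey(alias, jksPw);
            System.out.println(alias + ": " + k.getAlgorithm() + " key recovered from JKS");
        }
    }

    // Sign and verify a fixed (constructed) message to confirm the private key matches the public key
    static boolean signsWith(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        String alg = pub.getAlgorithm(); // "RSA", "DSA" or "EC"
        String sigAlg = alg.equals("EC") ? "SHA256withECDSA" : "SHA256with" + alg;
        byte[] msg = "keystore-roundtrip-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(msg);
        return verifier.verify(sig);
    }
}
```

                      The sign/verify step is the part worth keeping even when the import works: setKeyEntry() accepts any key together with any chain, so a mismatched pair is only discovered later, while checking it at import time turns the problem into a clear error at the point where it was introduced.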