Bug
Resolution: Fixed
P3
5.0
tiger
generic
generic
The Plugin team has valid certificates that they use for JSSE client authentication, stored in a normal
JKS keystore. They are trying to copy the entry to a PKCS12 keystore using the code below, where
c[0] = client cert
c[1] = ca cert
engineSetKeyEntry throws the following exception.
wetmore@summer] 221 >java template
Exception in thread "main" java.security.KeyStoreException: Key protection algorithm not foundjava.security.KeyStoreException: Certificate chain is not validate
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:409)
at java.security.KeyStore.setKeyEntry(KeyStore.java:397)
at template.main(template.java:34)
Caused by: java.security.KeyStoreException: Certificate chain is not validate
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:396)
... 2 more
The PKCS12KeyStore code tries to match the subject of c[0] against the issuer of c[1], which do not match when the chain is in this (client cert first) order.
If the certificates were in reverse order, this would work fine.
import java.io.*;
import java.util.*;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.*;

public class template {
    public static void main(String args[]) throws Exception {
        // Load the existing JKS keystore holding the client-auth entry.
        KeyStore jks = KeyStore.getInstance("JKS");
        FileInputStream fis = new FileInputStream("clientAuthStore");
        jks.load(fis, "changeit".toCharArray());
        fis.close();

        // certChain[0] is the client cert, certChain[1] the CA cert.
        Certificate[] certChain = jks.getCertificateChain("gu_client");
        Key outKey = jks.getKey("gu_client", "changeit".toCharArray());
        System.out.println(certChain[0]);
        System.out.println(certChain[1]);

        // Reversed order (CA cert first): this setKeyEntry succeeds.
        Certificate[] revCertChain = new Certificate[] {
            certChain[1], certChain[0]};
        FileOutputStream fos = new FileOutputStream("pkcs12");
        KeyStore pkcs_rev = KeyStore.getInstance("PKCS12");
        pkcs_rev.load(null, "changeit".toCharArray());
        pkcs_rev.setKeyEntry("changeit", outKey,
            "changeit".toCharArray(), revCertChain);
        pkcs_rev.store(fos, "changeit".toCharArray());
        fos.close();

        // Now try using original order (client cert first): this setKeyEntry throws.
        FileOutputStream fos2 = new FileOutputStream("pkcs12.try");
        KeyStore pkcs = KeyStore.getInstance("PKCS12");
        pkcs.load(null, "changeit".toCharArray());
        pkcs.setKeyEntry("changeit", outKey,
            "changeit".toCharArray(), certChain);
        pkcs.store(fos2, "changeit".toCharArray());
        fos2.close();
    }
}
This should be more flexible and allow either order. Or, if the methods
require a particular ordering, it is not stated in the API.
The API probably needs updating in either case: neither setKeyEntry
method mentions this.
###@###.### 2003-06-11
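Added example, not part of the bug report and not the JDK's own fix: a helper that puts a chain into the end-entity-first order that getCertificateChain returns, verifying each link's signature along the way, before calling setKeyEntry. The point for a practitioner is that the ordering and the subject/issuer linkage should be checked explicitly by the caller, with a clear error, rather than discovered through a provider-specific exception (or, worse, accepted silently by a provider that does not check). The class name ChainOrder, the method names and the RSA modulus comparison are this example's own choices; the alias gu_client and the password changeit are the ones from the report.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Example helper (not JDK code): normalise and check a chain before storing it. */
public final class ChainOrder {

    /**
     * Returns the chain end-entity first: the certificate that issued no other chain
     * member comes first, then its issuer, up to a self-signed root or the last issuer
     * supplied. Each link is checked by verifying the certificate's signature with the
     * next certificate's public key, so a chain that does not really link is rejected.
     */
    public static X509Certificate[] endEntityFirst(Certificate[] chain) throws KeyStoreException {
        if (chain == null || chain.length == 0) {
            throw new KeyStoreException("empty certificate chain");
        }
        Map<X500Principal, X509Certificate> bySubject = new HashMap<X500Principal, X509Certificate>();
        Set<X500Principal> issuers = new HashSet<X500Principal>();
        for (Certificate c : chain) {
            if (!(c instanceof X509Certificate)) {
                throw new KeyStoreException("non-X.509 certificate in chain");
            }
            X509Certificate x = (X509Certificate) c;
            bySubject.put(x.getSubjectX500Principal(), x);
            if (!x.getIssuerX500Principal().equals(x.getSubjectX500Principal())) {
                issuers.add(x.getIssuerX500Principal());
            }
        }
        // The end-entity certificate is the one no other chain member names as its issuer.
        X509Certificate leaf = null;
        for (X509Certificate x : bySubject.values()) {
            if (!issuers.contains(x.getSubjectX500Principal())) {
                if (leaf != null) {
                    throw new KeyStoreException("chain has more than one end-entity certificate");
                }
                leaf = x;
            }
        }
        if (leaf == null) {
            throw new KeyStoreException("issuer cycle: no end-entity certificate found");
        }
        List<X509Certificate> ordered = new ArrayList<X509Certificate>();
        X509Certificate current = leaf;
        while (true) {
            ordered.add(current);
            X500Principal issuer = current.getIssuerX500Principal();
            if (issuer.equals(current.getSubjectX500Principal())) {
                break;                       // self-signed root: chain complete
            }
            X509Certificate next = bySubject.get(issuer);
            if (next == null) {
                break;                       // issuer not supplied: chain ends at an intermediate
            }
            if (ordered.contains(next)) {
                throw new KeyStoreException("issuer cycle in certificate chain");
            }
            try {
                current.verify(next.getPublicKey());   // link check: current was signed by next
            } catch (GeneralSecurityException e) {
                throw new KeyStoreException("certificate " + current.getSubjectX500Principal()
                        + " is not signed by " + issuer, e);
            }
            current = next;
        }
        if (ordered.size() != chain.length) {
            throw new KeyStoreException("chain contains certificates that do not link to the end-entity certificate");
        }
        return ordered.toArray(new X509Certificate[ordered.size()]);
    }

    /**
     * Copies one private-key entry from src to dst with the chain in end-entity-first
     * order; for RSA keys it also checks that the leaf certificate belongs to the key.
     */
    public static void copyKeyEntry(KeyStore src, String alias, char[] keyPass, KeyStore dst)
            throws GeneralSecurityException {
        Key key = src.getKey(alias, keyPass);
        Certificate[] chain = src.getCertificateChain(alias);
        if (key == null || chain == null) {
            throw new KeyStoreException("no private-key entry for alias " + alias);
        }
        X509Certificate[] ordered = endEntityFirst(chain);
        if (key instanceof RSAPrivateKey && ordered[0].getPublicKey() instanceof RSAPublicKey
                && !((RSAPrivateKey) key).getModulus()
                        .equals(((RSAPublicKey) ordered[0].getPublicKey()).getModulus())) {
            throw new KeyStoreException("end-entity certificate does not match the private key for " + alias);
        }
        dst.setKeyEntry(alias, key, keyPass, ordered);
    }
}
```

With the report's keystores loaded as in the test program, the copy becomes `ChainOrder.copyKeyEntry(jks, "gu_client", "changeit".toCharArray(), pkcs)`; the PKCS12 provider then receives the chain in the documented order whatever order the source keystore handed back. A chain that stops at an intermediate is returned as-is, since whether an incomplete chain is acceptable depends on the deployment; callers that require a root can check that the last element is self-signed.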