Pedro Rolo

Reputation: 29990

What causes keytool error "Failed to decrypt safe contents entry"?

I am trying to convert a standard PKCS #12 (.p12) key store into a Java JKS key store with this command:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

It is failing with:

keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

Do you have any idea how to solve this problem?

Upvotes: 42

Views: 140824

Answers (15)

Hassaan J.

Reputation: 150

In my case in Android Studio I was actually using a wrong key alias. It was "key1" while I was putting "key0". Silly mistake on my part.

Upvotes: 1

Juan Ignacio Barisich

Reputation: 2170

In our case, the issue was trying to process a p12 file generated using OpenSSL version 3.x using JDK 11.0.1. The issue does not happen:

  • using a JDK 11.11.x or above
  • using OpenSSL version 1.1.x (our choice, because JDK could not be changed)

Upvotes: 0

dlipofsky

Reputation: 329

I've seen this exact error with Open JDK 1.8.0_332-b09 and it was solved with 1.8.0_342-b07 and higher. I saw the error both with keytool on the command line and in the Java code trying to open a Jetty SSL socket. It was not a corrupt cert or bad password because just upgrading Java solved it.

Upvotes: 0

loreii

Reputation: 398

I almost lost my mind over this. If you generate the password, make sure it's in ASCII and does not include chars other than letters, numbers and symbols. UTF-8 special chars might break it.

Upvotes: 0

Eel

Reputation: 1449

In my case, it was because the password contained some special characters at the start or at the end (it's correct but not supported). Just make sure you use normal words with numbers if it didn't work for your upload key.

Cause: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

Upvotes: 0

AzyCrw4282

Reputation: 7754

My issue was somewhat unique. When I tested locally in my dev environment, it seemed to work fine. However, when I deployed to our live environments, it was giving the root error javax.crypto.BadPaddingException.

After some debugging, it turned out to be due to the JDK I was using in my Docker image. It seems to me some JDKs (e.g., some 1.8 packages) aren't compatible. With some tests I found a JDK (11.0.21) that worked with it. If you've attempted all the options and nothing has worked, then try this option and check if it's the JDK.

Upvotes: 1

Miguel Tomás

Reputation: 1911

Simply type the correct password on the build signed APK wizard form (it worked for me on Android Studio 4.2 canary 15++).

As I came to find out, when you change the app on said wizard, despite the password remaining, somehow it does not sign correctly, so you need to clear the password and type it again.

Upvotes: 0

Mohd. Shaizad

Reputation: 99

I had the same problem. I entered the password manually and the problem got resolved.

Upvotes: 8

Slava Vasylenko

Reputation: 1024

From my side, I forgot to check the language when typing the password :)

Upvotes: 0

Ram

Reputation: 41

I had a similar issue when I was trying to export certs as pfx from JKS. It worked when I excluded the deststorepass attribute in the keytool command and gave the destination store password at runtime.

keytool -importkeystore -srckeystore Keystore.jks -destkeystore dv163.pfx -srcstoretype JKS -deststoretype PKCS12 -srcalias alias1 -destalias alias1

Enter destination keystore password:

Re-enter new password:

Enter source keystore password:

Upvotes: 4

KoJaman

Reputation: 61

I had the same issue today (BadPaddingException). It seems keytool had a problem with certain characters in the password. I solved it by adding double quotes around the password.

keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass "PFX_P12_FILE" -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass "PASSWORD" -destalias ALIAS_NAME

Upvotes: 3

axiopisty

Reputation: 5155

I've never attempted to do this before, but I did find instructions on Google here.

This thread asks a similar question.

EDIT (Based on comment)

Here is the full content of the linked reference:

PFX/P12 to JKS (Java KeyStore)

Question: How do I move a certificate from IIS / PFX (.p12 file) to a JKS (Java KeyStore)?

Answer: keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME

Note: To find the srcalias, list the contents of the PFX/P12 file:

keytool -v -list -storetype pkcs12 -keystore PFX_P12_FILE > FILENAME.TXT

This writes the output of the command to a file with the name FILENAME.TXT.

Upvotes: 9

Ben

Reputation: 21

I did this command (opposite to yours) to export a private key to PKCS12 from a JKS:

keytool -importkeystore -srckeystore DemoIdentity.jks -srcstoretype JKS -destkeystore demoidentity.p12 -deststoretype PKCS12

If I left off the seemingly redundant "-srcstoretype JKS", the generated demoidentity.p12 file gave me the same error when I tried to list the details in keytool even though the above command accepted the passwords and generated a file seemingly correctly!

For your issue, perhaps you did something similar when generating keystore.p12.

Upvotes: 2

William Grand

Reputation: 1173

Sometimes this error is symptomatic of using an incorrect password for the p12 key.

Upvotes: 52

Pedro Rolo

Reputation: 29990

The pkcs12 keystore was corrupt indeed.

Upvotes: 16
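
The causes reported across the answers above (password characters, wrong password, corrupt file, JDK version) can be told apart with a short triage script. This is an added example, not part of any answer; the function names and the P12_PASS environment variable are assumptions of the example.

```shell
#!/bin/sh
# Added example; function names and the P12_PASS variable are assumptions.

# Print one flag per password property that answers above blamed for the error.
classify_password() (
    LC_ALL=C; export LC_ALL          # byte-wise matching, no locale ranges
    pw=$1
    if [ -z "$pw" ]; then echo "empty"; exit 0; fi
    # Bytes outside printable ASCII (UTF-8 sequences, tabs, other controls).
    if printf '%s' "$pw" | grep -q '[^ -~]'; then
        echo "non-ascii-or-control"
    fi
    # First or last character is not a letter or digit.
    case $pw in
        [!A-Za-z0-9]*|*[!A-Za-z0-9]) echo "edge-special" ;;
    esac
    # Anything outside this conservative set must be quoted in the shell.
    case $pw in
        *[!A-Za-z0-9@%+=:,./_-]*) echo "needs-quoting" ;;
    esac
)

# Open the file with OpenSSL, independently of any JDK. The password is read
# from the environment so it never appears on a command line.
check_p12() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASS
}

# Same conversion as in the question, with both passwords taken from P12_PASS.
convert_to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass:env P12_PASS -destkeystore "$2" -deststoretype JKS \
        -deststorepass:env P12_PASS
}

triage() {
    flags=$(classify_password "$P12_PASS")
    if [ -n "$flags" ]; then echo "password flags:" $flags; fi
    if check_p12 "$1"; then
        echo "OpenSSL opens it: suspect the JDK version or the alias"
    else
        echo "OpenSSL rejects it too: suspect the password or a corrupt file"
    fi
}

# Usage: P12_PASS=... sh triage.sh keystore.p12
if [ "$#" -ge 1 ]; then triage "$1"; fi
```
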
