Rajesh Narravula

Reputation: 1463

getting private key from keystore

I have a .cer which is signed by others. From that I create a private key file (.jks) using the tool below.

keytool -importcert -file aaa.cer -keystore aaa.jks -alias abcd

Output:

Owner: CN=Sample, [email protected], C=IN, OU=Director, O=ABCDEF
Issuer: C=IN, O=ABCDEF, CN=Owner
Serial number: 1
Valid from: Fri Feb 20 17:11:48 IST 2015 until: Mon Feb 19 17:11:48 IST 2018
Certificate fingerprints:
         MD5:  59:9A:1C:FA:F7:F3:45:CA:06:1D:FA:AA:13:B7:68:1C
         SHA1: 3B:4E:4B:5A:57:9E:DC:D6:3E:3C:EB:18:91:60:B6:EA:9D:FB:6E:DA
         SHA256: 37:04:49:08:0A:2E:1D:5D:58:51:0E:69:C3:85:5C:45:55:F0:D9:6B:27:EE:99:6B:E7:08:B7:4A:EA:E0:83:EC
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

With the same certificate I need to sign XML; for that I wrote the code below:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document inputDocument = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xmlDoc)));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("../cer/aaa.jks"), "xxxxxxx".toCharArray());
KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("abcd", new KeyStore.PasswordProtection("xxxxxxx".toCharArray())); // line 6: the exception is thrown here
X509Certificate x509Cert = (X509Certificate) keyEntry.getCertificate();
// MEC_TYPE, WHOLE_DOC_URI and getKeyInfo(...) are defined elsewhere in the class.
XMLSignatureFactory fac = XMLSignatureFactory.getInstance(MEC_TYPE);
// Reference covering the whole document, with an enveloped-signature transform so the
// Signature element itself is excluded from the digest. SHA-1 is what this code uses;
// SHA-256 digest and signature methods are preferable for new signatures.
Reference ref = fac.newReference(WHOLE_DOC_URI, fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
SignedInfo sInfo = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
KeyInfo kInfo = getKeyInfo(x509Cert, fac);
// The private key from the keystore entry signs the document in place (enveloped signature).
DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), inputDocument.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(sInfo, kInfo);
signature.sign(dsc);
Node node = dsc.getParent();
Document signedDocument = node.getOwnerDocument();
// Serialize the signed DOM back to a string.
StringWriter stringWriter = new StringWriter();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.transform(new DOMSource(signedDocument), new StreamResult(stringWriter));
return stringWriter.getBuffer().toString();

But I'm getting an exception at line no. 6.

stack trace:

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
    at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
    at java.security.KeyStore.getEntry(Unknown Source)

Please help me fix this problem. Thanks.

Upvotes: 0

Views: 4822

Answers (1)

piet.t

Reputation: 11911

A .cer file only contains the public key together with some signing information from the CA, so you don't have a private key in your keystore to retrieve. What you did by importing the .cer file is add it to the set of certificates your JVM will trust.

What you need to make this work is the private key file that was used to generate the certificate signing request for this certificate. If it wasn't created in a Java keystore using keytool you might have to do some extra steps, since you can't directly import a private key and certificate into a .jks file but e.g. have to create an intermediate PKCS12 keystore. Using openssl it might work like this:

# Create PKCS12 keystore from private key and public certificate.
# (openssl expects PEM input here; a DER-encoded .cer must be converted with "openssl x509 -inform DER" first.)
openssl pkcs12 -export -name myservercert -in certificate.cer -inkey server.key -out keystore.p12
# Convert PKCS12 keystore into a JKS keystore. The source alias is the -name given above;
# -destalias renames the entry to the alias the Java code looks up.
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -srcalias myservercert -destalias abcd

Upvotes: 1
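A quick way to confirm the diagnosis above is `keytool -list -v -keystore aaa.jks`: an alias created with `-importcert` is reported as `Entry type: trustedCertEntry`, whereas signing needs an alias reported as `Entry type: PrivateKeyEntry`. The same distinction can be made in code before casting, which turns the cryptic `UnsupportedOperationException` into an actionable error. The class below is an added example, not code from the question or the answer; the file name `keystore.p12`, the alias `myservercert` (the `-name` used in the answer's openssl command) and the password `changeit` are assumptions. It also shows that the PKCS12 file produced by `openssl pkcs12 -export` can be opened directly with `KeyStore.getInstance("PKCS12")`, so the keytool conversion to JKS is optional.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Loads a key store and returns the private-key entry for an alias, failing with a
 * clear message when the alias holds only a trusted certificate (no private key).
 */
public final class PrivateKeyLookup {

    public static KeyStore.PrivateKeyEntry loadPrivateKeyEntry(
            String keystorePath, String storeType, char[] storePassword,
            String alias, char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);   // "PKCS12" or "JKS"
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePassword);
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias '" + alias + "' not found; aliases present: "
                    + Collections.list(ks.aliases()));
        }
        // A certificate imported with "keytool -importcert" becomes a TrustedCertificateEntry.
        // It carries no private key, which is what the original exception is reporting.
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            throw new IllegalStateException("alias '" + alias + "' is a trusted certificate entry "
                    + "(no private key); import the private key together with the certificate, "
                    + "e.g. via a PKCS12 file, instead of using -importcert");
        }
        if (!ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private key entry");
        }
        // Only private-key entries accept a PasswordProtection parameter. For a PKCS12 file
        // written by openssl the key password is the export password.
        return (KeyStore.PrivateKeyEntry) ks.getEntry(alias,
                new KeyStore.PasswordProtection(keyPassword));
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: keystore.p12 as produced by the answer's openssl command.
        KeyStore.PrivateKeyEntry entry = loadPrivateKeyEntry(
                "keystore.p12", "PKCS12", "changeit".toCharArray(),
                "myservercert", "changeit".toCharArray());
        X509Certificate cert = (X509Certificate) entry.getCertificate();
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Key algorithm: " + entry.getPrivateKey().getAlgorithm());
        // entry.getPrivateKey() is what DOMSignContext needs; entry.getCertificate() feeds KeyInfo.
    }
}
```

One caveat when taking the PKCS12 route with OpenSSL 3: its default export uses PBES2 with AES and PBKDF2/HMAC-SHA256, which old JDK releases cannot read. If `KeyStore.load` fails on such a file, re-export it with openssl's `-legacy` option or update the JDK.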
