Oracle Java 7 keytool cannot import pkcs11 keystore into JKS: not PKCS 8 encoded

Question

I have followed the Oracle guide to try to import my PKCS#11 keystore in my smartcard into a JKS keystore in my filesystem, in Ubuntu 16.04. I have Oracle JDK 7 installed, and the driver file of my Izenpe card.

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

And I have encountered this bug with Open JDK 7:

java keytool with opensc pkcs#11 provider only works with debug option enabled

stating that with Open JDK the implementation has a bug and you should get around it. The post doesn't solve my problem and I switch to Oracle JDK 7 and I can list the private key entry in my card:

keytool -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 \
            -providerArg $JAVA_HOME/config.ini \
        -v -list

where the config.ini is:

name=Izenpe-static
library=/usr/lib/libbit4ipki.so
showInfo=true

So, I get:

easternfox@easternfox-Ubuntu:~/下载/electronic-wechat-production$ keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/easternfox/文档/config.ini -v -list 

Information for provider SunPKCS11-Izenpe-static
Library info:
  cryptokiVersion: 2.20
  manufacturerID: bit4id srl                      
  flags: 0
  libraryDescription: bit4id PKCS#11                  
  libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
  slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00       
  manufacturerID: unknown                         
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 0:
  label: IZENPE                          
  manufacturerID: Oberthur Technologies           
  model: Cosmo ID ONE (L)
  serialNumber: 1550001000002654
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
  ......

Enter keystore password:  

Keystore type: PKCS11
Keystore provider: SunPKCS11-Izenpe-static

Your keystore contains 1 entry

Alias name: CIUDADANO FICTICIO ACTIVO
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: SERIALNUMBER=92920000T, SURNAME=FICTICIO, GIVENNAME=CIUDADANO, CN=CIUDADANO FICTICIO ACTIVO, DNQ=-dni 92920000T, OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, OU=Herritar ziurtagiria - Certificado de ciudadano, OU=Ziurtagiri onartua - Certificado reconocido, C=ES
Issuer: CN=Herritar eta Erakundeen CA - CA de Ciudadanos y Entidades (4), OU=NZZ Ziurtagiri publikoa - Certificado publico SCI, O=IZENPE S.A., C=ES
......

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 00 DE A8 79 08 14 F9 FA   05 2C BF 8B 65 99 69 91  ...y.....,..e.i.
0010: EA 5D 70 45                                        .]pE
]
]

*******************************************
*******************************************

And, when I try keytool -importkeystore, I have several errors:

Running keytool -importkeystore --help gives me a lot of useful information:

keytool -importkeystore [OPTION]...

Imports one or all entries from another keystore

Options:

 -srckeystore <srckeystore>            source keystore name
 -destkeystore <destkeystore>          destination keystore name
 -srcstoretype <srcstoretype>          source keystore type
 -deststoretype <deststoretype>        destination keystore type
 -srcstorepass <arg>                   source keystore password
 -deststorepass <arg>                  destination keystore password
 -srcprotected                         source keystore password protected
 -srcprovidername <srcprovidername>    source keystore provider name
 -destprovidername <destprovidername>  destination keystore provider name
 -srcalias <srcalias>                  source alias
 -destalias <destalias>                destination alias
 -srckeypass <arg>                     source key password
 -destkeypass <arg>                    destination key password
 -noprompt                             do not prompt
 -providerclass <providerclass>        provider class name
 -providerarg <arg>                    provider argument
 -providerpath <pathlist>              provider classpath
 -v                                    verbose output

Use "keytool -help" for all available commands

If I omit srckeypass/destkeypass, I have:

easternfox@easternfox-Ubuntu:$ keytool -srckeystore NONE -srcstoretype PKCS11 \
    -destkeystore /home/easternfox/my.new.jks -deststoretype jks -deststorepass qwerqwer \
    -providerClass sun.security.pkcs11.SunPKCS11 \
         -providerArg $JAVA_HOME/config.ini 
    -v -importkeystore


Information for provider SunPKCS11-Izenpe-static
Library info:
  cryptokiVersion: 2.20
  manufacturerID: bit4id srl                      
  flags: 0
  libraryDescription: bit4id PKCS#11                  
  libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
  slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00       
  manufacturerID: unknown                         
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 0:
  label: IZENPE                          
  manufacturerID: Oberthur Technologies           
  model: Cosmo ID ONE (L)
  serialNumber: 1550001000002654
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
  ulMaxPinLen: 8
  ulMinPinLen: 4
  ulTotalPublicMemory: 65535
  ....
Enter source keystore password:  
Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: non-null password required to create PrivateKeyEntry.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
Do you want to quit the import process? [no]:  n
Import command completed:  0 entries successfully imported, 1 entries failed or cancelled
[Storing /home/easternfox/my.new.jks]

So, I see the non-null password required error, and I try to specify the srckeypass and destkeypass, and get another error:

keytool error: java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
    at sun.security.tools.KeyTool.doImportKeyStore(KeyTool.java:1864)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:1024)
    at sun.security.tools.KeyTool.run(KeyTool.java:340)
    at sun.security.tools.KeyTool.main(KeyTool.java:333)

So, I must add srcalias. So I do it, and:

Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
[Storing /home/easternfox/my.new.jks]

Another error has occurred, suggesting that the private key in the card is not PKCS#8 encoded.

How to solve this? Is this a bug? Or just manufacturer-related issue?

---

What I have tried:

• I tried to specifying the argument -providerpath to change to another sunpkcs11.jar, of Oracle JDK 8, to no avail.
• I changed the driver coming with the card to another version. Not working.

EDIT：

I have tried to code a little and get the same error, with some stacktraces:

java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
    at sun.security.provider.KeyProtector.protect(KeyProtector.java:174)
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:259)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
    at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.constructJKSKeyStore(PKCS11KeyStoreConstuctor.java:66)
    at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.main(PKCS11KeyStoreConstuctor.java:22)