Leos Literak

Reputation: 9474

Java keystore failed PKCS12 integrity checking but keytool works

I have a PKCS12 certificate that is served differently by two environments. When we upload it to the DEV environment, Java can parse it, but it fails on PRODuction. The server is a Microsoft DotNet solution which is responsible for certificate manipulation. The generated keystore has an empty password. When I open the certificate in Windows I can successfully import it into the operating system without a password.

I can list the DEV certificate with keytool, but the representation is strange:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: {8c6xx9f-8041-49d2-95f7-3bcffxxxc8bcf}
Creation date: 15.5.2018
Entry type: PrivateKeyEntry

*******************************************
*******************************************

But I can open it in Java:

KeyStore keyStore = KeyStore.getInstance("pkcs12");
keyStore.load(fis, "".toCharArray());

And browse it with Keystore Explorer.

I can list the PROD certificate correctly with keytool:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: {9exx43e-83f8-405d-8f74-8b1xxxeaac37}
Creation date: 15.5.2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: OID.2.5.4.13=YCCere01, CN=CZ7, DC=CZ
Issuer: CN=EET CA 1, O=Česká Republika ? Generální finanční ředitelství, DC=CZ
Serial number: 84cxxxc6
Valid from: Wed May 09 16:11:43 CEST 2018 until: Sun May 09 16:11:43 CEST 2021
Certificate fingerprints:
         MD5:  21:CB:24:AE:4D:F5:EE:4D:C9:6A:A0:DD:AA:2F:6F:A8
         SHA1: 02:0F:6B:C2:B8:E5:18:16:F9:49:28:4F:9E:F6:63:5C:D0:6E:6B:95
         SHA256: B8:37:57:66:1A:33:31:BD:DB:4E:AB:9C:E5:31:C3:18:2B:96:88:A9:1B:21:85:30:97:D9:BB:F7:84:7B:4A:52
         Signature algorithm name: SHA256withRSA
         Version: 3

But both Java and Keystore Explorer fail to open it:

Exception in thread "main" java.io.IOException: Integrity check failed: 
java.lang.SecurityException: Failed PKCS12 integrity checking
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2058)
at java.security.KeyStore.load(KeyStore.java:1445)
at Main.main(Main.java:17)
Caused by: java.lang.SecurityException: Failed PKCS12 integrity checking
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2054)

Any idea where the problem is? The password is really empty, because I was able to import the key into Windows without it. Keytool can list its content, so why does the Java API fail to open it with a PKCS12 integrity checking error?

Upvotes: 5

Views: 23259

Answers (1)

Nikita Gavand

Reputation: 116

The password is incorrect or null. Also, the password accepted can be base64.

Upvotes: 5
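
Added example (not part of the original question or answer): `KeyStore.load` performs no integrity check when its password argument is null, whereas an empty `char[]` is still used to verify the PKCS12 MAC, so the two cases are worth probing separately. The class name, alias, key password and in-memory sample store below are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class Pkcs12PasswordProbe {

    // Build a small PKCS12 store in memory (constructed sample, not the file from the question).
    static byte[] buildSample(char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                          // start from an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed alias and key password; the key password is independent of the store password.
        ks.setKeyEntry("sample", key, "key-pass".toCharArray(), null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePassword);                 // the store MAC is derived from this password
        return out.toByteArray();
    }

    // Attempt a load and report the outcome instead of throwing.
    static String probe(byte[] p12, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(p12), password);
            return "loaded, entries=" + ks.size();
        } catch (Exception e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Sample store protected with an empty password, as described in the question.
        byte[] p12 = buildSample("".toCharArray());
        // null: integrity check is skipped, so a mismatching MAC password goes unnoticed.
        System.out.println("null password  : " + probe(p12, null));
        // empty char[]: the MAC is verified against the empty password.
        System.out.println("empty password : " + probe(p12, "".toCharArray()));
        // any other value: the MAC no longer matches and the load is rejected.
        System.out.println("wrong password : " + probe(p12, "not-the-password".toCharArray()));
    }
}
```

To test a real file, pass its bytes to `probe` in place of the constructed sample; a file that loads only with `null` has a MAC that was computed with a different password than the one being supplied.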
