Reputation: 31
Using the Java KeyStore class:
InputStream keystoreStream = new FileInputStream(strKeystorePath);
KeyStore keystore = KeyStore.getInstance("JCEKS");
keystore.load(keystoreStream, strTrustStorePwd.toCharArray());
Key key = keystore.getKey(strAliasName, strTrustStorePwd.toCharArray());
The load() method is throwing keytool error:
java.io.IOException: Keystore was tampered with, or password was incorrect.
But when I use
InputStream keystoreStream = new FileInputStream(strKeystorePath);
KeyStore keystore = KeyStore.getInstance("JCEKS");
keystore.load(keystoreStream, null);
Key key = keystore.getKey(strAliasName, strTrustStorePwd.toCharArray());
it is working fine. Please see that the same passwords are used by the load and getKey methods.
When the load() and getKey methods are used with passwords, the load() method is throwing an error, but when load() is used with a null password and getKey with the same password, it is working.
Upvotes: 3
Views: 1364
Reputation: 38781
JCEKS, like JKS, uses the store-level password (only) for integrity-checking the entire store; if you call .load(instream,null) it does not check integrity but still loads the contents -- or tries to: if the data has in fact been tampered with or damaged the load may fail in any number of ways, or appear to succeed but cause other problems later; but if the data is correct it does load. (Note this is not necessarily true of other keystore types, like PKCS11.)
The certificates in either JCEKS or JKS are unencrypted, and can be accessed without any (further) password. The private keys (if any) are individually password-encrypted, and to access a private key you need to supply the correct key-level password, which can be the same as the store password or different. It is usually less confusing to make the key password(s) the same as the store password, and less confusing is usually desirable, but it is not required.
You apparently have a JCEKS whose store password differs from the value you know, but containing a key whose password matches that value. If you want to change this, after .load(instream,null) re-write it with .store(outstream,desiredpassword).
Upvotes: 3
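The behaviour the answer describes, reproduced end to end as an added example (this is not code from the question or the answer). It builds an in-memory JCEKS whose store password and key password deliberately differ (the constructed values STORE_PW and KEY_PW, alias demo-aes), shows that load() with the wrong store password fails the integrity check, that load() with null skips the check and still lets getKey() succeed with the key-level password, that a wrong key-level password fails independently, and finally re-stores the keystore under a known password so future loads can verify integrity again. The class name JceksPasswordDemo and the helper names are assumptions for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksPasswordDemo {
    // Constructed sample values: the store password differs from the key password,
    // which is the situation the question describes.
    static final char[] STORE_PW     = "store-secret".toCharArray();
    static final char[] KEY_PW       = "key-secret".toCharArray();
    static final char[] NEW_STORE_PW = "new-store-secret".toCharArray();
    static final String ALIAS        = "demo-aes";

    // Builds an in-memory JCEKS with one secret-key entry encrypted under KEY_PW
    // and a store-level integrity MAC keyed by STORE_PW.
    static byte[] buildStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                        // initialise an empty store
        SecretKey aes = KeyGenerator.getInstance("AES").generateKey();
        ks.setKeyEntry(ALIAS, aes, KEY_PW, null);   // secret keys carry no certificate chain
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PW);
        return out.toByteArray();
    }

    // Loads a JCEKS from bytes; storePw == null skips the integrity check.
    static KeyStore open(byte[] bytes, char[] storePw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(bytes), storePw);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        byte[] store = buildStore();

        // 1. Wrong store password: the integrity check fails with the IOException
        //    seen in the question ("Keystore was tampered with, or password was incorrect").
        try {
            open(store, KEY_PW);
            System.out.println("unexpected: load succeeded with the wrong store password");
        } catch (IOException e) {
            System.out.println("load with wrong store password -> " + e.getMessage());
        }

        // 2. Null store password: no integrity check, but the contents still load,
        //    and the key-level password is still required to recover the entry.
        KeyStore ks = open(store, null);
        Key key = ks.getKey(ALIAS, KEY_PW);
        System.out.println("getKey after null-password load -> " + key.getAlgorithm());

        // 3. The key-level password is checked independently of the store password.
        try {
            ks.getKey(ALIAS, STORE_PW);
            System.out.println("unexpected: getKey succeeded with the wrong key password");
        } catch (UnrecoverableKeyException e) {
            System.out.println("getKey with wrong key password -> " + e.getMessage());
        }

        // 4. Re-write the store under a password you know, so later loads can
        //    verify integrity instead of having to pass null.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, NEW_STORE_PW);
        KeyStore reopened = open(out.toByteArray(), NEW_STORE_PW);
        System.out.println("reopened with new store password, contains alias: "
                + reopened.containsAlias(ALIAS));
    }
}
```

Step 2 is the recovery path from the answer; treat it as a one-off repair, because a null-password load gives no assurance that the file is what you last wrote, which is why step 4 immediately re-stores under a known password.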