Java Security

Error getting keys into a KeyManagerFactory from a PKCS12 KeyStore

843811 Jul 19 2009 — edited Jul 20 2009
Hi, below is a script demonstrating how I'm creating a signed X.509 certificate using OpenSSL then failing to load it properly into a Java app. Why am I getting that exception? I have also tried almost every combination of null, "", "serverpass", and "capass" into each of the two places in the Java code that ask for a passphrase char array, and those attempts only result in division by zero errors. Thanks in advance for any help!
#!/usr/bin/env bash

set -o errexit -o nounset

cat > ssl.cfg << EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C                      = US
EOF

# CA
openssl genrsa -des3 -out ca.key -passout pass:capass 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -passin pass:capass -config ssl.cfg

# cert
openssl genrsa -des3 -out server.key -passout pass:serverpass 4096
openssl req -new -key server.key -out server.csr -passin pass:serverpass -config ssl.cfg

# sign
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -passin pass:capass

# convert to pkcs12
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:serverpass -passout pass:

# try to use from java
cat > SslTest.java << EOF
import java.io.*; import java.security.*; import javax.net.ssl.*;
public class SslTest {
  public static void main(String[] args) throws Exception {
    FileInputStream fis = new FileInputStream(args[0]);
    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(fis, null);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, "serverpass".toCharArray());
  }
}
EOF
javac SslTest.java
java SslTest server.p12

######
# Output:
#
# Generating RSA private key, 4096 bit long modulus
# ..++
# ..................................++
# e is 65537 (0x10001)
# Generating RSA private key, 4096 bit long modulus
# .++
# ...................................................................++
# e is 65537 (0x10001)
# Signature ok
# subject=/C=US
# Getting CA Private Key
# Exception in thread "main" java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
#         at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:288)
#         at java.security.KeyStore.getKey(KeyStore.java:779)
#         at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
#         at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
#         at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
#         at SslTest.main(SslTest.java:9)
# Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
#         at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811)
#         at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
#         at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:345)
#         at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:378)
#         at javax.crypto.Cipher.doFinal(Cipher.java:1813)
#         at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:270)
#         ... 5 more
Locked on Aug 17 2009
Added on Jul 19 2009
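
The script in the post exports `server.p12` with `-passout pass:` (an empty export password). In a PKCS#12 bundle the private key is encrypted under that export password, not under the passphrase of the original PEM key. The following is an added example, not part of the original post, that reports which candidate password actually opens a PKCS#12 file; the function names `p12_password_ok`, `find_p12_password` and `make_demo_p12`, the `demo.*` file names, and an `openssl` binary on the PATH are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the post): report which candidate password really
# protects a PKCS#12 file. Function and file names are assumptions.

# True only if PASS verifies the MAC and decrypts the private key bag.
# The password travels in the environment, not on the command line.
p12_password_ok() {  # usage: p12_password_ok FILE PASS
  P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
    -nocerts -nodes >/dev/null 2>&1
}

# Prints the first candidate that opens FILE ("<empty>" for ""); 1 if none.
find_p12_password() (  # usage: find_p12_password FILE CANDIDATE...
  file="$1"; shift
  for cand in "$@"; do
    if p12_password_ok "$file" "$cand"; then
      printf '%s\n' "${cand:-<empty>}"
      exit 0
    fi
  done
  exit 1
)

# Constructed sample data: a throwaway key whose PEM passphrase is KEYPASS,
# exported to DIR/demo.p12 under EXPORTPASS, mirroring the post's two steps.
make_demo_p12() (  # usage: make_demo_p12 DIR KEYPASS EXPORTPASS
  cd "$1" || exit 1
  export KEYPASS="$2" EXPORTPASS="$3"
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nC = US\n' \
    > demo.cfg
  {
    openssl req -new -x509 -newkey rsa:2048 -days 1 -config demo.cfg \
      -keyout demo.key -out demo.crt -passout env:KEYPASS &&
    openssl pkcs12 -export -in demo.crt -inkey demo.key -out demo.p12 \
      -passin env:KEYPASS -passout env:EXPORTPASS
  } >/dev/null 2>&1
)

# Command-line use: script.sh FILE CANDIDATE...
if [ "$#" -ge 2 ]; then
  find_p12_password "$@"
fi
```

On the Java side, `KeyStore.load(stream, null)` performs no integrity check, so a password mismatch only surfaces later when `KeyManagerFactory.init` tries to decrypt the key. Exporting with a non-empty password and passing that same password to both `load` and `init` keeps the two steps consistent.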