
Java Security


"Invalid DER-encoded certificate data" while loading KeyStore

843811, May 12 2010 (edited Jul 27 2011)
Hello,

Using JDK 1.6.0_20 on WinXP, I am attempting to create a KeyStore object containing a single trusted certificate, but keep running into the following error when running the program:

java.security.cert.CertificateParsingException: invalid DER-encoded certificate data

I have tested several different root certificates (e.g. Verisign Class 3) to populate the keystore, and both keytool and OpenSSL seem to recognize them as DER-encoded and handle them fine. Keytool importcert and verbose list commands work fine, as does an OpenSSL list (openssl x509 -text -noout -inform DER -in certificate.cer).

I originally was using the sample code from the KeyStore API almost verbatim to attempt to load the KeyStore contents from a keystore file, just replacing a couple of placeholder items with command-line args:
    // requires java.io.FileInputStream and java.security.KeyStore
    try {
        // Create/load the keystore to use in the PKIXParameters
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

        // get user password and file input stream
        char[] password = args[1].toCharArray();

        FileInputStream fis = null;
        try {
            fis = new FileInputStream(args[0]);
            ks.load(fis, password);
        } finally {
            if (fis != null) {
                fis.close();
            }
        }
    } catch (Exception e) {
        // the CertificateParsingException quoted above is thrown from ks.load()
        e.printStackTrace();
    }
I also tested loading an empty keystore and then adding the certificate within the code:
    // requires java.io.FileInputStream, java.security.KeyStore,
    // java.security.cert.CertificateFactory and java.security.cert.X509Certificate
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Create/load the keystore to use in the PKIXParameters
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

        // get user password and file input stream
        char[] password = args[1].toCharArray();

        // fis stays null here, so ks.load() creates an empty keystore
        FileInputStream fis = null;
        FileInputStream trustedCertStream = null;
        try {
            ks.load(fis, password);

            trustedCertStream = new FileInputStream(args[0]);
            X509Certificate trustedCert = (X509Certificate) cf.generateCertificate(trustedCertStream);

            ks.setCertificateEntry("trustroot", trustedCert);
        } finally {
            if (fis != null) {
                fis.close();
            }
            if (trustedCertStream != null) {
                trustedCertStream.close();
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
Both code blocks give me that same "invalid DER-encoded certificate data" error.

If I just load a null FileInputStream, the code continues along fine until the point where you'd expect it to fail (when it's looking for trust anchors in the keystore and there are none).

To rule out issues with the command-line args being passed in, I tested passing a bogus keystore file (yielding a FileNotFound error as expected), a straight X.509 cert to the code expecting a keystore file (got an IOException - Invalid keystore format - as expected), and an incorrect password ("There was an error parsing the truststore file: java.io.IOException: Keystore was tampered with, or password was incorrect" - as expected).

Any ideas what could be causing this error and/or how to fix it?

Thanks,

Julia
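As an added illustration (not code from the original post), the following builds an in-memory trust store from a certificate file while distinguishing DER, PEM and PKCS#7 input, reports the file's leading byte when parsing fails, and prints each anchor's subject and SHA-256 fingerprint so what is being trusted can be reviewed. It assumes Java 7 or later for java.nio.file and uses the hypothetical default file name "certificate.cer".

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Collection;

// Loads every X.509 certificate in a file (DER, PEM or PKCS#7 bundle) into a fresh in-memory
// trust store and prints each subject and SHA-256 fingerprint so the anchors can be reviewed.
// The default path "certificate.cer" is hypothetical, not taken from the original post.
public class TrustStoreBuilder {
    // Describe the file's first byte so a parse failure can be tied to its encoding.
    static String sniff(byte[] data) {
        if (data.length == 0) return "empty file";
        if (data[0] == 0x30) return "first byte 0x30 (DER SEQUENCE tag)";
        if (data[0] == '-') return "first byte '-' (PEM/base64 header expected)";
        return String.format("unexpected first byte 0x%02x", data[0] & 0xff);
    }
    static KeyStore buildTrustStore(Path certFile) throws Exception {
        byte[] data = Files.readAllBytes(certFile);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try {
            // generateCertificates also accepts PKCS#7 bundles, which generateCertificate does not
            certs = cf.generateCertificates(new ByteArrayInputStream(data));
        } catch (CertificateException e) {
            throw new CertificateException(certFile + ": " + sniff(data), e);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // a null stream creates an empty keystore, as in the second snippet
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        int i = 0;
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity(); // refuse an expired or not-yet-valid certificate as a trust anchor
            String alias = "trustroot-" + i++;
            ks.setCertificateEntry(alias, x);
            System.out.printf("%s: %s%n  SHA-256 %s%n", alias,
                    x.getSubjectX500Principal(), hex(sha256.digest(x.getEncoded())));
        }
        return ks;
    }
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(); for (byte x : b) sb.append(String.format("%02x", x)); return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        buildTrustStore(Paths.get(args.length > 0 ? args[0] : "certificate.cer"));
    }
}
```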