
[iaik-jce] java.security.UnrecoverableKeyException: excess private key trying to retrieve Key from the KeyStore.



hello,

I have successfully managed to extract the private key and certificate chain
from a pfx file and store that as a KeyEntry in the KeyStore object.

Now I am trying to retrieve the same from the keystore using the following
piece of code

  import java.io.BufferedReader;
  import java.io.FileInputStream;
  import java.io.InputStream;
  import java.net.URL;
  import java.security.KeyStore;
  import java.security.PrivateKey;
  import java.security.cert.X509Certificate;
  import iaik.protocol.https.HttpsURLConnection;
  import iaik.security.ssl.KeyAndCert;
  import iaik.security.ssl.SSLClientContext;
  import iaik.security.ssl.Utils;
  import demo.DemoUtil;

  public class IAIkHttps {

  private static void doHttps(String args[]) throws Exception {
    DemoUtil.initDemos();

    // register the https URL handler
    System.getProperties().put("java.protocol.handler.pkgs", "iaik.protocol");

    String urlString = "https://jcewww.iaik.at/";

    // the connection is automatically established through proxies
    // if the properties have been set, see iaik.security.ssl.Utils.proxyConnect()
    URL url = new URL(urlString);
    System.out.println("Connecting to " + url + "...");
    HttpsURLConnection con = (HttpsURLConnection)url.openConnection();

    SSLClientContext context = new SSLClientContext();
    KeyStore keystore = KeyStore.getInstance("JKS");
    char[] passphrase = "password".toCharArray();
    // load the keystore file written earlier
    keystore.load(new FileInputStream("KeyStore_11_08"), passphrase);

    // fetch the key entry stored under the alias "New Person"
    PrivateKey privKey = (PrivateKey)keystore.getKey("New Person", "password".toCharArray());
    X509Certificate[] chain = (X509Certificate[])keystore.getCertificateChain("New Person");

    KeyAndCert kc = new KeyAndCert(chain, privKey);
    context.addClientCredentials(kc);

    con.setSSLContext(context);

    InputStream in = con.getInputStream();
    BufferedReader reader = Utils.getASCIIReader(in);

    System.out.println("Secure connection established.");
    System.out.println();

    // read SSL properties from the socket
    System.out.println("Connected using: " + con.getSSLSocket().getActiveCipherSuite());
    // everything else is standard HTTP URL stuff
    System.out.println("ResponseCode: "+con.getResponseCode());
    System.out.println("ResponseMessage: "+con.getResponseMessage());
    System.out.println("ContentEncoding: "+con.getContentEncoding());
    System.out.println("ContentLength: "+con.getContentLength());
    System.out.println("ContentType: "+con.getContentType());
    System.out.println("Date: "+con.getDate());
    System.out.println("Server: "+con.getHeaderField("Server"));
    System.out.println();

    while( true ) {
      String line = reader.readLine();
      if( line == null ) {
        break;
      }
      System.out.println(line);
    }
  }

  public static void main(String args[]) {
    try {
      doHttps(args);
    } catch( Exception e ) {
      System.err.println("An exception occured:");
      e.printStackTrace(System.err);
    }
    DemoUtil.waitKey();
  }
  }




I get the following error.
---------------------------------------------------------------------------

Connecting to https://jcewww.iaik.at:443/...
An exception occured:
java.security.UnrecoverableKeyException: excess private key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:314)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:106)
        at java.security.KeyStore.getKey(KeyStore.java:250)
        at IAIkHttps.doHttps(IAIkHttps.java:54)
        at IAIkHttps.main(IAIkHttps.java:108)
--------------------------------------------------------------------------

What am I doing wrong?

thanx
Anuja
> -----Original Message-----
> From: SUPPORT-JCE [mailto:jce@iaik.at]
> Sent: Wednesday, November 08, 2000 9:57 AM
> To: Anuja Gokhale; SUPPORT-JCE
> Subject: AW: Exception trying to parse decrypt a pfx file exported by IE 5.0
>
>
> Hello,
>
> there may be some jars in the ext directory of your jre not shown by the
> classpath output (so, for instance you have installed SunJSSE but it is not
> seen in the classpath).
> However, the message
> "no KeyGenerator could be found for this algorithm - PKCS#12-MAC - amongst
> any of the providers."
> does not originate from our JCE interface implementation. Please investigate
> the contents of the ext directory.
>
> Regards,
> Dieter Bratko
>
> -----Original Message-----
> From: Anuja Gokhale [mailto:anujag@fornova.com]
> Sent: Wednesday, 8 November 2000 15:22
> To: SUPPORT-JCE
> Subject: RE: Exception trying to parse decrypt a pfx file exported by IE 5.0
>
>
> My classpath only has the IAIK jce jar file.
>
> I still get the same error.
>
> I tried to use the example to verify and decrypt the PKCS#12 file by adding
> the following lines
>
> 	if (!mp12.verify(passphrase))
> 	{
> 	  System.out.println("Verification error!");
> 	  System.exit(0);
> 	}
> 	mp12.decrypt(passphrase);
>
>
> in the following code :
>
>
> 		try {
> 			//Test to see if the Cipher is available
>
> 			PKCS12 mp12 = new PKCS12(new FileInputStream(certFile));
> 			System.out.println(mp12);
> 			char[] passphrase = password.toCharArray();
>
> 			if (!mp12.verify(passphrase))
> 			{
> 			  System.out.println("Verification error!");
> 			  System.exit(0);
> 			}
>
> 			mp12.decrypt(passphrase);
> 			System.out.println(mp12);
> 			// extract private key and certificates:
> 			PKCS8ShroudedKeyBag pkcs8certKeys = (PKCS8ShroudedKeyBag)mp12.getKeyBag();
> 			MyKeyBag certKeys = new MyKeyBag(pkcs8certKeys);
> 			certKeys.decrypt(passphrase);
> 			System.out.println("Shrouded key bag : \n" + certKeys.toString());
> 			java.security.PrivateKey privKey = certKeys.getPrivateKey();
> 			if (privKey != null)
> 			{
> 				System.out.println("private key :" + privKey.toString());
> 			}
>
> 			// extract the cert chain from the pfx file
> 			CertificateBag[]  certBag = mp12.getCertificateBags();
>
> 			if (certBag != null) {
> 				System.out.println("CertificateBag :" + certBag.toString());
> 				X509Certificate[] certs = CertificateBag.getCertificates(certBag);
>
> 				//get the user certificate - corresponding to the private key -
> 				//from the last position of the chain:
> 				X509Certificate userCert = certs[certs.length - 1];
>
> 				System.out.println("Found chain of length = " + certs.length);
>
> 				keystore.setKeyEntry(alias, privKey, passphrase, certs);
> 			}
>
> 		} catch (Exception e) {
> 			e.printStackTrace();
> 		}
>
>
> but I still get a NoSuchAlgorithmException for the PKCS#12-MAC algorithm for a
> KeyGenerator. The output is as follows (the output also shows the classpath):
>
> -----------------------------------------------------------------------------
> adding Provider IAIK...
>
> Java version number: 1.3.0rc2
> Java compiler: null
> Java vendor-specific string: Sun Microsystems Inc.
> Java vendor URL: http://java.sun.com/
> Java installation directory: d:\jdk1.3\jre
> Java class format version number: 47.0
> Java class path: .;D:\Program Files\Certificate
> Software\IAIK-JCE2.61eval\lib\iaik_jce_full.jar
> Operating system name: Windows NT
> Operating system architecture: x86
> Operating system version: 4.0
>
> Installed security providers providers:
>
> Provider 1: IAIK  version: 2.61
> Provider 2: SUN  version: 1.2
> Provider 3: SunRsaSign  version: 1.0
> Provider 4: SunJSSE  version: 1.02
> PKCS#12 object:
> Version: 3
> AuthenticatedSafe: 0
> mode: UNENCRYPTED
>
> SafeBag: 0
> PKCS8ShroudedKeyBag: not decrypted yet!
>
> AuthenticatedSafe: 1
> mode: PASSWORD_ENCRYPTED
> Content encrypted with: PbeWithSHAAnd40BitRC2-CBC
> No SafeBags or not decrypted yet.
>
>
> iaik.pkcs.PKCSException: java.security.NoSuchAlgorithmException:
> KeyGenerator::getInstance(String) - no KeyGenerator could be found for this
> algorithm - PKCS#12-MAC - amongst any of the providers.
>         at iaik.pkcs.pkcs12.PKCS12.verify(Unknown Source)
>         at IECertConverter.parseCert(IECertConverter.java:36)
>         at IECertConverter.main(IECertConverter.java:109)
>
>
>
> thanx
> anuja
> > -----Original Message-----
> > From: SUPPORT-JCE [mailto:jce@iaik.at]
> > Sent: Wednesday, November 08, 2000 4:05 AM
> > To: Anuja Gokhale; jce-info@iaik.tu-graz.ac.at
> > Subject: AW: Exception trying to parse decrypt a pfx file exported by IE 5.0
> >
> >
> > Hello,
> >
> > maybe you use another JCE interface implementation that is not compatible
> > with IAIK-JCE. Please look at your classpath and try to remove any other
> > provider.
> >
> > Regards,
> > Dieter Bratko
> >
> > -----Original Message-----
> > From: Anuja Gokhale [mailto:anujag@fornova.com]
> > Sent: Monday, 6 November 2000 21:44
> > To: jce-info@iaik.tu-graz.ac.at
> > Subject: Exception trying to parse decrypt a pfx file exported by IE 5.0
> >
> >
> > Hello,
> >
> > I have exported my certificate (including the private key) in a pfx file
> > from IE.
> >
> > I am trying to use the iaik PKCS12 class to decrypt this and extract the
> > private key and certificate chain.
> >
> > I get the following exception when I try to verify it.
> >
> > iaik.pkcs.PKCSException: java.security.NoSuchAlgorithmException:
> > KeyGenerator::getInstance(String) - no KeyGenerator could be found for this
> > algorithm - PKCS#12-MAC - amongst any of the providers.
> > 	at IECertConverter.parseCert(IECertConverter:53)
> > 	at IECertConverter.parseCert(IECertConverter.java:29)
> > 	at IECertConverter.main(IECertConverter.java:85)
> >
> >
> >
> > If I comment out the verify call and just try and decrypt the file, I get
> > the following error
> >
> > iaik.pkcs.PKCSException: Unable to decrypt PrivateKey!
> > 	at iaik.pkcs.pkcs12.AuthenticatedSafe.decrypt(Unknown Source)
> > 	at iaik.pkcs.pkcs12.PKCS12.decrypt(Unknown Source)
> > 	at IECertConverter.parseCert(IECertConverter.java:30)
> > 	at IECertConverter.main(IECertConverter.java:85)
> >
> > I am using the iaik_jce_full.jar jar file....
> >
> >
> > The source code is:
> >
> >
> > 	// keystore is filled by parseCert() and used by the caller afterwards
> > 	private static KeyStore keystore;
> >
> > 	public static void parseCert(String certFile, String password, String alias) {
> >
> > 		try {
> >
> > 			IAIK.addAsProvider(true);
> > 			// get a new KeyStore object
> > 			keystore = KeyStore.getInstance("IAIKKeyStore", "IAIK");
> > 			char[] storePassphrase = "password".toCharArray();
> >
> > 			// create a new  keystore
> > 			keystore.load(null, storePassphrase);
> >
> > 			//parse the certificate file
> > 			PKCS12 mp12 = new PKCS12(new FileInputStream(certFile));
> > 			System.out.println(mp12);
> > 			char[] passphrase = password.toCharArray();
> >
> > 			System.out.println("verify: " + mp12.verify(passphrase));
> > 			mp12.decrypt(passphrase);
> > 			System.out.println(mp12);
> > 			// extract private key and certificates:
> > 			KeyBag certKeys = mp12.getKeyBag();
> > 			java.security.PrivateKey privKey = certKeys.getPrivateKey();
> >
> > 			// extract the cert chain from the pfx file
> > 			CertificateBag[]  certBag = mp12.getCertificateBags();
> > 			X509Certificate[] certs = CertificateBag.getCertificates(certBag);
> >
> > 			//get the user certificate - corresponding to the private key -
> > 			//from the last position of the chain:
> > 			X509Certificate userCert = certs[certs.length - 1];
> >
> > 			System.out.println("Found chain of length = " + certs.length);
> >
> > 			keystore.setKeyEntry(alias, privKey, passphrase, certs);
> >
> > 		} catch (Exception e) {
> > 			e.printStackTrace();
> > 		}
> > 	}
> >
> >
> > What am I doing wrong?
> >
> > thanx,
> > Anuja
> >
> > -----------------------------------------------------------------------------
> > Anuja Gokhale                           anujag@roguewave.com
> > Roguewave Software Inc.            phone: 508 624 5277
> > Southboro
> >
> >
> >
>
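An added example, not code from this thread or from IAIK: it uses only the standard JDK "PKCS12" and "JKS" keystore types to copy a key entry out of a pfx file, checks the private key's PKCS#8 encoding for trailing bytes before storing it (in the Sun provider, the "excess private key" message comes from the PKCS#8 decoder finding bytes after the PrivateKeyInfo SEQUENCE), and then reads the entry back with the same keystore type and password that wrote it. File names, the alias and the passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.spec.PKCS8EncodedKeySpec;

public class KeyEntryRoundTrip {
    // Total length (tag + length bytes + content) of the DER SEQUENCE at enc[0],
    // or -1 if the header is not a definite-length SEQUENCE.
    static int derSequenceLength(byte[] enc) {
        if (enc.length < 2 || enc[0] != 0x30) return -1;
        int first = enc[1] & 0xff;
        if (first < 0x80) return 2 + first;                  // short form
        int n = first & 0x7f;                                // long form: n length bytes
        if (n == 0 || n > 4 || enc.length < 2 + n) return -1;
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (enc[2 + i] & 0xff);
        return 2 + n + len;
    }

    // The Sun JKS key protector reports "excess private key" when bytes follow the
    // PrivateKeyInfo SEQUENCE, so reject such an encoding before it is stored and
    // re-create the key through the default provider's KeyFactory.
    static PrivateKey normalize(PrivateKey key) throws Exception {
        byte[] enc = key.getEncoded();
        int len = derSequenceLength(enc);
        if (len != enc.length)
            throw new IllegalArgumentException("PKCS#8 encoding is not one clean DER SEQUENCE: " + enc.length + " bytes, SEQUENCE covers " + len);
        return KeyFactory.getInstance(key.getAlgorithm()).generatePrivate(new PKCS8EncodedKeySpec(enc));
    }

    // Copy one key entry from a PKCS#12 file into a JKS file, then read it back with
    // the same keystore type and password, so a type or password mismatch fails here.
    static PrivateKey copyEntry(String pfxFile, char[] pfxPass, String alias,
                                String jksFile, char[] jksPass) throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxFile)) { src.load(in, pfxPass); }
        PrivateKey key = normalize((PrivateKey) src.getKey(alias, pfxPass));
        Certificate[] chain = src.getCertificateChain(alias);
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, jksPass);                                      // new, empty store
        dst.setKeyEntry(alias, key, jksPass, chain);
        try (FileOutputStream out = new FileOutputStream(jksFile)) { dst.store(out, jksPass); }
        KeyStore check = KeyStore.getInstance("JKS");                 // same type as store()
        try (FileInputStream in = new FileInputStream(jksFile)) { check.load(in, jksPass); }
        return (PrivateKey) check.getKey(alias, jksPass);             // throws if unreadable
    }
}
```

Call `copyEntry("export.pfx", pfxPassword, "new person", "keystore.jks", storePassword)` once after the export; if the read-back throws, the store type, alias or password used by the client code is the thing to compare against what this method used.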
--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-jce