
Trying to parse PKCS12 generated by WS2016 using Java Keystore: Failed PKCS12 integrity checking

I am trying to parse a PKCS12 certificate into an X.509 certificate and a private key using the Java Keystore:

import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// pkcs12Certificate is an InputStream over the .pfx/.p12 bytes; password protects both the MAC and the key bag
final KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
keystore.load(pkcs12Certificate, password.toCharArray());
// the file is expected to hold a single entry, so take the first alias
final Enumeration<String> aliases = keystore.aliases();
final String alias = aliases.nextElement();
final PrivateKey key = (PrivateKey) keystore.getKey(alias, password.toCharArray());
final X509Certificate publicCertificate = (X509Certificate) keystore.getCertificate(alias);
return create(clientId, key, publicCertificate);

This has worked well for certificates built by windows-server-2012. We have updated VMs to windows-server-2016, which has broken this code with the following error:

Exception in thread "main" java.io.IOException: Integrity check failed: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2146)
	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
	at com.company.AsymmetricKeyCredential.create(AsymmetricKeyCredential.java:164)
	at com.company.Main.main(Main.java:29)
Caused by: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2142)
	... 3 more

After some digging around it seems that windows-server-2016 has changed the way they format PKCS12 and PFX certificates. Specifically:

Pre-RS1, PKCS7 EncryptedData was used for the CertBag; in RS1, that was switched to PKCS7 Data. There are multiple options for AuthSafe contents in a CertBag:

    AuthenticatedSafe ::= SEQUENCE OF ContentInfo
        -- Data if unencrypted
        -- EncryptedData if password-encrypted
        -- EnvelopedData if public key-encrypted

It seems like this switch might be causing the Java Keystore to fail, but I'm not sure how to fix it. I can parse the certificate with OpenSSL, so I know it's not an issue with the certificate itself. We have to support certificates coming from WS2016, so any insight here is greatly appreciated.

asked Feb 23 '26 14:02 by sgonzalez


1 Answer

This was a bug in JDK 8, which has since been resolved: https://bugs.openjdk.java.net/browse/JDK-8202299

answered Feb 25 '26 06:02 by sgonzalez
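The question hinges on how the AuthenticatedSafe inside the .pfx is laid out (EncryptedData versus plain Data for the certificate bag). The following is an added example, not code from the question or the answer: a small DER walker that lists the ContentInfo types inside the AuthenticatedSafe so you can see which of the two shapes a given file has before blaming the file or the JDK. It also builds two constructed, structure-only sample files (no real keys, no valid MAC) so it runs offline; on a real file call authsafe_layout(open("x.pfx", "rb").read()). The same structure is visible with openssl asn1parse -i -inform DER -in file.pfx. The walker reads structure only and does not verify the MAC.

```python
# Universal DER tags used by the PFX outer structure
INTEGER, OCTET_STRING, OID, SEQUENCE, CTX0 = 0x02, 0x04, 0x06, 0x30, 0xA0

PKCS7_DATA = "1.2.840.113549.1.7.1"
PKCS7_ENVELOPED = "1.2.840.113549.1.7.3"
PKCS7_ENCRYPTED = "1.2.840.113549.1.7.6"
CONTENT_TYPE_NAMES = {PKCS7_DATA: "Data", PKCS7_ENVELOPED: "EnvelopedData",
                      PKCS7_ENCRYPTED: "EncryptedData"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]; single-byte tags only."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def expect(buf, pos, tag):
    """read_tlv that insists on a specific tag; returns (value, next_pos)."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02X}, got 0x{got:02X}")
    return value, nxt


def decode_oid(raw):
    """Decode OID content bytes (base-128 arcs) to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_content_info(body):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }"""
    oid_raw, pos = expect(body, 0, OID)
    content, _ = expect(body, pos, CTX0)
    return decode_oid(oid_raw), content


def authsafe_layout(pfx):
    """Return version, MAC presence and the ContentInfo types inside AuthenticatedSafe."""
    pfx_body, _ = expect(pfx, 0, SEQUENCE)               # PFX
    version_raw, pos = expect(pfx_body, 0, INTEGER)
    ci_body, pos = expect(pfx_body, pos, SEQUENCE)       # authSafe ContentInfo
    ctype, content = parse_content_info(ci_body)
    if ctype != PKCS7_DATA:
        # password-integrity mode (what Windows and Java use) requires pkcs7-data here
        raise ValueError(f"unsupported outer authSafe content type {ctype}")
    octets, _ = expect(content, 0, OCTET_STRING)         # Data wraps DER of AuthenticatedSafe
    safes, _ = expect(octets, 0, SEQUENCE)               # SEQUENCE OF ContentInfo
    types, p = [], 0
    while p < len(safes):
        inner, p = expect(safes, p, SEQUENCE)
        ctype, _ = parse_content_info(inner)
        types.append(CONTENT_TYPE_NAMES.get(ctype, ctype))
    return {"version": int.from_bytes(version_raw, "big"),
            "mac_present": pos < len(pfx_body),          # optional macData follows authSafe
            "safes": types}


# --- constructed sample files: structure only, no real keys and no valid MAC ---

def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der(OID, bytes(out))


def content_info(ctype, content):
    return der(SEQUENCE, encode_oid(ctype) + der(CTX0, content))


def sample_pfx(safe_types):
    """Build a PFX whose AuthenticatedSafe holds one placeholder ContentInfo per type given."""
    inner = b"".join(content_info(t, der(OCTET_STRING, b"\x30\x00") if t == PKCS7_DATA
                                  else der(SEQUENCE, b"\x02\x01\x00")) for t in safe_types)
    authsafe = content_info(PKCS7_DATA, der(OCTET_STRING, der(SEQUENCE, inner)))
    mac_data = der(SEQUENCE, der(SEQUENCE, b"") + der(OCTET_STRING, b"\x00" * 8) + der(INTEGER, b"\x01"))
    return der(SEQUENCE, der(INTEGER, b"\x03") + authsafe + mac_data)


PRE_RS1 = sample_pfx([PKCS7_ENCRYPTED, PKCS7_DATA])   # pre-RS1 shape: certs in EncryptedData
RS1 = sample_pfx([PKCS7_DATA, PKCS7_DATA])            # RS1 shape: certs in plain Data
```

On a real export the list typically shows the certificate safe first and the shrouded-key safe second; a file whose first entry reads "Data" rather than "EncryptedData" has the RS1 layout the question describes, while a Java-generated file will show "EncryptedData" there.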