8

I am using Sun's keytool to create a Bouncy Castle keystore and import a certificate into it. The keytool does produce a keystore in the Bouncy Castle format.

I then attempt to import the Bouncy Castle keystore into an Android program. I am able to get an instance of the "BKS" keystore, but calling load on the keystore throws

"java.io.IOException: Wrong version of key store".

This is the code:

KeyStore keyStore = KeyStore.getInstance("BKS");
InputStream is = new FileInputStream("/mnt/sdcard/ArcGIS/mystore.bks");
keyStore.load(is, "abcdef".toCharArray());

I tried various versions of the Bouncy Castle JAR downloaded from http://www.bouncycastle.org/latest_releases.html

What am I doing wrong?

Thanks, Ranjit

Ranjit

3 Answers

22

It seems the version of BouncyCastle shipped with Android 4.0.3 (API version 15) fails when trying to open keystores produced using the most recent BouncyCastle library. When I created a keystore using bcprov-jdk15on-147.jar, my sample Android app failed with the java.io.IOException: Wrong version of key store error.

However, if the keystore was created with the bcprov-jdk16-146.jar library, then it could be loaded by the application. My solution was to create the keystore with this older library.

Presumably this will also be the case for older API versions; try older versions of BouncyCastle when creating the keystore.

marco
  • 1
    +1 This solved my problem so far, but it also leads me to the question of what happens with devices running Android 4.2, as they update it to BouncyCastle 1.47 (source: http://developer.android.com/about/versions/jelly-bean.html ) – Martin Christmann Jan 23 '13 at 14:11
  • That was the solution of my problem too. Thanks for valuable info. – koders May 16 '14 at 13:58
  • When I try to use the 146 library to create the certificate, it gives me exactly the same "wrong keystore version". If I use the latest version, it imports OK. On the Android device, exactly the opposite occurs. The problem is that the *.csr certificate comes from a server where the client asks to maintain it as it is now. Is there an option I can use without having to regenerate the csr file with an older version on the server? – Pedro Teran May 26 '14 at 14:27
4

Resolved. The keytool command was missing the "-storetype BKS" argument, so although the BKS keystore file was generated, it was probably invalid.

Ranjit
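The two causes named in the answers above (a file that is not BKS at all because "-storetype BKS" was missing, and a BKS file written by a newer library than the one reading it) can be told apart from the first four bytes of the file. The following is an added example, not code from the question or the answers; the class name KeystoreSniffer is hypothetical, and the header values (JKS magic 0xFEEDFEED, JCEKS magic 0xCECECECE, BKS starting with a 4-byte big-endian version integer, 1 for the older format and 2 for the newer) are assumptions stated from general knowledge of these formats, not from this page.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public class KeystoreSniffer {

    /** Classifies a keystore by its first four bytes, read as a big-endian int. */
    static String sniff(InputStream in) throws IOException {
        // readInt() throws EOFException if the file has fewer than 4 bytes
        int head = new DataInputStream(in).readInt();
        if (head == 0xFEEDFEED) return "JKS, not BKS (was -storetype BKS passed to keytool?)";
        if (head == 0xCECECECE) return "JCEKS, not BKS";
        if ((head >>> 24) == 0x30) return "DER-encoded data (e.g. PKCS#12), not BKS";
        // Assumption: BKS begins with its format version; 1 = older writer, 2 = newer writer
        if (head == 1) return "BKS format version 1";
        if (head == 2) return "BKS format version 2 (an older reader reports 'Wrong version of key store')";
        return "unrecognized header 0x" + Integer.toHexString(head);
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 1) {
            // Inspect a real file, e.g. the keystore before copying it to the device
            try (InputStream in = new FileInputStream(args[0])) {
                System.out.println(args[0] + ": " + sniff(in));
            }
            return;
        }
        // Constructed sample headers (not taken from real keystores)
        byte[][] samples = {
            {(byte) 0xFE, (byte) 0xED, (byte) 0xFE, (byte) 0xED},
            {0, 0, 0, 1},
            {0, 0, 0, 2},
            {0x30, (byte) 0x82, 0x0A, 0x10},
        };
        for (byte[] sample : samples) {
            System.out.println(sniff(new ByteArrayInputStream(sample)));
        }
    }
}
```

Run it with the keystore path as the only argument on the machine where keytool produced the file; with no argument it prints the classification of the constructed headers.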
1

This problem is due to your BKS-certificate password length; it must be less than or equal to 7 characters. This is a matter of U.S. policy and U.S. export controls (not due to technical reasons).

Re-export your certificate using a 7-character length and it will work.

Hope it helps

Corbella