8

I am having trouble using SSL, as I am getting the following error related to my keystore (self-created and self-signed using keytool per: http://developer.android.com/tools/publishing/app-signing.html):

```
08-14 20:55:23.044: W/System.err(5430): java.io.IOException: Wrong version of key store.
08-14 20:55:23.060: W/System.err(5430): at org.bouncycastle.jce.provider.JDKKeyStore.engineLoad(JDKKeyStore.java:812)
...
```

The error thrown in the JDKKeyStore.java class arises in the following code:

From JDKKeyStore.java:

```java
if (version != STORE_VERSION) {
    if (version != 0) {
        throw new IOException("Wrong version of key store.");
    }
}
```

In this case STORE_VERSION = 1, and my version=3 based on reading the details of the certificate held by the keystore I have created. I do not know how to generate a keystore containing a version=1 certificate.

I found this answer helpful: wrong version keystore when doing https call

however it calls for creating the keystore using the following parameters:

-storetype BKS
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath /path/to/bouncycastle.jar

However, when I try to create the keytool (using the terminal app on Mac) using these parameters:

keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize 2048 -validity 10000 -keypass android -keystore /Users/djames/dropbox/bc146keystore/debug.keystore -storepass android -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/

(where /Users/djames/dropbox/bc146keystore/ is the path to the bouncy castle jar: bcprov-jdk16-146.jar)

I get the following error:

```
keytool error: java.lang.RuntimeException: Usage error, ?providerpath is not a legal command
java.lang.RuntimeException: Usage error, ?providerpath is not a legal command
    at sun.security.tools.KeyTool.parseArgs(KeyTool.java:375)
    at sun.security.tools.KeyTool.run(KeyTool.java:171)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)
```

I do not understand what this is telling me. If I use: keytool -help it tells me that the following are valid options for the -genkeypair option:

-genkeypair [-v] [-protected] [-alias ] [-keyalg ] [-keysize ] [-sigalg ] [-dname ] [-validity ] [-keypass ] [-keystore ] [-storepass ] [-storetype ] [-providername ] [-providerclass [-providerarg ]] ... [-providerpath ]

But in the Oracle docs java version 6 that I am using (http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)
it tells me that these are the options:

-genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}

which does not include the -providerpath option. Why the discordance? (If I do not use the -providerpath option, then I get an unknown class exception at the option: "-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider"...)

When I google: keytool -providerpath
I get nothing helpful to resolve this.

I am not sure how to solve my keystore version problem without solving my keytool problem. Any suggestions appreciated.

Jim

(Mac OSX 10.6.8 if relevant)
gymshoe
  • Possible duplicate of [Wrong version of keystore on android call](https://stackoverflow.com/questions/11117486/wrong-version-of-keystore-on-android-call) – Cukic0d May 14 '19 at 23:21

4 Answers

14

My problem was using a version of bouncy castle that was too new. I had to use 146 - any later and it gave me this error.

Ryan
  • Same here, version 148 gives me the same error, thanks a lot! – vk.edward.li May 23 '13 at 07:56
  • This works, but I'm puzzled as to why Eclipse bundles a version (148) that doesn't work... – Michael Jul 14 '14 at 21:16
  • Using an old version of bouncycastle sucks. You could also simply choose the **BKS-V1** format instead of **BKS** as explained in https://stackoverflow.com/a/33197845/5459467 – Cukic0d May 14 '19 at 23:25
5

I was able to get past this problem with the version of keystore. See: keytool error when creating BKS keystore: providerpath is not a legal command

gymshoe
1

The version mismatch is for the key store version, not the certificate version (which should have the value 2 for a v3 X.509 certificate).

What version of the JDK did you use keytool from? Did you specify a full path to the command, or use what was in your PATH? Are you sure that you are using JKS key stores, and not JCEKS stores?

erickson
  • 1) not sure exactly how to tell the version of keytool I am using. I am using Java SE runtime environment = 1.6.0_33, and presumably the corresponding JDK that goes with it (since I did not perform any separate installation that I know of). Based on my $PATH the keytool I am using comes out of the following subdirectory: System/Library/JavaVM.framework/Versions/A. I don't know why it doesn't come out of the: .../JavaVM.framework /Versions/1.6.0 subdirectory… – gymshoe Aug 16 '12 at 02:44
  • 2) I did not specify a path but rather used the default. As stated above, the default path would find keytool in: System>Library/JavaVM.framework/Versions/A. When I do specify a path and run "System>Library/JavaVM.framework/Versions/1.6.0/keytool -help" it shows me the same display as my default keytool, i.e. -genkeypair includes the option for -providerpath. – gymshoe Aug 16 '12 at 02:45
  • 3) Keystore type: first I was playing around with the default debug.keystore that is created for android when you use Eclipse for your IDE. When I encountered issues, I created my own keystore using keytool as previously described. I did not specify any storetype when I did that so I would presumably get the default type. Is there a way to display this? – gymshoe Aug 16 '12 at 02:45
  • I was able to verify that I am creating JKS key stores with my keytool (using the keytool -list command). – gymshoe Aug 16 '12 at 03:00
  • This seems to be a correct answer to one of my questions. I think I asked too many questions at once, since I still can't create an appropriate keystore... – gymshoe Aug 18 '12 at 01:27
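
An added example (not from the original posts or from Bouncy Castle's source): it reads the first bytes of a key store file and applies the version check quoted in the question to them, which shows which files that loader rejects. The JKS/JCEKS magic numbers and the BKS layout (store version as the first big-endian int) are stated here from the file formats, not from this page; the function names and sample headers are constructed for illustration.

```python
import struct

STORE_VERSION = 1  # value the question reports for JDKKeyStore.java
JDK_MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}  # first 4 bytes


def read_header(data: bytes):
    """Return the first two big-endian 32-bit ints of a key store."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes of the key store file")
    return struct.unpack(">II", data[:8])


def classify(data: bytes) -> str:
    """Name the key store format from its leading bytes."""
    first, second = read_header(data)
    if first in JDK_MAGIC:
        return f"{JDK_MAGIC[first]} (format version {second})"
    if data[0] == 0x30:
        return "PKCS12 (DER SEQUENCE)"
    if first in (0, 1, 2):
        # BKS has no magic number: the file starts with the store version.
        return f"BKS (store version {first})"
    return "unknown"


def loader_accepts(data: bytes) -> bool:
    """Apply the check quoted from JDKKeyStore.java to the first int."""
    version, _ = read_header(data)
    return version == STORE_VERSION or version == 0


def inspect_file(path: str):
    """Classify a key store on disk and say whether the check passes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return classify(head), loader_accepts(head)


# Constructed 8-byte headers (second int: JKS version / BKS salt length).
SAMPLES = {
    "jks": struct.pack(">II", 0xFEEDFEED, 2),
    "bks_v1": struct.pack(">II", 1, 20),
    "bks_v2": struct.pack(">II", 2, 20),
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", classify(head), "| accepted:", loader_accepts(head))
```

Call `inspect_file()` on the file you intend to ship to see whether it is the store version, rather than the certificate version, that the loader is objecting to.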
0

In order to complete Ryan's answer, as I had to dig in to find out how to generate a BKS with Bouncy Castle 1.46, you can use Portecle to generate the BKS.

  1. Download Bouncy Castle Provider 1.46
  2. Install or unzip it.
  3. Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
  4. Restart Portecle and generate your BKS truststore.

This is explained here.


Edit:

Since Portecle 1.8, you can use BKS-V1 type to generate your truststore without replacing bcprov.jar.

You can select it after clicking on New keystore or change the type via the menu Tools -> Change KeyStore Type.

L. G.
  • Since Portecle v1.8 you can simply select BKS-V1 in the "New KeyStore" dialog or convert between BKS and BKS-V1 via "Tools -> Change KeyStore Type". No need to replace jars. – Omikron Dec 14 '15 at 15:33