
Writing code to generate digital certificate

And when installing it in the browser I get the error

Failed to decode the file. Either it is not in PKCS #12 format, has been corrupted, or the password you entered was incorrect.

But I don't have any idea how to add that password to satisfy the PKCS #12 format. How do I go about it?

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.Cipher;

public KeyPair generateKeyPair() {
    KeyPair pair = null;
    try {
        String password = "1234";
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        // Utils.createFixedRandom() is a helper from the linked full code. A fixed-seed
        // RNG makes the generated key predictable; use new SecureRandom() outside tests.
        SecureRandom random = Utils.createFixedRandom();
        // 1024-bit RSA is below current minimum key-size recommendations (2048 or more).
        keyGen.initialize(1024, random);
        pair = keyGen.generateKeyPair();
        PrivateKey privkey1 = pair.getPrivate();
        PublicKey pubKey1 = pair.getPublic();

        // Password-encrypt the PKCS #8 private-key bytes (passwordEncrypt is also from
        // the full code). This yields an encrypted key blob, not a PKCS #12 container.
        byte[] privateKeyBytes = pair.getPrivate().getEncoded();
        byte[] encryptedPrivateKeyBytes = passwordEncrypt(
                password.toCharArray(), privateKeyBytes);

        //Problem might be here

        Signature dsa = Signature.getInstance("SHA1withRSA");
        dsa.initSign(privkey1);

        // Round-trip a two-byte message through RSA to check the key pair works.
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.ENCRYPT_MODE, pubKey1, random);
        byte[] input = new byte[] { (byte) 0xbe, (byte) 0xef };
        System.out.println("input : " + Utils.toHex(input));
        byte[] cipherText = cipher.doFinal(input);
        System.out.println("cipher: " + Utils.toHex(cipherText));
        cipher.init(Cipher.DECRYPT_MODE, privkey1);
        byte[] plainText = cipher.doFinal(cipherText);
        System.out.println("plain : " + Utils.toHex(plainText));
    } catch (Exception e) {
        System.err.println("Caught exception " + e.toString());
    }

    return pair;
}

The certificate is generated successfully, and I'm stuck here.

You can see the full code here.

Thanks for any hints.

Suresh Atta
  • Are you installing this as a personal (client) certificate in your browser, or as a trusted server certificate in your browser? If it's a certificate to be trusted, you should only need the cert file, not a PKCS12. For example, in Firefox, when you go to the Certificate Manager and the "Authorities" tab, and click import, it expects a certificate. If you go to the "Your Certificates" tab, it expects a P12 because the P12 will contain the private key as well to be used in proving your identity to another server. – gtrig Oct 10 '13 at 03:06
  • @gtrig Thanks for the detailed comment gtrig. What I'm trying to achieve is I'll provide a certificate to the user (customer) which has a private and public key. He installs that certificate in his browser and when my app launches I'll get that and use it for encryption and decryption of data. Please give me some hints.. I'm unable to move from this point. – Suresh Atta Oct 10 '13 at 06:11
  • @SURESH It sounds like you indeed will need the private key. What I'm not clear about is how your app is interacting with the browser keystore. Is your app running on his server (the same server his browser is running on?) Or is your app running on another server that his browser is connecting to? – gtrig Oct 10 '13 at 18:09
  • @gtrig seems I am missing many details here I guess, as per your comment. May I please talk with you for seeking clarification through email ID? My task is to provide a self-signed certificate to the user which contains a private and public key. He provides one password to me. While installing in his browser it asks for that password. After he installs, that's it. Later our application contacts that certificate using applets in our web application. Can you please help me in this? – Suresh Atta Oct 11 '13 at 09:54

1 Answer

I've looked at your code, and I think the problem is that you're outputting the cert in raw binary DER format using certificate.getEncoded() when the browser expects PKCS #12 format. I've never done this programmatically, I've always used keytool or openssl to convert between formats so I can't help more than that.

eta: this explains how to create, sign and export a PKCS12 in java: http://www.mayrhofer.eu.org/create-x509-certs-in-java (note: it's an old post and requires bouncycastle and a bit of hacking :( - a modern version of bouncycastle may simply provide this functionality)

tom
  • Thanks for the hint tom, I'll look in that direction. Just started with cryptography – Suresh Atta Oct 09 '13 at 15:15
  • Good luck. Dealing with PKI can be a nightmare :D – tom Oct 09 '13 at 15:16
  • this explains how to output a PEM, which I thought would be consumable by the browser: http://stackoverflow.com/questions/3313020/write-x509-certificate-into-pem-formatted-string-in-java (header, base64encodedbytes, footer) – tom Oct 09 '13 at 15:21
  • That's really close. Thanks again. As we are programmers every issue is a nightmare for us :( – Suresh Atta Oct 09 '13 at 15:24
  • Aha, this explains how to do it: http://www.mayrhofer.eu.org/create-x509-certs-in-java (it creates a pkcs12 and signs it programmatically) – tom Oct 09 '13 at 15:27
  • tom, that's a great blog, haven't found it in my search. Thanks a lot. That seems promising. I'll accept the answer soon. – Suresh Atta Oct 09 '13 at 15:28
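As an added worked example (not code from the question or from tom's answer) of what the answer describes: build a self-signed X.509 certificate, then write the private key and certificate together into a password-protected PKCS #12 file instead of writing the bare DER from certificate.getEncoded(). It uses Bouncy Castle's bcprov and bcpkix jars, which are assumed to be on the classpath; the alias, subject name, output file name and password are placeholder values.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedPkcs12 {

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Placeholder values (assumptions, not taken from the question).
        String alias = "customer-cert";
        char[] password = "1234".toCharArray(); // what the browser prompts for on import
        String outFile = "customer.p12";

        // 1. Key pair. Use a real SecureRandom, not a fixed-seed RNG, or the key is predictable.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, new SecureRandom());
        KeyPair pair = kpg.generateKeyPair();

        // 2. Self-signed X.509 certificate: subject == issuer, signed with its own private key.
        X500Name name = new X500Name("CN=customer, O=Example");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        BigInteger serial = new BigInteger(64, new SecureRandom());
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, pair.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .build(pair.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider("BC").getCertificate(builder.build(signer));

        // 3. PKCS #12: private key plus certificate chain under one alias, protected by
        //    the password. Writing cert.getEncoded() alone gives DER with no private key,
        //    which is why the browser's "Your Certificates" importer rejects it.
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start from an empty store
        p12.setKeyEntry(alias, pair.getPrivate(), password, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream(outFile)) {
            p12.store(out, password);
        }

        // 4. Sanity check: reload the file with the same password, as the browser will.
        KeyStore check = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(outFile)) {
            check.load(in, password);
        }
        System.out.println("private key present under alias: " + check.isKeyEntry(alias));
    }
}
```

The resulting customer.p12 is what goes into the browser's personal ("Your Certificates") store; a CA-style import of the same identity would take only the certificate, not the P12. Before handing the file out, it is worth confirming the container and password from the command line with `openssl pkcs12 -info -in customer.p12 -noout`, which fails with the same "wrong format or password" class of error the browser shows if the file is not a valid PKCS #12.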