
I am trying to create a PKCS 12 (P12) file using Java (and BouncyCastle). For some reason my code is not adding my password to the key entry that I add to the p12 file.

The password for the p12 file itself works. However, the password for a specific key entry is not added.

My code:

    import java.io.FileOutputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    // ...

        // open the file
        String fileName = "my_output.p12";
        OutputStream outFile = new FileOutputStream(fileName);

        // get privatekey and cert details ...
        // ...

        // initialize
        // note: I have also tried:  KeyStore.getInstance("PKCS12", "BC");
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);

        // this line doesn't add my password "test_pass" !
        keyStore.setKeyEntry("test_alias", myExistingPrivateKey, "key_pass".toCharArray(), myExistingCertChain);

        // store keystore and close file
        keyStore.store(outFile, "container_pass".toCharArray());
        outFile.close();

Note the same code works fine when the container type is JKS instead of PKCS12.

picolo
  • Do you have to do this with your own Java program? Can you not use ready tools such as `keytool` or `OpenSSL`? – Mick Mnemonic Oct 26 '16 at 23:11
  • Yes, this is a custom tool for a client. – picolo Oct 26 '16 at 23:17
  • So this custom tool does something that `keytool` and `OpenSSL` cannot do? I'm just trying to imply that there are numerous things that can go wrong here and it's hard to even start guessing unless you include all of the relevant code. – Mick Mnemonic Oct 26 '16 at 23:20
  • It does many of the tasks that keytool does but it has a UI and does many other tasks specific to clients' requirements – picolo Oct 26 '16 at 23:23
  • The same code works fine (i.e. key entry pass is added) when the container type is JKS instead of PKCS12 – picolo Oct 26 '16 at 23:25
  • Okay. Did you try passing in the password to the [`load()`](https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html#load(java.io.InputStream,%20char[])) method, i.e. something like `keyStore.load(null, "key_pass".toCharArray());`? – Mick Mnemonic Oct 26 '16 at 23:30
  • The pass parameter of keyStore.load() is used to unlock an existing keystore. In my case I am creating a new one. Based on the specification I have to pass null for both parameters. But I still tried it and no luck. – picolo Oct 26 '16 at 23:35
  • I don't see the JavaDoc mentioning that both parameters should be `null`; only the first one should be, for new certificates. In any case, did you check out [Saving certificate chain in a pkcs12 keystore](http://stackoverflow.com/questions/13207378/saving-certificate-chain-in-a-pkcs12-keystore) already? – Mick Mnemonic Oct 26 '16 at 23:42
  • Note also that you're mentioning three different passwords in your snippet (`"test_pass"`, `"key_pass"` and `"container_pass"`); make sure you use the correct one(s) when you try out the `.p12` file. Or better, use the same pw for `load()`, `setKeyEntry()` and `store()`. – Mick Mnemonic Oct 26 '16 at 23:47
  • Thanks, the generated p12 file requires 'container_pass' to open, but the key entry is passwordless, i.e. the private key is accessible without a pass. – picolo Oct 26 '16 at 23:51
  • How are you testing this? All of the `.p12` files I've used only contain a single private key (with the corresponding cert chain) and use a single password. – Mick Mnemonic Oct 26 '16 at 23:55
  • From the [BC spec](https://www.bouncycastle.org/specifications.html) (6.4 Keystore): `PKCS12 provides a slightly different situation from the regular key store, the keystore password is currently the only password used for storing keys.` – Mick Mnemonic Oct 26 '16 at 23:58

0 Answers
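A self-contained way to test the behaviour discussed in the comments, written as an added example (not the asker's code): it builds a throwaway key pair and self-signed certificate with BouncyCastle, stores the key under a key password that differs from the store password, reloads the PKCS12 data from memory and reports which passwords unlock the entry for the JDK's default PKCS12 implementation and for the BC provider. It assumes the bcprov and bcpkix jars are on the classpath; the alias and password strings are taken from the question.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class P12KeyPasswordCheck {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        char[] storePass = "container_pass".toCharArray();
        char[] keyPass = "key_pass".toCharArray();

        // Throwaway RSA key and self-signed cert (constructed here; no external files needed).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=p12-password-check"); // assumed test subject
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 86_400_000L); // valid for one day
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(
            new JcaX509v3CertificateBuilder(name, BigInteger.ONE, notBefore, notAfter, name, kp.getPublic())
                .build(signer));

        // Compare the JDK's default PKCS12 implementation with the BC provider.
        for (String provider : new String[] {null, "BC"}) {
            KeyStore ks = provider == null ? KeyStore.getInstance("PKCS12")
                                           : KeyStore.getInstance("PKCS12", provider);
            ks.load(null, null);
            ks.setKeyEntry("test_alias", kp.getPrivate(), keyPass, new Certificate[] {cert});
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, storePass); // serialize with the container password only

            KeyStore reloaded = KeyStore.getInstance("PKCS12", ks.getProvider().getName());
            reloaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);
            String label = ks.getProvider().getName();
            System.out.println(label + ": entry opens with key password   = " + opens(reloaded, keyPass));
            System.out.println(label + ": entry opens with store password = " + opens(reloaded, storePass));
            System.out.println(label + ": entry opens with wrong password = " + opens(reloaded, "wrong".toCharArray()));
        }
    }

    // True if getKey() returns the private key for this password, false if it refuses.
    static boolean opens(KeyStore ks, char[] pass) {
        try { return ks.getKey("test_alias", pass) != null; }
        catch (GeneralSecurityException e) { return false; }
    }
}
```

If the "wrong password" line prints true for a provider, that provider is ignoring the per-entry password and only the container password protects the key, which is the situation the BC spec quote in the comments describes.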