
I have a Java KeyStore (JKS) and I need to read it with BouncyCastle.

I've added the BC provider at the top of the providers list:

Security.insertProviderAt(new BouncyCastleProvider(), 1);

If I create the KeyStore this way:

final KeyStore keystore = KeyStore.getInstance("JKS", "BC");

I get an error:

java.security.KeyStoreException: JKS not found

If I don't specify a provider, the KeyStore will be created with the Sun provider and `keystore.aliases()` will contain an `EmptyEnumeration`.

As I saw in this topic, BouncyCastle can work with JKS.

How can I read JKS with BouncyCastle?

Kirill
  • 1
    Did you add the following line at the top of your program: `Security.addProvider(new BouncyCastleProvider());`? Refer to [Section 6.0](https://www.bouncycastle.org/specifications.html). – Mr. Polywhirl Nov 29 '16 at 14:12
  • @Mr.Polywhirl Yes. I've edited the description – Kirill Nov 29 '16 at 14:14
  • 1
    You are confusing "working with" and "implementing". You normally should not specify the provider in any of the `getInstance()` methods of JCE. Just add the provider with `Security.addProvider()` and let the JCE find the implementations from any provider. Only the Oracle providers implement the JKS keystore, but your `KeyStore.getInstance("JKS", "BC");` forces the JCE to look only at BouncyCastle's for a JKS implementation, which it doesn't have. Also, don't add the BouncyCastle provider at a particular position unless you really know what you're doing. – President James K. Polk Nov 29 '16 at 19:16

1 Answer


Use BKS instead of JKS

KeyStore keystore = KeyStore.getInstance("BKS", "BC");

See section 6.4-Keystore of https://www.bouncycastle.org/specifications.html

The Bouncy Castle package has three implementations of a keystore. The first, "BKS", is a keystore that will work with the keytool in the same fashion as the Sun "JKS" keystore.

The result will be the same as with the Sun provider. If you get an empty list, check that the JKS is not empty and that you are reading it properly.

pedrofb
  • I have tried this and in this case `keystore.aliases()` returns `EmptyEnumeration` – Kirill Nov 30 '16 at 07:53
  • 1
    Does your keystore have a certificate? Check with `keytool -list -v -keystore keystore.jks` Are you reading the keystore in this way?: `keystore.load(inputStream, password);` – pedrofb Nov 30 '16 at 08:03
  • Yes I can see this cert using keytool with the same parameters – Kirill Nov 30 '16 at 08:15
  • 1
    Please check that the `InputStream` provided to `keystore.load(inputStream, password);` is not null. This method will reset the keystore if the `InputStream` is null. – pedrofb Nov 30 '16 at 08:25
  • I had the wrong path to keystore. KeyStore.getInstance("JKS") works. Thank you – Kirill Nov 30 '16 at 08:54
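The thread above turns on two separate facts: `KeyStore.getInstance("JKS", "BC")` fails because Bouncy Castle does not implement the JKS format (the JCE only searches the named provider), and `keystore.load(null, password)` is legal and silently initialises an empty keystore, which is why a wrong path shows up as an `EmptyEnumeration` rather than an error. The following is an added example written for this page, not code from the question or the answer. It assumes `bcprov` is on the classpath (for `org.bouncycastle.jce.provider.BouncyCastleProvider`), and the path `keystore.jks` and password `changeit` are placeholders. It registers BC with `Security.addProvider` rather than `insertProviderAt(..., 1)`, so BC does not become the first choice for every algorithm in the JVM, loads the JKS through the default provider lookup, and opens the file in a way that cannot hand `load()` a null stream:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.Collections;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class ReadJks {

    /**
     * Loads a JKS keystore from disk and returns its aliases. The file is
     * opened with Files.newInputStream, so a wrong path fails with
     * NoSuchFileException instead of silently passing a null stream to
     * KeyStore.load(...).
     */
    static List<String> listAliases(Path path, char[] password) throws Exception {
        // No provider argument: the JCE searches every registered provider and
        // finds the SUN implementation of "JKS". Passing "BC" here would throw
        // KeyStoreException ("JKS not found") because Bouncy Castle does not
        // implement the JKS format.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        // KeyStore.load(null, pw) is legal and creates an EMPTY keystore, so an
        // unchecked getResourceAsStream() miss looks like an empty file rather
        // than a wrong path. The try-with-resources above never reaches load()
        // with null.
        return Collections.list(ks.aliases());
    }

    public static void main(String[] args) throws Exception {
        // Append BC to the provider list instead of insertProviderAt(p, 1),
        // which would make BC the preferred implementation for every
        // algorithm in the JVM, not just for keystores.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        // Placeholder path and password for this example; replace with your own.
        Path jks = Paths.get(args.length > 0 ? args[0] : "keystore.jks");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // 1. Asking BC for JKS fails exactly as in the question.
        try {
            KeyStore.getInstance("JKS", "BC");
        } catch (KeyStoreException e) {
            System.out.println("As expected: " + e.getMessage());
        }

        // 2. Asking BC for its own BKS type works, but that object reads the
        //    BKS file format, not JKS files.
        KeyStore bks = KeyStore.getInstance("BKS", "BC");
        System.out.println("BKS keystore served by provider " + bks.getProvider().getName());

        // 3. Load the JKS through the default lookup and list its entries.
        try {
            List<String> aliases = listAliases(jks, password);
            System.out.println("Aliases in " + jks + ": " + aliases);
        } catch (NoSuchFileException e) {
            System.out.println("Keystore file not found: " + e.getFile());
        }
    }
}
```

Run it as `java ReadJks /path/to/keystore.jks <password>`; a mistyped path now surfaces as "Keystore file not found" rather than an empty alias list. If you do need Bouncy Castle's keystore formats, create the file as BKS with `keytool -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider` and load it with `KeyStore.getInstance("BKS")`; reading an existing JKS file still goes through the SUN provider.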