0

So I have this old keystore (mykeystore.p12) with a certificate that expires any day now + some other keys that I need to keep.

Then I got this new certificate.txt + privatekey.txt + bundle.txt from my CA. From what I can find I need to import all these files into a new keystore and then import the new keystore into my old keystore. (I tried importing it to my old keystore straight away but it wrote over the old store).

So to create the new keystore I do this:

openssl pkcs12 -export -in certificate.txt -inkey privatekey.txt -out newkeys.p12 -name com -CAfile bundle.txt -caname root

The newkeys.p12 works if I try to use it, but it is missing all my old keys that I still need so then to import it to my current old keystore (that worked fine but certificate expires) I do this:

keytool -importkeystore -deststorepass PASSWORD -destkeystore mykeystore.p12 -srckeystore newkeys.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD -alias com

But then it all stops working and I can't even start my webapp because I get this error:

at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:934) ~[spring-context-5.3.4.jar!/:5.3.4]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:585) ~[spring-context-5.3.4.jar!/:5.3.4]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:144) ~[spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:767) [spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759) [spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:426) [spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:326) [spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1311) [spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1300) [spring-boot-2.4.3.jar!/:2.4.3]
        at com.aquaass.aquadb.AquaassApplication.main(AquaassApplication.java:17) [classes!/:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_275]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_275]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_275]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_275]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [aquadb.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:107) [aquadb.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [aquadb.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [aquadb.jar:na]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Jetty server
        at org.springframework.boot.web.embedded.jetty.JettyWebServer.start(JettyWebServer.java:194) ~[spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) ~[spring-boot-2.4.3.jar!/:2.4.3]
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-5.3.4.jar!/:5.3.4]
        ... 23 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Private key not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:338) ~[na:1.8.0_275]
        at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_275]
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145) ~[na:1.8.0_275]
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_275]
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_275]
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1243) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2267) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.springframework.boot.web.embedded.jetty.SslServerCustomizer$SslValidatingServerConnector.doStart(SslServerCustomizer.java:265) ~[spring-boot-2.4.3.jar!/:2.4.3]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
        at org.springframework.boot.web.embedded.jetty.JettyWebServer.start(JettyWebServer.java:174) ~[spring-boot-2.4.3.jar!/:2.4.3]
        ... 25 common frames omitted
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:285) ~[na:1.8.0_275]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:320) ~[na:1.8.0_275]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_275]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[na:1.8.0_275]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:137) ~[na:1.8.0_275]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:119) ~[na:1.8.0_275]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:393) ~[na:1.8.0_275]
        at sun.security.pkcs.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:80) ~[na:1.8.0_275]
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:327) ~[na:1.8.0_275]
        ... 46 common frames omitted

At first I thought there might be some conflict between the private keys, that they were in different formats so that there was some conflict or something (since they only don't work when they are all in the same keystore), but it appears they are all RSA 2048. So now I must think I am importing it wrong, but this is how it is done according to my research online so I'm stumped and kind of in a hurry to solve this. My CA was nice enough to generate a new cert but still the same problem so I'm leaning towards the import going wrong or something.

It doesn't seem to matter if I import the new keystore to my oldkeystore or the other way around, still the same problem. Why do I get this error? Please help!

Edit 1: Now I even tried to generate a new keypair (99% sure I did it exactly like last year) in my own working keystore and then exported a signing request (.csr) which I got signed. I then imported the new signed cert and bundle to that keypair alias but still I get this same error!

Command for generating new keypair and cert:
keytool -genkey -alias com -keystore mykeystore.p12 -storetype PKCS12 -keyalg RSA -storepass PASSWORD -validity 366 -keysize 2048

Command for exporting csr:
keytool –keystore mykeystore.p12 –certreq –alias com –keyalg rsa –file sign-request.csr

Edit 2: Info on keystores in different stages:

mykeystore.p12 -info:
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag


newkey.p12 -info:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048


merged mykeystore.p12 -info:
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag

And this is the original keystore (from edit 1) where I created the keys
+ csr and imported signed cert (I thought I generated the keys the same 
way as last year but it appears maybe not):

MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag

Edit 3:

java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 1.8.0_241-b07)
Java HotSpot(TM) 64-Bit Server VM (build 25.241-b07, mixed mode)
Vanheden
  • 582
  • 5
  • 14
  • 1
    What version `keytool` are you using? If that is new enough, maybe and/or if you're using OpenSSL 3.0.x, the encryption in the PKCS12 uses PBES2, and 8u275 has a bug that doesn't handle it. See (my) links and summary at https://stackoverflow.com/questions/70244066/keytool-error-java-io-ioexception-parsealgparameters-failed-objectidentifier . – dave_thompson_085 Dec 23 '21 at 14:17
  • Thank you for the links, I will check them out! My Keytool version is 8.0.2410.7. I don't know how to check the version of my openssl though – Vanheden Dec 23 '21 at 16:49
  • That's the Windows .exe version? Java versions are actually: premodular (like yours) 1.v.0 update u, with the 1. and .0 usuallly omitted, v 1 to 8, and update often abbreviated u or _; or postmodular v.0.u for v 9 and up and .0.0 suppressed. If no one messed up, yours is 8u241, which I have on an old test system, and that won't even do the `-importkeystore` with a PBES2 input, which would obviate the OpenSSL version, but you can get it by running `openssl version`, and if you're using the shininglight build it also has the Windows .exe attributes just like your keytool. ... – dave_thompson_085 Dec 25 '21 at 06:14
  • 1
    ... Anyway, on both the `mykeystore.p12` input to your `keytool` (assuming you saved or can recover a copy) and the output, please do `openssl pkcs12 -in $file -nokeys -nocerts -info` and show the results. – dave_thompson_085 Dec 25 '21 at 06:16
  • My openssl version is 'OpenSSL 1.0.2u-fips 20 Dec 2019'. In the last attempt with the CSR request I didn't involve openssl. I added the info you asked for above in the original post. It is so weird to me that a key generated with the same keytool as last year in the very same keystore gives this private key error :/ – Vanheden Dec 25 '21 at 11:36
  • The keytool is from my windows java 1.8.0_241. – Vanheden Dec 25 '21 at 11:51
  • To be perfecetly honest I don't understand what all of this means, but this seems kind of out of place, is this the problem? Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256 – Vanheden Dec 25 '21 at 12:16
  • 1
    Yes, a 'bag' encrypted with PBES2 is exactly the problem -- but keytool in 8u241 should not be able to create such, unless the standard providers are replaced by _very_ odd ones. Are you sure you don't have another, newer java on that machine that you might somehow invoke, perhaps as part of an IDE or SDK or something? Does `where keytool` point anywhere unexpected? Creating PBES2 both for -importkeystore _and_ for -genkeypair,-certreq,-import(reply) would certainly be consistent with 8u301 or up. – dave_thompson_085 Dec 27 '21 at 04:15
  • I actually copied keytool + some other file it needed to a more accessible folder last year, where I do my work on my keystores because I didnt successfully find or added keytool to "path". I did download a new JDK recently but I didn't replace the old version, but perhaps that versions keytool is in "Path" so that it gets chosen even when I work in a folder with my same old keytool. I will see if I can run a keytool command in "any folder", otherwise it should be the same old version I used for everything – Vanheden Dec 27 '21 at 09:52
  • It does seem like some other keytool version is in path so that it doesnt' actually run my old faithful copy when I work in its foder! So I just have to remove this newer version from "path" so that I get the right version when I work with it. Thank you for your help! – Vanheden Dec 27 '21 at 10:11
  • Although, when I write "where keytool" it only list my "workshop folder copy" and the original from java 1.8.0_241 folder where I copied it from so they are both version 8.0.2410.7. I think the orace java update I ran by suggestion from windows like a month ago might have been something else – Vanheden Dec 27 '21 at 10:24
  • Yes, that could do it; see at-least-semianswer. – dave_thompson_085 Dec 28 '21 at 09:17

1 Answers1

1

Okay, it finally develops you are on Windows and have tried to move and change parts of the installed Java. Since you apparently have the updater, I assume you used the Oracle executable installer (for JRE, or for JDK containing 'public' JRE), rather than the tgz 'installer' (really just an archive) for JRE or Server-JRE.

Copying pieces of Java around, especially on Windows, is not supported. Java utilities like keytool rmid javac jar jlink jconsole are provided as .exe files on Windows but those don't contain the actual functionality, they are only stubs that load and run Java code to do the actual functionality, and at least on Windows this code may sometimes be found not in the same directory but via the registry, which records where the installer put it, not any manual changes you made.

I suspect the Java Updater (which isn't part of Windows) did at least try to install an update to 8u301 or higher, and as a result you're now running a sort of Franken-Java with parts from at least two different versions, making it basically impossible to accurately predict or understand what it's doing. You might look at controlpanel / Programs&Features (aka appwiz.cpl) to see what is recorded as installed, but if you have manually changed things this record may not be correct / complete.

I think you have 4 options:

  • restore this machine to a single proper version of Java below 8u301. Given your vague description the only method I have confidence is to remove everything you have now and start from scratch. (IIRC you can't actually exclude the updater from the .exe installer, but you can disable it, to prevent it getting you back into the same mess again. Or maybe use one of the tgz packages which doesn't have the updater.) If you have problems using standardly-installed Java, you might want to ask about that; I don't, and I see very few Qs from other people that do, and given the many Qs about other aspects of Java this strongly suggests that the standard install works for many people.

  • use a different machine that has, or on which you get, a proper version below 8u301. The machine running the app apparently has 8u275, which is probably an OpenJDK release because there appears to be no record of an Oracle 27x release other than 271; maybe you can use that. On Win 10 up, you could use WSL, which is actually a (small, convenient) virtual machine (that you could delete afterwards if you don't want to keep it).

  • use JKS format instead of PKCS12, if the nonstandard and somewhat lower security is acceptable. Java support of JKS was not changed like PKCS12 was, so even a mixed-up Java should produce a usable JKS.

  • upgrade the app-running machine (or environment e.g. container) to 8u301 or higher -- or maybe even 11 or 17, but there may be issues with Spring in moving to modular Java -- so it can handle PBES2. This is the best long-term solution; Java is conforming to an industry trend to move, although not uniformly, to better security, and if you stick in the past you will eventually (and perhaps abruptly) have more and more problems of this type.

dave_thompson_085
  • 34,712
  • 6
  • 50
  • 70
  • You are probably right. But if I delete the 2 files I moved to my "workshop" folder, the rest should be "default"? I did try to set keytool to path at first but it didn't seem to work, but as I mentioned it does work now, which makes this "workshop" folder copy unnecessary. Maybe I should look into running Java 11 on spring boot, but I work with Java 8 on my android app and it is what I am most used to and I assume upping to Java 11 would mean a lot of work and changes Thank you for your help! – Vanheden Dec 28 '21 at 11:37
  • 1
    You said the updater installed a new version, or tried to. Even if you go back to the original path for 8u241, as I said I don't have confidence you're getting a _consistent_ 8u241. I thought of one thing you can check: try `[path\to\]keytool -J-version`; if that's wrong, it definitely explains the problem, although if it's right, there could still be some other mixup _within_ the Java. You don't need 11 to fix this problem, 8u301 is enough (as I said); 11 or 17 is just an option, and if you don't want it for other reasons that's okay. – dave_thompson_085 Dec 30 '21 at 13:47
  • I added the result to "Edit 3". The update that I got from oracales update assistant was jre1.8.0_311 which I installed for some other project. I'm sure you are right that things might not be right with the installation on my computer or something because that would explain a lot – Vanheden Jan 01 '22 at 15:20