0

I've generated a pfx file following the nexts steps:

openssl pkcs8 –in CSD01.key –inform DER –out CSD01.pem

openssl x509 –in CSD01.cer –inform DER –out CSD01cer.pem

openssl pkcs12 –export –inkey CSD01.pem –in CSD01cer.pem –out CSD01.pfx

Now, I'm trying to read this CSD01.pfx file with this Java code:

public static PrivateKey getPrivateKey(File file)
        throws KeyStoreException,
        IOException,
        CertificateException,
        NoSuchAlgorithmException,
        UnrecoverableKeyException {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(new FileInputStream(file), pwdPFX);
    String alias = ks.aliases().nextElement();

    return (PrivateKey) ks.getKey(alias, pwdPFX);
}

where pwdPFX is:

final static char[] pwdPFX = "12345678a".toCharArray();

but the line ks.load throws the following error:

Exception in thread "main" java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at Main.getCertificate(Main.java:105)
    at Main.main(Main.java:51)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 4 more

I'm sure that the password is correct, because i tried with "openssl pkcs12 -in CSD01.pfx -noout" and works fine.

If I open the PFX file winth openssl info I get:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: CA D8 B0 AA 79 40 AE C6 65 D9 DB 97 55 B9 95 B8 63 14 09 C4
subject=CN = BERENICE XIMO QUEZADA, name = BERENICE XIMO QUEZADA, O = BERENICE XIMO QUEZADA, C = MX, emailAddress = pruebas@pruebas.gob.mx, x500UniqueIdentifier = XIQB891116QE4, serialNumber = XIQB891116MGRMZR05
issuer=CN = AC UAT, O = SERVICIO DE ADMINISTRACION TRIBUTARIA, OU = SAT-IES Authority, emailAddress = oscar.martinez@sat.gob.mx, street = 3ra cerrada de cadiz, postalCode = 06370, C = MX, ST = CIUDAD DE MEXICO, L = COYOACAN, x500UniqueIdentifier = 2.5.4.45, unstructuredName = responsable: ACDMA-SAT
-----BEGIN CERTIFICATE-----
MIIF1DCCA7ygAwIBAgIUMzAwMDEwMDAwMDA0MDAwMDIzMTEwDQYJKoZIhvcNAQEL
BQAwggErMQ8wDQYDVQQDDAZBQyBVQVQxLjAsBgNVBAoMJVNFUlZJQ0lPIERFIEFE
TUlOSVNUUkFDSU9OIFRSSUJVVEFSSUExGjAYBgNVBAsMEVNBVC1JRVMgQXV0aG9y
aXR5MSgwJgYJKoZIhvcNAQkBFhlvc2Nhci5tYXJ0aW5lekBzYXQuZ29iLm14MR0w
GwYDVQQJDBQzcmEgY2VycmFkYSBkZSBjYWRpejEOMAwGA1UEEQwFMDYzNzAxCzAJ
BgNVBAYTAk1YMRkwFwYDVQQIDBBDSVVEQUQgREUgTUVYSUNPMREwDwYDVQQHDAhD
T1lPQUNBTjERMA8GA1UELRMIMi41LjQuNDUxJTAjBgkqhkiG9w0BCQITFnJlc3Bv
bnNhYmxlOiBBQ0RNQS1TQVQwHhcNMTkwNTI4MjE1ODQyWhcNMjMwNTI3MjE1ODQy
WjCByTEeMBwGA1UEAxMVQkVSRU5JQ0UgWElNTyBRVUVaQURBMR4wHAYDVQQpExVC
RVJFTklDRSBYSU1PIFFVRVpBREExHjAcBgNVBAoTFUJFUkVOSUNFIFhJTU8gUVVF
WkFEQTELMAkGA1UEBhMCTVgxJTAjBgkqhkiG9w0BCQEWFnBydWViYXNAcHJ1ZWJh
cy5nb2IubXgxFjAUBgNVBC0TDVhJUUI4OTExMTZRRTQxGzAZBgNVBAUTElhJUUI4
OTExMTZNR1JNWlIwNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJL
U6Iu3cOyJ14hkh9mjCy3XN5i1M36+60vnwTap8Uv1vQQxJqIB4WK85CSJxujhZE0
XY2OT6QPJMQ3kqcuMk8Yz+KptHq51Uhs4jiShI0GGoVUqZ/8qSmY+DnYM/WGvSzu
aMMm+cMwgMVYusKHE5FI+K39ht9aSP045KIR84ImnDuVp6DJeUaHEtlqspnQfMvZ
HfmT71IT7niBJOWYThjmCKMX6Y5tnlng8pOs9hjwHzlpUhVlGRjjUSJjeIZZY66k
gbQcpOFCUsoyR2SbOZDMWSqlsXNsRZ5sjICxFrMqZ6GoCzobx7tn6WYisTVvMIvk
NHzi8a8idyAMVrDhNb0CAwEAAaNPME0wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMC
A9gwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF
BQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAFFyKKTbclgM9SellL9BCWusArCHwtERU
XnaFzQzVbcXzZ9rrXoiXLo8OCCkE5fT4ig8FcWiH1bkh6ZABQSHKcEEY9ewJWZpD
3bA8E7DLHfDHmG1EqRKStajIG1aq3GSvFAetMvJE2epFsWvkO7CkN2hNT9SwsFkB
Yl+aiCP27LzQ4uD+mXJ6Pg79nD/ayuQDa7RGJ6u5KHY1I66xcpVxOegQr+zolYQ6
RfAye6Fk6JxUnYBVXtnsC3GLpB0fMb+53NZGzARVD9/762A3dy3GHlMWs9FVoRN7
DBJyNsVSlAodi9ClETC3Tr7WuXIzPZTbu17JEcqgL6Ovrk6L/SLULvhDe89eBmZH
GIm5Vaye2X1OeY+CmpKZ0nMzu16+hOhE3ecRTmxHFUCWzyHuH8qyBetiJY64vyHM
wgbyqwM3Lk7lEQowhYb4s8vGyJgb0qQoyt0lACbtkM73CwzasPTtxnHZFKzt0C9a
YIZvSVQidmK5EbGNh5YWL8tk352Sqjk4yxlZRqH8SkKHoMjPOrTcBJJwzWWQtz9h
Ol78kLqcYi+TK4ZWvunGXtZqDyQ2omhZBokSAHqUDjcRmOnuMpazF68j8U73Bz2v
oQtimMJlB/yyT6luFlzUbEK3ckUYBkk0PKxDe/6T7NXj+H4UWhpTivKnrqNWL7qA
HLSP1tnmG8s=
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
    localKeyID: CA D8 B0 AA 79 40 AE C6 65 D9 DB 97 55 B9 95 B8 63 14 09 C4
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIhs0ebbW1sEUCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDxOi/SPLOi3i/67n4/XN8uBIIE
0K8Mf9M+g8JycHvNARou/+RiO6UHdmaU7zi9IA4PzO/l4oAme5diCANtSe4UHiXr
e0dynCWOiJzVZ1DZOxE1oMalZI2+FTC/J8/IVLvwQLe08CWUB/30tE0sn2uF4DHd
+o3/sUnAyt78EYJ8hXiA3OZ6np14qvPCbdayEYhsblkIHriOG0KDNxutDtlpc/LB
7t/xmUpF1ZleQx/hnLza3449xxYmSIV/bwjgVJb/VpTG+rWSw+jnjhvHGzDSxsfa
4zehk5oqr1RUdr3bP994ncU8ARSx6Psjq4EomWih27gWmdZNG/YEuh8QcDidZYBr
8KoiVqUQsDtF/ZefslAdAt/VBROr63XrLEMBZgl9osPGXqEbRxGV2p+lyvS0kVhk
d3OnM/+vJZgmTrfxsYfcZ8gFLbtkkATr4jZ1+kAYcS0hidKpl34M3k22NzAaYodV
9S12ZVhGm3QW2NGsmHCCSjt65017ZZ+JIGZQHbDpRkeIaQRG/ZuzVoEKLsDX6Urp
dOnq27ZisonJhbJ6DOr3M/STp43VU1MZYhCJ4c7Sc6jDVqykbCSWXnTDMfY462JC
MU4ffSK0tps7ZAgLQkz8J4rEwYvYinndM9/75kcXZbNyuKd57pNe80L5UqtbHe9P
7iuJYuN609Bz6xBbkMQrdwnUxirvQuIQ9qBeV8p4zQBjKi93WHM1DSeyckq6U/aj
5s1PvB9XMrkN3fIC5b3cYyBywMzxRMrOUbRTiCei4nCDbAm4lfz2Vp5s+K68f3ak
5aPpMV0ssmKfV5otApHuGLq1S16YYXVAWso2I7e7Ngovn2Gk/gPBCE5EXa9bF+7T
6Bi+8Cv5n0WNQrpe9++A29k8ji/Dw+ps2g5woaN3UWsMdntgjndIlpKJbf09J6xi
CXhl3ycC8bzmvm/dNfVqXgUkLpkmMm+Fah4mCd/u7sEcMSzNyeEwMU8pyVvshOeQ
yd/HnrpHOKdLrFLGll+X91CQjuPl7Z6/k6+/j6/raekiAHW0T8469Vog0gt2v391
UT6QKlC8JyBoVXsF8DYTGhsDXceYMFmpWqmyB/Iqp04/dLRXf+Cdibc4u8GD9LaS
6fZcxb3jbOctxsVxmJyIzASTTt3fTN5C4alTVejo/Pis/U3ae5SaX3y1Fjt1xhvw
/y2aaS0HyDSo9/+Yibj/F/QOLSn4Czd6KymGgye53jApQULpkeg0tA/HAuy7kpCJ
ucHdH3aUfHUgqo6IQqR8dWH1rxcGEqbPNRYIKn/+Db+1598effYaCbgQzQ1TnN3S
eEDSkh8NtzwOWtmQDYWrFKuicHa1W/QybdUfHYFtjpiVknil0a89WkTBbvjzU5Ux
5lU3dozkH/ZLwV1bl7RnaYrS+/U6Kwx9TAJNhP/MpDJsZXigQ/gAdleC9Pi3pfHV
3t2Pn40GoYTvrdPIOWJTeG7fJCoS0eBXxAcemrEsawbxTCrNwyuWNLZkFFblDmLZ
MMn0wu2LXb3zbBpfSEvVSsBszuATZPfvKs+2jbdAQnEyGnltZLXO2ELhHKISWSWq
+7/3qXuEcfhmp5IBP/zRrZvkXj6nnjnDB03FZtRgyeDIzlQN+m0NX8nd0fo/vMlS
CvlBrSNct3Z23u8EoCCYAGRd9XRtJ9Dh/9AxCIDqi03m
-----END ENCRYPTED PRIVATE KEY-----

What Am I doing wrong?

Tomeu Rubi
  • 11
  • 1
  • 5
  • Your code is correct, and should work with the correct password Can you create a file with a test key (that you don't need to keep secure) that has the problem and let us look at it? (Don't directly post binary on Stack; either encode in base64 or hex -- openssl commandline can do base64 -- or use something like pastebin.) Also specify version and package of Java, in case it is due to a bug there. – dave_thompson_085 Feb 23 '22 at 07:27
  • Thanks for answers, not sure if I´ve done what you tell me, I´ve updated my question with the output of openssl pkcs12 -in example. Pfx -info. This certificate and all keys are for test purpose, so I don´t care about sharing it – Tomeu Rubi Feb 24 '22 at 10:10
  • No; the problem (which I can't reproduce) is occurring in the Java decryption, so I wanted the/an encrypted (PKCS12, binary) file to try to debug that decryption. `openssl pkcs12 -info` just confirms that openssl _can_ decrypt which you already told us -- although it shows you are apparently using 3.0, which _could_ be relevant although at this point I don't think so. – dave_thompson_085 Feb 25 '22 at 08:03
  • So, I'm using OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021) and jdk is in corretto-1.8.0.312 – Tomeu Rubi Feb 25 '22 at 09:00
  • Okay, it does appear to be a bug. On my system I normally use Oracle Java which works in 8u301 up (below that had a different problem that didn't parse PKCS12 with PBES2 at all) but adoptium 8u322-b06 fails and on EC2 both openjdk and corretto (from extras) fail. It looks like the same as https://bugs.openjdk.java.net/browse/JDK-8278989 . – dave_thompson_085 Feb 26 '22 at 16:05
  • after changing to the oracle jdk 8u311, the problem is solved, thanks @dave_thompson_085 – Tomeu Rubi Mar 03 '22 at 10:21

1 Answers1

1

as @dave_thompson_085 mentioned, the problem is due to the version of jdk. The solution would be to use jdk 8u311 from oracle instead of corretto

Tomeu Rubi
  • 11
  • 1
  • 5