
I know this issue looks like a known one (many questions on this here), several bugs have been reported on different JDK versions and the situation has been very well summarized in this post: https://stackoverflow.com/a/72501767

I happen to fall in what I think is another case, not yet answered. I must be doing something wrong, but I cannot see what.

I have a certificate and a private key in PEM format, and I want to create a JKS from that. I have read that the JKS format might not be needed anymore, but I do not control that part.

I process the files on the command line. Things go like this, nothing special or esoteric:

openssl pkcs12 -export -in cert.crt -passout pass:changeit -inkey pkey.key -out keystore.p12

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeystore keystore.jks

I get:

Importing keystore keystore.p12 to keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Now, the thing is that I have tried that with many versions of the JDK, and it never succeeds.

Facts:

  • the input files are both correct (checked with openssl x509 -in cert.crt -text -noout and openssl rsa -in pkey.key -text -noout)
  • the generated PKCS12 can be checked with openssl: openssl pkcs12 -in keystore.p12 -info -noout -passin pass:changeit
  • Ubuntu 22.04, openssl v3 (OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022))

From that point, I thought I stumbled on the known JDK issue.

I have tried with these versions, all of which fail with the exact same message:

  • openjdk version "11.0.15" 2022-04-19
  • openjdk version "17.0.3" 2022-04-19
  • openjdk version "18-ea" 2022-03-22

Finally, I could also try the following combo: openssl 1.1.1n + openjdk 11.0.15, which yields the same error. All the JDKs I have tried are above version 11.0.12.

I am stuck and desperate, have spent far too much time on this. (For the record, I try to set up the bitnami keycloak chart with an existing secret containing PEM certificates, and the container responsible for importing it fails. I have tried to do the same thing manually, and here I am).

Edit:

Thanks dave_thompson_085 for the suggestion. Here is the backtrace of the keytool error:

java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
    at java.base/java.security.KeyStore.load(KeyStore.java:1503)
    at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2319)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1234)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates

and the output of openssl pkcs12 -info:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

I am going to follow the path shown by that evil-looking java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates message...

P1B0
  • Have you tried `-srcstorepass pass:changeit`? – user207421 Jul 05 '22 at 10:02
  • 1
    Add `-J-showversion -v` to the `keytool -importkeystore` command(s) to confirm what you're running and get more complete error info (especially the 'Caused by:' section of the stacktrace). And confirm the metadata shown by `openssl pkcs12 -info -noout` especially if it is PBES2, PBKDF2, and hmacwithSHA256. – dave_thompson_085 Jul 05 '22 at 11:06
  • @dave_thompson_085, thank you for your response. This makes me think I have also seen this: https://ec.europa.eu/digital-building-blocks/wikis/display/CEKB/Could+not+load+keystore%3A+keystore+password+was+incorrect+with+java+1.8.301+for+Domibus+running+on+open+jdk I have tried adding ```-J-Dkeystore.pkcs12.legacy```, but this did not work. I am updating the question with the output of your commands. – P1B0 Jul 05 '22 at 12:40
  • 1
    Okay, stacktrace shows this is NOT a password/encryption problem such as the one in the previous Q; **it's the _input_ certificate(s?)** (which OpenSSL doesn't check strictly), and indeed you need to look there. Someone might have confused the fact that (at least for SSL/TLS) a leaf cert can have _Subject_ empty if SAN is present, but not _Issuer_, and if this is selfsigned Issuer and Subject must be the same. `keystore.pkcs12.legacy` only matters when Java/keytool is _creating_ the PKCS12, not reading it. – dave_thompson_085 Jul 05 '22 at 22:52
  • Yes, thank you. The certificates involved are generated by cert-manager, from a self-signed issuer. I'm going to dig from there : https://github.com/cert-manager/cert-manager/issues/3634 – P1B0 Jul 06 '22 at 12:54

1 Answer


Thanks to the comment by @dave_thompson_085, I could add the -J-showversion flag to the keytool -importkeystore command and get a useful message from that Java tool.

As you can see from the backtrace in my post, the resulting message keystore password was incorrect was the result of a deeper Empty issuer DN not allowed in X509Certificates exception... The error message was very misleading and made me lose time.

My problem came from how the issuer for my keycloak certificate was declared. I have referred to the cert-manager documentation, fixed my issue, and keycloak finally accepted my PEM as input to create a keystore.

Thanks and best regards,

Pierre
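The root cause diagnosed above (an X.509 certificate whose issuer Name is an empty SEQUENCE, which keytool rejects with a misleading "keystore password was incorrect" while OpenSSL happily packages it into a PKCS12) can be caught before the PKCS12 is ever built. The following is an added example, not code from the question, the answer, cert-manager or keytool: a stdlib-only Python script that walks the DER structure of a PEM certificate far enough to count the RDNs in the issuer and subject Names and flags an empty issuer. The `make_demo_pem` helper, the OIDs it hardcodes and the unsigned dummy certificate it builds are constructed here purely so the check can be exercised offline; a real deployment would point `check_certificate` at the cert.crt it is about to feed to `openssl pkcs12 -export`.

```python
"""Pre-flight check for the 'Empty issuer DN not allowed in X509Certificates' case.

Added example (not from the original post). It parses only the outer layers of
an X.509 certificate in DER form: Certificate -> tbsCertificate -> issuer/subject.
"""
import base64
import re
import sys

# --- minimal DER reader -----------------------------------------------------

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for every element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def check_certificate(pem_text):
    """Count issuer/subject RDNs; an issuer with zero RDNs is what keytool refuses."""
    der = pem_to_der(pem_text)
    tag, cert_start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, tbs_end = read_tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2], fields[4]
    count = lambda f: sum(1 for _ in children(der, f[1], f[2]))   # one SET per RDN
    issuer_rdns, subject_rdns = count(issuer), count(subject)
    return {"issuer_rdns": issuer_rdns, "subject_rdns": subject_rdns,
            "issuer_empty": issuer_rdns == 0}

# --- constructed demo input (NOT a real, signed certificate) ----------------

def tlv(tag, body):
    """Tiny DER encoder used only to build the demo certificate below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def name(cn):
    """Name ::= SEQUENCE OF SET OF (OID, value); cn=None gives the empty Name."""
    if cn is None:
        return tlv(0x30, b"")
    attr = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))  # 2.5.4.3 = CN
    return tlv(0x30, tlv(0x31, attr))

def make_demo_pem(issuer_cn, subject_cn):
    """Build a structurally valid but unsigned dummy certificate (constructed sample)."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))
    rsa_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010101")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"220101000000Z") + tlv(0x17, b"230101000000Z"))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00\x00"))           # placeholder key bits
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    cert = tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00\x00"))  # placeholder signature
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # usage: python check_issuer.py cert.crt   (no argument: run on the constructed demo)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_demo_pem(None, "keycloak")
    result = check_certificate(text)
    print(result)
    sys.exit(1 if result["issuer_empty"] else 0)
```

Run it against cert.crt before the `openssl pkcs12 -export` step; a non-zero exit means keytool will reject the resulting PKCS12 no matter which password you pass. For a quick manual equivalent, `openssl x509 -in cert.crt -noout -issuer` printing a bare `issuer=` tells the same story.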

P1B0