As part of a JAR code-signing process, I'm running into the following issue when trying to use a P12 keystore I'm creating using keytool.

I have the 2 following files:

my_private_key.key

cert_signed_by_ca.pem (corresponds with my_private_key.key)

First, I'm using the following command in order to create a p12 format keystore:

openssl pkcs12 -export -in cert_signed_by_ca.pem -inkey my_private_key.key -certfile cert_signed_by_ca.pem -out my_keystore.p12

When prompted "Enter pass phrase for my_private_key.key", I'm typing in the password associated with my_private_key.key.

Then I'm prompted "Enter Export Password:", to which I'm entering a new password (let's call it export_password for the sake of this example).

Then I'm prompted "Verifying - Enter Export Password:", to which I'm retyping my export_password.

I can see that a my_keystore.p12 file has been successfully generated in my working directory.

From this point onwards, any action I try to perform with keytool on my_keystore.p12 results in an "invalid password" error. For example, when trying to list the keystore's properties using:

keytool -v -list -storetype pkcs12 -keystore my_keystore.p12

I'm being prompted "Enter keystore password:".

No matter what I type in here, whether it's the password associated with my_private_key.key or the export_password I chose when generating the keystore, I get the same exception:

keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
    at java.base/java.security.KeyStore.load(KeyStore.java:1479)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1064)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:409)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:402)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 6 more

As I mentioned, I'm getting this same issue when trying to run other keytool commands on my_keystore.p12.

What am I missing here? Is there another password related to my keystore which I'm not aware of?

P.S.: I'm using Java 11 on an M1 Monterey Mac.

itaydafna
  • Is that OpenSSL 3.0.x and Java 11 _below 11.0.12_? If so, dupe https://stackoverflow.com/questions/72412346/java-keytool-importing-pkcs12-to-jks-getting-error-keystore-password-was-inc and yes the 'export password' is the only one that should be needed. (PS: I assume you mean code-signing, not signing of female secondary-school students.) – dave_thompson_085 Dec 01 '22 at 15:27
  • Thanks @dave_thompson_085 for pointing out the answer! (lol, thought I did mention it's for code-signing) – itaydafna Dec 01 '22 at 20:27
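
The version pairing raised in the comment above, as an added example that is not part of the original thread: it parses `openssl version` and `java -version` output and, when OpenSSL 3 writes the file and Java 11 below 11.0.12 reads it, prints the question's export command with older PBE and MAC algorithms pinned. The function names and the choice of `-certpbe`/`-keypbe`/`-macalg` values are this example's assumptions, and treating every OpenSSL 3.x release like 3.0.x goes beyond what the comment states.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the thread.

# Print x.y.z from `openssl version` output. Prints nothing for other
# builds such as LibreSSL, whose version numbers follow a different scheme.
openssl_version() {
  case "$1" in
    "OpenSSL "*) set -- ${1#OpenSSL }; printf '%s\n' "$1" ;;
  esac
}

# Print the quoted version from the first line of `java -version` output.
java_version() {
  printf '%s\n' "$1" | sed -n '1s/.*version "\([0-9][0-9._]*\).*/\1/p'
}

# Exit 0 when the pairing from the comment applies: OpenSSL 3.x writing the
# keystore and Java 11 below 11.0.12 reading it. Exit 1 otherwise.
needs_compat_p12() {
  local ossl="$1" java="$2" major minor patch
  [ -n "$ossl" ] && [ "${ossl%%.*}" -ge 3 ] 2>/dev/null || return 1
  IFS=. read -r major minor patch <<EOF
$java
EOF
  [ "$major" = 11 ] || return 1
  minor=${minor:-0}; patch=${patch%%[!0-9]*}   # "9.1" -> "9", "" stays ""
  [ "$minor" -eq 0 ] 2>/dev/null && [ "${patch:-0}" -lt 12 ]
}

# Print the export command for the question's files. The compat variant pins
# PBE-SHA1-3DES and a SHA-1 MAC (assumed values); these are weaker than the
# OpenSSL 3 defaults, so moving to Java 11.0.12 or later is the better fix.
p12_export_cmd() {
  local cmd="openssl pkcs12 -export -in cert_signed_by_ca.pem -inkey my_private_key.key -certfile cert_signed_by_ca.pem -out my_keystore.p12"
  if needs_compat_p12 "$1" "$2"; then
    cmd="$cmd -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg SHA1"
  fi
  printf '%s\n' "$cmd"
}

# Usage: p12_export_cmd "$(openssl_version "$(openssl version)")" \
#                       "$(java_version "$(java -version 2>&1)")"
```

Both passwords are still entered at the prompts, as in the question, so neither appears in shell history or the process list.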
