
In the course of using client certificates for authentication, I decided to use not-yet-commons-ssl-0.3.11.jar. That has resulted in another issue: the simple act of invoking the constructor on EasySSLProtocolSocketFactory or StrictSSLProtocolSocketFactory produces an exception.

The code, as isolated in a simple cmd line app:

    public class CertTest {

        public static void main(String[] args) {

            System.setProperty("javax.net.debug", "ssl,handshake"); // SSL DEBUG INFO
            String keystore = "/usr/java/jdk1.6.0_11/jre/lib/security/cacerts";
            String keystorePassword = "changeit";

            // cacerts is pointed at as the key store; the trust store lines are commented out
            System.setProperty("javax.net.ssl.keyStore", keystore);
            System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
    //      System.setProperty("javax.net.ssl.trustStore", keystore);
    //      System.setProperty("javax.net.ssl.trustStorePassword", keystorePassword);

            try {
                org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory factory =
                    new org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory();
            } catch (Exception e) {
                System.out.println(e);
            }
        }
    }

To isolate issues with older libs, I put the above code in a directory with these jars (these are the ONLY jars on the classpath):

  1. httpclient-4.0.1.jar
  2. not-yet-commons-ssl-0.3.11.jar
  3. commons-httpclient-3.1.jar
  4. httpcore-4.0.1.jar

So, with some client certificates in the cacerts keystore, I get: org.apache.commons.ssl.ProbablyBadPasswordException: Probably bad JKS-Key password: java.security.UnrecoverableKeyException: Password must not be null

If I use keytool to delete all the client certificates that I have loaded, then the exception changes to

**Caused by: java.security.KeyStoreException: No private keys found in keystore!**

    at org.apache.commons.ssl.KeyStoreBuilder.validate(KeyStoreBuilder.java:269)
    at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:129)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:179)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:170)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:160)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:64)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:114)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:89)
    at org.apache.commons.ssl.SSL.<init>(SSL.java:142)
    at org.apache.commons.ssl.SSLClient.<init>(SSLClient.java:59)
    at org.apache.commons.ssl.HttpSecureProtocol.<init>(HttpSecureProtocol.java:55)
    at org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory.<init>(EasySSLProtocolSocketFactory.java:94)

Snippets in the output:

    keyStore is : /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
      Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
      Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
      Algorithm: RSA; Serial number: 0x4eb200670c035d4f

    whole bunch of default trusted certs snipped here...
    trigger seeding of SecureRandom
    done seeding SecureRandom
    @@@@@@@@@@ EXCEPTION
    java.security.KeyStoreException: No private keys found in keystore!

Any ideas?

1 Answer

java.security.KeyStoreException: No private keys found in keystore!

This exception specifically complains that there are no private keys in the keystore you are trying to load. In the case of cacerts, which is Java's default truststore, this is true!

But with the code you have posted (meaning you have not really posted any code) and the fact that you don't say anything about the keystore you are trying to load, it is not possible to help you with this.

  • The client certificate (and its private key) must be in the client's key store, not the trust store. There is no default key store in Java (only a default trust store). – Bruno Jan 01 '12 at 17:24
  • @Bruno: Yes, I agree. It is just that with the code he posted it is not clear what his keystore is. – Cratylus Jan 01 '12 at 17:35
  • I had loaded the client cert/pvt key in cacerts, and then I get "org.apache.commons.ssl.ProbablyBadPasswordException: Probably bad JKS-Key password: java.security.UnrecoverableKeyException: Password must not be null". Removing the entries from the keystore will result in "java.security.KeyStoreException: No private keys found in keystore!" No luck either way!! – Sunny Jan 02 '12 at 21:37
  • @Sunny The first exception you got means that you didn't associate a password with your key entry. What you should do is create a new keystore for your private key and client certificate and load that as your keystore in your code. – Cratylus Jan 02 '12 at 23:06
  • @Sunny You should certainly not put private keys into any truststore, let alone the one that comes with Java. You should put them into a private file created with the keytool, and use it as your keystore. Don't confuse keystores and truststores. They serve very different purposes, even though they are the same format and managed with the same tool. – user207421 Sep 18 '14 at 22:49
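The answer and comments above boil down to: keep the private key and client certificate in their own key store, keep cacerts as the trust store, and make sure the key entry has a password you actually pass in. The following is an added example (not code from the question, the answer, or the not-yet-commons-ssl project) that does exactly that with plain JSSE and checks both failure modes from the question before the TLS layer sees them: a store with no private-key entries (the "No private keys found" case) and a key entry whose password does not match (the "Password must not be null" case). The paths `client.jks` and the passwords in `main` are assumptions for illustration; the only real path is the cacerts file from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext for client-certificate authentication from two
 * separate files: a key store holding the private key + client cert, and a
 * trust store holding CA certificates (cacerts). Added example; not part of
 * the original question or answer.
 */
public class ClientTlsContext {

    /** Loads a JKS file with the given store password (Java 6 style, no try-with-resources). */
    public static KeyStore loadJks(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePassword);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Returns the aliases of private-key entries; empty for a pure trust store such as cacerts. */
    public static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<String>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /**
     * Fails fast, with a readable message, if the file is not usable as a key store:
     * no key entries at all, or a key entry the supplied key password cannot unlock.
     */
    public static void checkKeyStore(KeyStore ks, String path, char[] keyPassword) throws Exception {
        List<String> aliases = privateKeyAliases(ks);
        if (aliases.isEmpty()) {
            throw new IllegalStateException(path + " has no private-key entries; "
                + "it is a trust store, not a key store");
        }
        for (String alias : aliases) {
            try {
                ks.getKey(alias, keyPassword); // each key entry is protected by its own password
            } catch (UnrecoverableKeyException e) {
                throw new IllegalStateException("key password does not unlock entry '" + alias
                    + "' in " + path, e);
            }
        }
    }

    public static SSLContext build(String keyStorePath, char[] storePassword, char[] keyPassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = loadJks(keyStorePath, storePassword);
        checkKeyStore(keyStore, keyStorePath, keyPassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword); // key password, not (necessarily) the store password

        KeyStore trustStore = loadJks(trustStorePath, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file and passwords for illustration; only the cacerts path comes from the question.
        SSLContext ctx = build(
            "client.jks", "storepass".toCharArray(), "keypass".toCharArray(),
            "/usr/java/jdk1.6.0_11/jre/lib/security/cacerts", "changeit".toCharArray());
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

To produce the `client.jks` this assumes from a PKCS#12 bundle issued by the CA, `keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks` imports the key entry into a fresh JKS file; the password keytool prompts for on that entry is the `keyPassword` above. Running `build` against cacerts as the key store trips the first check instead of an opaque `KeyStoreException` deep inside a library constructor, and using the store password where the key password is expected trips the second.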