UnrecoverableKeyException on trying to read key using alias from keystore

Question

I am getting the following error on Line #4 of code below in IBM Websphere Liberty Profile 16.0.0

InputStream keystoreStream = EncryptionUtility.class.getResourceAsStream(keyStoreLocation);         
KeyStore keystore = KeyStore.getInstance("JCEKS");
keystore.load(keystoreStream, storePass.toCharArray());
Key key = keystore.getKey(alias, keyPass.toCharArray());

Which results in the following exception:

Caused by: java.security.UnrecoverableKeyException: com.ibm.crypto.provider.AESSecretKey
at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:358)
at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:133)
at java.security.KeyStore.getKey(KeyStore.java:804)
at com.comdata.base.helper.EncryptionUtility.initSymmetricKey(EncryptionUtility.java:134)

Any ideas why this is happening? Is anything need to be configured for cryptography?

I poked through the code of keyProtector.java in JDK 7 and UnrecoverableKeyException is triggered by ClassNotFoundException com.ibm.crypto.provider.AESSecretKey

Do we need to install any feature via installUtility?

score 0 · Accepted Answer · answered Jan 13 '17 at 16:29

Any ideas why this is happening? Is anything need to be configured for cryptography?

The class not being found (com.ibm.crypto.provider.AESSecretKey) is from the IBM JDK.

It looks like your keystore was created using the IBM JDK and thus has a key packaged in it that uses the AESSecretKey from the IBM JDK.

At runtime, your Liberty server is probably using a non-IBM JDK, which would not have this IBM JDK specific class in it.

Do we need to install any feature via installUtility?

Nope. The missing class should be provided by the JDK, as opposed to a Liberty feature.

great! after using ibm jdk initialization of crypto module is successful! — Balaji, Jan 16 '17 at 11:00

UnrecoverableKeyException on trying to read key using alias from keystore

1 Answers1