
I'm using WSS4J to sign a SOAP message. When the WSSecSignature is being built I get the following error:

java.security.UnrecoverableKeyException: Cannot recover key

The error specifically happens here:

sun.security.provider.KeyProtector.recover(KeyProtector.java:328)

I have triple-checked that I am using the correct password; it is identical. If I change it to a different password I get a different error about not being able to access the keystore. After looking at the code, a copy of which can be seen here:

/*
 * Check the integrity of the recovered key by concatenating it with
 * the password, digesting the concatenation, and comparing the
 * result of the digest operation with the digest provided at the end
 * of <code>protectedKey</code>. If the two digest values are
 * different, throw an exception.
 */

md.update(passwdBytes);
Arrays.fill(passwdBytes, (byte)0x00);
passwdBytes = null;
md.update(plainKey);
digest = md.digest();
md.reset();
for (i = 0; i < digest.length; i++) {
    if (digest[i] != protectedKey[SALT_LEN + encrKeyLen + i]) {
        throw new UnrecoverableKeyException("Cannot recover key");
    }
}

It seems that when the given password is being hashed and compared to the passwdBytes variable, it gets a different result and so it throws an error. I'm not sure what I've done wrong to get this result.

Seb
  • Does the key entry have a password of its own? – user207421 Mar 01 '18 at 15:10
  • The key was stored in a pfx, which was password protected. Then I moved it to a .jks with some certificates. The password for the jks is different to the .pfx password. When I used the keytool to move it did it keep the original password? – Seb Mar 01 '18 at 15:34
  • It seems wss4j is using the default cryptographic provider of the JDK. It does not work with all types of PKCS12, especially if they were built with BouncyCastle (I do not know why). I suggest repacking the PFX (create a new one and import the key) or forcing wss4j to use BouncyCastle – pedrofb Mar 01 '18 at 19:20
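The check quoted in the question is the per-entry integrity check of the JKS key-protection scheme, and it runs with the key entry's own password, which can differ from the keystore password (a keytool -importkeystore from a PKCS12 keeps the source entry's password unless -destkeypass is given). The following is an added example, not code from the question, the JDK or WSS4J: it re-implements the protect and recover steps of OpenJDK's sun.security.provider.KeyProtector in Python (UTF-16BE password bytes, 20-byte salt, iterated SHA-1 keystream, SHA-1(password || plainKey) trailer) so that the "Cannot recover key" path can be triggered on demand. The key bytes and the two password strings are constructed for the demonstration, and the ASN.1 EncryptedPrivateKeyInfo wrapper that the real JKS file adds around these bytes is left out.

```python
"""JKS private-key protection (sun.security.provider.KeyProtector), re-implemented.

Added example: shows why a key entry protected with one password cannot be
recovered with another, even when the keystore itself opens fine.
"""
import hashlib
import os

SALT_LEN = 20    # KeyProtector.SALT_LEN
DIGEST_LEN = 20  # SHA-1 output length, KeyProtector.DIGEST_LEN


class UnrecoverableKeyError(Exception):
    """Python stand-in for java.security.UnrecoverableKeyException."""


def _password_bytes(password: str) -> bytes:
    # KeyProtector writes each Java char as two big-endian bytes (UTF-16BE, no BOM).
    return password.encode("utf-16-be")


def _keystream(passwd: bytes, salt: bytes, length: int) -> bytes:
    """Iterated SHA-1(password || previous digest), seeded with the salt, truncated."""
    out = bytearray()
    digest = salt
    while len(out) < length:
        digest = hashlib.sha1(passwd + digest).digest()
        out.extend(digest)
    return bytes(out[:length])


def protect(plain_key: bytes, password: str, salt: bytes = b"") -> bytes:
    """Return salt || (plainKey XOR keystream) || SHA-1(password || plainKey)."""
    passwd = _password_bytes(password)
    salt = salt or os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    stream = _keystream(passwd, salt, len(plain_key))
    encr_key = bytes(a ^ b for a, b in zip(plain_key, stream))
    check = hashlib.sha1(passwd + plain_key).digest()
    return salt + encr_key + check


def recover(protected: bytes, password: str) -> bytes:
    """Undo protect(); raise UnrecoverableKeyError when the trailer digest mismatches."""
    if len(protected) < SALT_LEN + DIGEST_LEN:
        raise ValueError("protected key too short")
    passwd = _password_bytes(password)
    salt = protected[:SALT_LEN]
    encr_key = protected[SALT_LEN:-DIGEST_LEN]
    stored = protected[-DIGEST_LEN:]
    stream = _keystream(passwd, salt, len(encr_key))
    plain_key = bytes(a ^ b for a, b in zip(encr_key, stream))
    # Same check as the loop quoted in the question: a wrong password yields a
    # different plainKey, so SHA-1(password || plainKey) never matches the trailer.
    if hashlib.sha1(passwd + plain_key).digest() != stored:
        raise UnrecoverableKeyError("Cannot recover key")
    return plain_key


def demo() -> str:
    """Protect with the (hypothetical) PFX password, recover with the JKS password."""
    # Constructed stand-in for PKCS#8 DER bytes; not a real private key.
    key = b"\x30\x82\x04\xbd" + bytes(range(60))
    protected = protect(key, "pfx-password")      # password the entry was imported with
    assert recover(protected, "pfx-password") == key
    try:
        recover(protected, "jks-password")        # keystore password, wrong for the entry
    except UnrecoverableKeyError as e:
        return str(e)
    return "no error"


if __name__ == "__main__":
    print(demo())
```

Two different passwords guard two different checks in a JKS file: the keystore-level trailer (the "Keystore was tampered with, or password was incorrect" IOException) uses the keystore password, while the per-entry trailer above uses the entry's key password. Getting the keystore open but then failing in KeyProtector.recover therefore points at the key password, which is what WSS4J takes in WSSecSignature.setUserInfo(alias, password). A quick way to confirm is to run keytool -importkeystore again with an explicit -destkeypass equal to the keystore password and retry the signing.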
