
I have created two different DSA keys using the Java keytool (it defaults to 2048 bits and SHA256, so the second one is explicitly created with length 1024):

keytool -genkey -keystore c:\test\dsa2048.p12 -storetype pkcs12 -storepass password -keypass password -alias dsa2048

keytool -genkey -keystore c:\test\dsa1024.p12 -storetype pkcs12 -storepass password -keypass password -alias dsa1024 -keysize 1024

I then imported these keys into the Windows keystore.

When I read the Windows keystore, KeyStore.aliases() does not return these ids. It works fine when I use RSA as the keyalg, but DSA doesn't work. I am also able to load these ids if I create the keystore from the file system, but I need to load them from the Windows cert store.

Is this expected or is there something else I need to do to see them? Is it possible that keytool is creating invalid ids? When I try to sign with these ids in Acrobat I'm getting an error there as well...

import java.security.KeyStore;
import java.util.Enumeration;

public class WindowsKeyStoreTest
{
    public static void main(String [] args) throws Exception
    {
        windowsKeystore();
    }
    
    public static void windowsKeystore() throws Exception
    {
        // "Windows-MY" is the current user's personal certificate store,
        // exposed by the SunMSCAPI provider; it has no file and no password.
        KeyStore keyStore = KeyStore.getInstance("Windows-MY");
        keyStore.load(null, null);
        Enumeration<String> aliases = keyStore.aliases();
        while(aliases.hasMoreElements())
        {
            String alias = aliases.nextElement();
            // Only aliases that Java sees as private-key entries are printed;
            // certificate-only entries (TrustedCertEntry) are skipped here.
            if(keyStore.isKeyEntry(alias))
            {
                System.out.println(alias);
            }
        }
    }
}
Amber
  • As Arte Johnson used to say on Laugh-In, "verry interesting". I have DSA keys & certs created with OpenSSL, and on W10 (home) I can import them and they show correctly in certmgr.msc and PowerShell (gci cert:\currentuser\my), but Java doesn't see one at all, and sees the other two as cert-only (i.e. TrustedCertEntry, not PrivateKeyEntry) -- you might change your code to check for that also. On W8.1 one doesn't import, and the other two don't appear at all in Java. Looks like a Java bug to me. – dave_thompson_085 Mar 19 '21 at 23:38
  • That's helpful to know it's not just my keytool-created certificates. I guess I ought to try the latest version of java as well before submitting a bug! – Amber Mar 20 '21 at 03:07
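An added diagnostic, not code from the question and not a posted answer: it lists every alias in Windows-MY with its entry type and the public-key algorithm of its certificate, so that DSA entries which Java imports as certificate-only (the TrustedCertEntry case raised in the comments) are visible instead of being filtered out by the isKeyEntry check, and it reports whether getKey actually returns a private-key handle. The optional PKCS12 comparison takes a hypothetical keystore path and password on the command line; both are assumptions for this example.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: per-alias report for the Windows personal store and,
// optionally, the PKCS12 file that was imported into it.
public class KeyStoreEntryReport {

    public static void main(String[] args) throws Exception {
        // Windows-MY (SunMSCAPI) has no file and no password; keys are handles, not bytes.
        KeyStore win = KeyStore.getInstance("Windows-MY");
        win.load(null, null);
        report("Windows-MY", win, null);

        // Optional comparison: java KeyStoreEntryReport c:\test\dsa2048.p12 password
        // (hypothetical path and password taken from the command line).
        if (args.length == 2) {
            char[] password = args[1].toCharArray();
            KeyStore p12 = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(args[0])) {
                p12.load(in, password);
            }
            report(args[0], p12, password);
        }
    }

    // Prints alias, entry type, key algorithm and subject for every alias,
    // including certificate-only entries that isKeyEntry() would hide.
    static void report(String name, KeyStore ks, char[] keyPassword) throws Exception {
        System.out.println("== " + name + " (provider " + ks.getProvider().getName() + ") ==");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String keyAlg = cert == null ? "?" : cert.getPublicKey().getAlgorithm();
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "-";
            String type;
            if (ks.isKeyEntry(alias)) {
                // For Windows-MY the password is ignored (null); a DSA/RSA mismatch or an
                // unsupported algorithm shows up here as a null key or an exception.
                try {
                    Key k = ks.getKey(alias, keyPassword);
                    type = "PrivateKeyEntry (" + (k == null ? "no key returned" : k.getAlgorithm()) + ")";
                } catch (UnrecoverableKeyException e) {
                    type = "PrivateKeyEntry (unrecoverable: " + e.getMessage() + ")";
                }
            } else if (ks.isCertificateEntry(alias)) {
                type = "TrustedCertEntry (certificate only)";
            } else {
                type = "unknown entry type";
            }
            System.out.printf("%-20s %-45s %-5s %s%n", alias, type, keyAlg, subject);
        }
    }
}
```

Running this against Windows-MY shows whether the dsa1024/dsa2048 aliases are absent altogether or present as TrustedCertEntry with keyAlg DSA; the same aliases read from the .p12 file should appear as PrivateKeyEntry (DSA). Comparing the two columns with what certmgr.msc or `gci cert:\currentuser\my` reports is the quickest way to separate an import problem in Windows from a provider limitation in Java, and the SunMSCAPI section of the JDK security providers documentation for the JDK in use lists which key algorithms that provider exposes.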

0 Answers