
I'm trying to use java.security.KeyStore in a Scala application.

Below is how my code looks:

    import java.io.{FileInputStream, InputStream}
    import java.security.{KeyStore, SecureRandom}
    import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
    import akka.http.scaladsl.{ConnectionContext, HttpsConnectionContext} // assumed: ConnectionContext.https is Akka HTTP's

    // The posted snippet starts inside a match; the scrutinee (PASSWORD) and the enclosing
    // method are assumed here so the block compiles. Both options come from configuration.
    def createHTTPSContext(PASSWORD: Option[String], KEYSTORE: Option[String]): Option[HttpsConnectionContext] = {
      val ks: KeyStore = KeyStore.getInstance("PKCS12")
      val keyManagerFactory: KeyManagerFactory = KeyManagerFactory.getInstance("SunX509")
      val tmf: TrustManagerFactory = TrustManagerFactory.getInstance("SunX509")
      val sslContext: SSLContext = SSLContext.getInstance("TLS")
      PASSWORD match {
        case Some(password) =>
          val pwdChars: Array[Char] = password.toCharArray
          val keystore: InputStream = KEYSTORE match { // for live override dev certificate
            case Some(path) =>
              new FileInputStream(path)
            case None =>
              getClass.getClassLoader.getResourceAsStream("myResource")
          }
          try ks.load(keystore, pwdChars) finally keystore.close() // release the stream once loaded
          keyManagerFactory.init(ks, pwdChars)
          tmf.init(ks)
          sslContext.init(keyManagerFactory.getKeyManagers, tmf.getTrustManagers, new SecureRandom)
          Some(ConnectionContext.https(sslContext))
        case None =>
          None // no keystore password configured, so no HTTPS context is built
      }
    }

But when I publish this particular package on my Mac and try to use it in a different service, I get this error:

    [error] java.io.IOException: public key protected PKCS12 not supported
    [error]         at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1958)
    [error]         at java.security.KeyStore.load(KeyStore.java:1445)
    [error]         at com.f1000.baseservice.BaseMicroService$.createHTTPSContext(BaseMicroService.scala:69)
    [error]         at com.f1000.StaticInfomicroservice.StaticInfoMicroService$.createWebServer(StaticInfoMicroService.scala:36)
    [error]         at com.f1000.StaticInfomicroservice.StaticInfoMicroService$.$anonfun$main$1(StaticInfoMicroService.scala:61)
    [error]         at com.f1000.StaticInfomicroservice.StaticInfoMicroService$.$anonfun$main$1$adapted(StaticInfoMicroService.scala:58)
    [error]         at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    [error]         at java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(ForkJoinTask.java:1402)
    [error]         at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
    [error]         at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
    [error]         at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
    [error]         at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)

This error generally occurs when I publish the package on a Mac machine, but when I publish the same package on a Windows machine, it works perfectly fine.

Do you think that this might be something specific to Mac?

Amey Lokhande
  • Does it work when you use JKS format instead of P12? You can convert your P12 to JKS with keytool `keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks` – applewil Apr 29 '21 at 14:40
  • Are you sure you're using the same PKCS12 file in both systems? Where does it come from or how was it created? (Although the 'public key protected' option is in the RFC I've never seen anything that implements or uses it.) – dave_thompson_085 Apr 30 '21 at 08:31
  • Hi, @applewil I think there's something wrong with the P12 file which I currently have. I'm trying to format it & see if that works. But thanks for commenting. – Amey Lokhande Apr 30 '21 at 12:16

2 Answers

Just FYI, since a coworker and I spent a couple of hours figuring this out. We got this message when loading a Java Keystore with a cert from a consultant our company hired.

The consultant's cert was the next level up in the trust chain, so the Keystore had our cert and the consultant's cert. The problem was that the consultant had included two of its certs, one with signature encrypted with SHA-1 and one with SHA-256. Our cert had its signature encrypted with SHA-256. We saw this error intermittently (the kind that drives you nuts) until we removed the SHA-1 encrypted cert from the keystore.

jgoyer

I faced the same error in a situation where the keystore binary file was corrupted by the jinja2 templating engine in Ansible. Disabling templating for the keystore fixed the issue.

Also, you can check for file corruption by opening the keystore with the keytool JDK utility:

    keytool -list -v -keystore yourkeystore

In my case, keytool showed me the same error message:

    public key protected PKCS12 not supported
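The keytool check above only tells you that loading fails. As an added example (not from this answer or the original post), the script below reads the outer DER layers of a PKCS#12 file the way the JDK does: Java's PKCS12KeyStore accepts only an authSafe whose contentType is id-data and reports "public key protected PKCS12 not supported" for anything else, which is exactly what a keystore mangled by a text templating step looks like. The sample bytes are a constructed 25-byte PFX skeleton, not a real keystore.

```python
# Added example (not from the original post). PFX ::= SEQUENCE { version INTEGER (3),
# authSafe ContentInfo, macData OPTIONAL }; ContentInfo ::= SEQUENCE { contentType OID,
# content [0] EXPLICIT ANY }. Java's PKCS12KeyStore accepts only contentType == id-data
# and otherwise reports "public key protected PKCS12 not supported".
ID_DATA = "1.2.840.113549.1.7.1"

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError(f"bad long-form length at offset {pos}")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError(f"length {length} overruns data at offset {pos}")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """DER OID content bytes to dotted form (first byte packs the first two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_pkcs12(blob: bytes) -> str:
    """Return 'ok' or the reason Java's PKCS12KeyStore.load would reject the file."""
    if b"\xef\xbf\xbd" in blob:  # U+FFFD: the binary was decoded/re-encoded as text
        return "contains UTF-8 replacement characters: file likely went through a text pipeline"
    if blob[:1] != b"\x30":
        return "not DER: first byte is not SEQUENCE (0x30)"
    try:
        _, pfx, _ = read_tlv(blob)
        vtag, version, pos = read_tlv(pfx)
        if vtag != 0x02 or version != b"\x03":
            return "PFX version is not 3"
        otag, oid, _ = read_tlv(read_tlv(pfx, pos)[1])  # authSafe -> contentType
        if otag != 0x06:
            return "authSafe.contentType is not an OBJECT IDENTIFIER"
        if (dotted := decode_oid(oid)) != ID_DATA:
            return f"contentType {dotted} is not id-data: Java reports 'public key protected PKCS12 not supported'"
    except (ValueError, IndexError) as e:
        return f"malformed DER: {e}"
    return "ok"

# Constructed PFX skeleton: version 3, authSafe with id-data and a dummy [0] OCTET STRING.
SAMPLE_OK = bytes.fromhex("3017020103301206092a864886f70d010701a0050403aabbcc")
SAMPLE_SIGNED = SAMPLE_OK[:17] + b"\x02" + SAMPLE_OK[18:]  # contentType -> id-signedData
SAMPLE_TEMPLATED = SAMPLE_OK.decode("utf-8", "replace").encode()  # what a text templater does
```

Run `inspect_pkcs12(open("yourkeystore", "rb").read())` against a suspect file; a result other than "ok" names the layer at which the JDK parser gives up.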