Java Keytool的收益“密钥库密码不正确”试图将PKCS12导入JKS

发布于 2025-02-12 21:06:25 字数 2802 浏览 0 评论 0原文

我知道这个问题看起来像是一个已知的问题（这里有很多问题），在不同的JDK版本上已经报道了一些错误，并且在这篇文章中总结了情况： https://stackoverflow.com/a/72501767

我碰巧陷入了我认为是另一种情况，尚未回答的情况。我一定做错了什么，但是我看不到什么。

我有一个以PEM格式的证书和私钥，我想从中创建一个JK。我读到可能不再需要JKS格式，但是我不控制该部分。

我处理命令行中的文件。事情像这样，没什么特别的，也没有深奥的：

openssl pkcs12 -export -in cert.crt -passout pass:changeit -inkey pkey.key -out keystore.p12

keytool -importkeystore -srckeystore  keystore.p12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeystore keystore.jks

我得到了：

Importing keystore keystore.p12 to keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

现在，我已经尝试了许多版本的JDK尝试过，而且它永远不会成功。

事实：

输入文件都是正确的（使用openssl x509 -in cent.crt -text -noout和openssl rsa -in in pkey.key.key -text -noout
）可以使用OpenSSL检查生成的PKCS12：openssl pkcs12 -in keystore.p12 -info -NOOUT -PASPIN PASS：ChangeIt
Ubuntu 22.04，Openssl V3（OpenSSL 3.0.2 2022年3月15日（库：OpenSSL 3.0.2 15 Mar 2022）

，我以为我偶然发现了已知的JDK问题上

在

。 “ 11.0.15” 2022-04-19
OpenJDK版本“ 17.0.3” 2022-04-19
OpenJDK版本“ 18-ea” 2022-03-22

最后，我也可以尝试以下组合：OpenSSL 1.1.1.1n + OpenJDK 11.0.15产生相同的错误。我尝试过的所有JDK均高于版本11.0.12。

我被困和绝望，花了太多时间在这方面。（根据记录，我尝试设置Bitnami KeyCloak图表，其中包含PEM证书的现有秘密，以及负责导入其失败的容器。我试图手动执行相同的操作，在这里我是）。

编辑：

感谢Dave_thompson_085的建议。这是键盘错误的回溯：

java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
    at java.base/java.security.KeyStore.load(KeyStore.java:1503)
    at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2319)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1234)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates

以及OpenSSL PKCS12 -Info的输出：

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

我将遵循该邪恶的java.security.cert.certificateparsingexception的邪恶的路径：x509certificates dn不允许/代码>消息...

原文

I know this issue looks like a known one (many questions on this here), several bugs have been reported on different JDK versions and the situation has been very well summarized in this post:
https://stackoverflow.com/a/72501767

I happen to fall in what I think is another case, not yet answered. I must be doing something wrong, but I cannot see what.

I have a certificate and a private key in PEM format, and I want to create a JKS from that. I have read that the JKS format might not be needed anymore, but I do not control that part.

I process the files in command line. Things go like this, nothing special nor esoteric:

openssl pkcs12 -export -in cert.crt -passout pass:changeit -inkey pkey.key -out keystore.p12

keytool -importkeystore -srckeystore  keystore.p12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeystore keystore.jks

I get:

Importing keystore keystore.p12 to keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Now, the thing is that I have tried that with many versions of the JDK, and it never succeeds.

Facts:

the input files are both correct (checked with openssl x509 -in cert.crt -text -noout and openssl rsa -in pkey.key -text -noout)
the generated PKCS12 can be checked with openssl : openssl pkcs12 -in keystore.p12 -info -noout -passin pass:changeit
Ubuntu 22.04, openssl v3 (OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

From that point, I thought I stumbled on the known JDK issue.

I have tried with those versions, all fail with the exact same message:

openjdk version "11.0.15" 2022-04-19
openjdk version "17.0.3" 2022-04-19
openjdk version "18-ea" 2022-03-22

Finally, I could also try with the following combo: openssl 1.1.1n + openjdk 11.0.15, yields same error.
All the JDK I have tried are above version 11.0.12.

I am stuck and desperate, have spent far too much time on this.
(For the record, I try to set up the bitnami keycloak chart with an existing secret containing PEM certificates, and the container responsible for importing it fails. I have tried to do the same thing manually, and here I am).

Edit:

Thanks dave_thompson_085 for the suggestion. Here is the backtrace of the keytool error:

java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
    at java.base/java.security.KeyStore.load(KeyStore.java:1503)
    at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2319)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1234)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates

and the output of openssl pkcs12 -info:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

I am going to follow the path shown by that evil-looking java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates message...

分享到QQ

分享到微博