ChristopherSchultz / ssltest

A Java-based tool to test SSL connections to servers.
Apache License 2.0

Error when using a key store with EC key pair #4

Closed Footur closed 2 years ago

Footur commented 3 years ago

When I use ssltest with a key store containing a key pair based on an elliptic curves algorithm, I get the following error:

$ java -jar ~/acme-test/ssltest/build/ssltest.jar -hiderejects -showhandshakeerrors -showsslerrors -showcerts -showerrors -keystore ~/SoapUI-Projects/foo_client_keystore.p12 -keystorepassword keystore_password 10.210.248.76:8743
Exception in thread "main" java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:465)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
        at net.christopherschultz.ssltest.SSLTest.main(SSLTest.java:329)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:406)
        at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:295)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:400)

$ java -version
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)

Please let me know if you have any questions.

ChristopherSchultz commented 3 years ago

Can you give me some steps-to-reproduce a keystore which fails in this way? There is no communication, so it doesn't matter if the key store won't ultimately allow a connection to the IP address you have given. Hopefully, a simple "this is the keytool command you need to use" is possible.

Footur commented 3 years ago

I've used Key Store Explorer in this case to generate the key pair, based on NIST Curve P-384. Furthermore, I tried the connection with an RSA-based key pair. In this case, a TLS connection could be established without any problems.

ChristopherSchultz commented 3 years ago

Can you post the output of:

$ java -showversion -jar ssltest.jar -client-info

and

$ java -showversion -jar ssltest.jar -list-curves

Can you also show the output of:

$ keytool -list -v -keystore your_ec_keystore_file.jks

Footur commented 3 years ago

Of course!

$ java -showversion -jar ssltest.jar -client-info
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)
Dumping Clilent Info
Supported TLS Protocols: 
  TLSv1.3
  TLSv1.2
  TLSv1.1
  TLSv1
  SSLv3
  SSLv2Hello
Supported cipher suites:                            [Enabled by Default]
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA                 *
  SSL_DHE_DSS_WITH_DES_CBC_SHA
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 *
  SSL_DHE_RSA_WITH_DES_CBC_SHA
  SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
  SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  SSL_DH_anon_WITH_DES_CBC_SHA
  SSL_DH_anon_WITH_RC4_128_MD5
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_WITH_3DES_EDE_CBC_SHA                     *
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_RSA_WITH_NULL_MD5
  SSL_RSA_WITH_NULL_SHA
  SSL_RSA_WITH_RC4_128_MD5
  SSL_RSA_WITH_RC4_128_SHA
  TLS_AES_128_GCM_SHA256                            *
  TLS_AES_256_GCM_SHA384                            *
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA                  *
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256               *
  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256               *
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA                  *
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256               *
  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384               *
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  *
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               *
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               *
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  *
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               *
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               *
  TLS_DH_anon_WITH_AES_128_CBC_SHA
  TLS_DH_anon_WITH_AES_128_CBC_SHA256
  TLS_DH_anon_WITH_AES_128_GCM_SHA256
  TLS_DH_anon_WITH_AES_256_CBC_SHA
  TLS_DH_anon_WITH_AES_256_CBC_SHA256
  TLS_DH_anon_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA             *
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              *
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256           *
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           *
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              *
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384           *
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           *
  TLS_ECDHE_ECDSA_WITH_NULL_SHA
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               *
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                *
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             *
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             *
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                *
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             *
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             *
  TLS_ECDHE_RSA_WITH_NULL_SHA
  TLS_ECDHE_RSA_WITH_RC4_128_SHA
  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA              *
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA               *
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256            *
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256            *
  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA               *
  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384            *
  TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384            *
  TLS_ECDH_ECDSA_WITH_NULL_SHA
  TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA                *
  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA                 *
  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256              *
  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256              *
  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA                 *
  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384              *
  TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384              *
  TLS_ECDH_RSA_WITH_NULL_SHA
  TLS_ECDH_RSA_WITH_RC4_128_SHA
  TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  TLS_ECDH_anon_WITH_NULL_SHA
  TLS_ECDH_anon_WITH_RC4_128_SHA
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV                 *
  TLS_RSA_WITH_AES_128_CBC_SHA                      *
  TLS_RSA_WITH_AES_128_CBC_SHA256                   *
  TLS_RSA_WITH_AES_128_GCM_SHA256                   *
  TLS_RSA_WITH_AES_256_CBC_SHA                      *
  TLS_RSA_WITH_AES_256_CBC_SHA256                   *
  TLS_RSA_WITH_AES_256_GCM_SHA384                   *
  TLS_RSA_WITH_NULL_SHA256

[Trust All Server Certificates]

$ java -showversion -jar ssltest.jar -list-curves
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)
Provider: SunEC version 11
[brainpoolP160r1,1.3.36.3.3.2.8.1.1.1]
[brainpoolP192r1,1.3.36.3.3.2.8.1.1.3]
[brainpoolP224r1,1.3.36.3.3.2.8.1.1.5]
[brainpoolP256r1,1.3.36.3.3.2.8.1.1.7]
[brainpoolP320r1,1.3.36.3.3.2.8.1.1.9]
[brainpoolP384r1,1.3.36.3.3.2.8.1.1.11]
[brainpoolP512r1,1.3.36.3.3.2.8.1.1.13]
[secp112r1,1.3.132.0.6]
[secp112r2,1.3.132.0.7]
[secp128r1,1.3.132.0.28]
[secp128r2,1.3.132.0.29]
[secp160k1,1.3.132.0.9]
[secp160r1,1.3.132.0.8]
[secp160r2,1.3.132.0.30]
[secp192k1,1.3.132.0.31]
[secp192r1,NIST P-192,X9.62 prime192v1,1.2.840.10045.3.1.1]
[secp224k1,1.3.132.0.32]
[secp224r1,NIST P-224,1.3.132.0.33]
[secp256k1,1.3.132.0.10]
[secp256r1,NIST P-256,X9.62 prime256v1,1.2.840.10045.3.1.7]
[secp384r1,NIST P-384,1.3.132.0.34]
[secp521r1,NIST P-521,1.3.132.0.35]
[sect113r1,1.3.132.0.4]
[sect113r2,1.3.132.0.5]
[sect131r1,1.3.132.0.22]
[sect131r2,1.3.132.0.23]
[sect163k1,NIST K-163,1.3.132.0.1]
[sect163r1,1.3.132.0.2]
[sect163r2,NIST B-163,1.3.132.0.15]
[sect193r1,1.3.132.0.24]
[sect193r2,1.3.132.0.25]
[sect233k1,NIST K-233,1.3.132.0.26]
[sect233r1,NIST B-233,1.3.132.0.27]
[sect239k1,1.3.132.0.3]
[sect283k1,NIST K-283,1.3.132.0.16]
[sect283r1,NIST B-283,1.3.132.0.17]
[sect409k1,NIST K-409,1.3.132.0.36]
[sect409r1,NIST B-409,1.3.132.0.37]
[sect571k1,NIST K-571,1.3.132.0.38]
[sect571r1,NIST B-571,1.3.132.0.39]
[X9.62 c2tnb191v1,1.2.840.10045.3.0.5]
[X9.62 c2tnb191v2,1.2.840.10045.3.0.6]
[X9.62 c2tnb191v3,1.2.840.10045.3.0.7]
[X9.62 c2tnb239v1,1.2.840.10045.3.0.11]
[X9.62 c2tnb239v2,1.2.840.10045.3.0.12]
[X9.62 c2tnb239v3,1.2.840.10045.3.0.13]
[X9.62 c2tnb359v1,1.2.840.10045.3.0.18]
[X9.62 c2tnb431r1,1.2.840.10045.3.0.20]
[X9.62 prime192v2,1.2.840.10045.3.1.2]
[X9.62 prime192v3,1.2.840.10045.3.1.3]
[X9.62 prime239v1,1.2.840.10045.3.1.4]
[X9.62 prime239v2,1.2.840.10045.3.1.5]
[X9.62 prime239v3,1.2.840.10045.3.1.6]

$ keytool -list -v -keystore xta_client_keystore.p12
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: xta-client 1
Creation date: Nov 6, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=XTA-Client 1, OU=AS4XTA2 AP REF, O=ACME, L=Hamburg, ST=Hamburg, C=DE
Issuer: CN=XTA-Client 1, OU=AS4XTA2 AP REF, O=ACME, L=Hamburg, ST=Hamburg, C=DE
Serial number: 5d6e1d6d
Valid from: Tue Sep 03 09:59:41 CEST 2019 until: Mon Sep 03 09:59:41 CEST 2029
Certificate fingerprints:
     SHA1: AB:18:2A:82:FB:AA:77:DD:1F:6A:7C:08:1C:F9:21:9E:BE:9C:EE:C8
     SHA256: 32:35:DE:17:3A:55:DC:1A:1B:1D:8C:21:B4:7C:2F:7F:68:9B:DC:18:A2:C1:6A:FD:CF:E1:B6:7D:9C:21:39:01
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Data_Encipherment
  Key_Agreement
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 77 20 8D 1A 52 7A 99 08   A4 4D 56 D9 FD E0 D7 3A  w ..Rz...MV....:
0010: 0E 7F B8 9B                                        ....
]
]

*******************************************
*******************************************

Alias name: xta-client1
Creation date: Jun 8, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xta-client1
Issuer: CN=xta-client1
Serial number: 60bf7d02
Valid from: Tue Jun 08 16:21:54 CEST 2021 until: Wed Jun 08 16:21:54 CEST 2022
Certificate fingerprints:
     SHA1: 90:A4:C5:11:93:72:AB:A5:FE:B9:45:82:45:26:42:FB:A1:AA:8A:A6
     SHA256: 18:7F:64:3B:52:6C:9D:B6:E1:3C:18:6F:D7:B4:06:06:80:11:C0:E9:5F:68:88:8F:C6:E1:BA:7B:3A:2F:09:4A
Signature algorithm name: SHA512withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48 4B F0 EB AF 4C 24 27   BA 3B 4E 52 6E 87 1C AB  HK...L$'.;NRn...
0010: AC 7C 55 21                                        ..U!
]
]

*******************************************

ChristopherSchultz commented 3 years ago

I wonder what could be wrong.

This works for me:

$ keytool -genkeypair -keyalg EC -alias "ssltest" -keystore ssltest.p12 -validity 30 -groupname secp384r1 -storetype PKCS12 -dname 'CN=ssltest'
Enter keystore password:  
Re-enter new password: 
Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 30 days
    for: CN=ssltest

$ java -showversion -jar build/ssltest.jar -keystore ssltest.p12 -keystorepassword changeit -connectonly www.example.com:443
java version "11.0.10" 2021-01-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.10+8-LTS-162)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.10+8-LTS-162, mixed mode)
Host [www.example.com] resolves to addresses [93.184.216.34], [2606:2800:220:1:248:1893:25c8:1946]
Auto-detected client-supported protocols: [DTLSv1.0, DTLSv1.2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
Given this client's capabilities ([DTLSv1.0, DTLSv1.2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]), the server prefers protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384

Footur commented 3 years ago

Thank you for the test. Maybe the problem is on the server side. I have to figure that out.

ChristopherSchultz commented 2 years ago

Were you able to get any more information on this issue? I can't seem to reproduce it.

ChristopherSchultz commented 2 years ago

No reply for a year. Closing.
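
The trace in the original report fails in `KeyStore.getKey`, called from the `SunX509KeyManagerImpl` constructor, which reads every key entry in the store with the one password passed to `KeyManagerFactory.init`. The check below is an added example, not part of ssltest or of this thread: it tries each alias separately so that a failing entry can be identified; the class name `KeyEntryCheck` and its two arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Collections;

// Added diagnostic, not part of ssltest. The class name is hypothetical.
// Run with Java 11+: java KeyEntryCheck.java <keystore.p12> <password>
public class KeyEntryCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeyEntryCheck <keystore.p12> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            // load() uses the password for the store-level integrity check;
            // private keys are only decrypted later, per alias, in getKey().
            ks.load(in, password);
        }

        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries hold no private key
            }
            Certificate cert = ks.getCertificate(alias);
            String certAlg = (cert == null) ? "none" : cert.getPublicKey().getAlgorithm();
            try {
                // Same call the key manager makes for every key entry.
                Key key = ks.getKey(alias, password);
                System.out.printf("OK    alias=%s key=%s cert=%s%n",
                        alias, key.getAlgorithm(), certAlg);
            } catch (UnrecoverableKeyException e) {
                failures++;
                System.out.printf("FAIL  alias=%s cert=%s : %s%n",
                        alias, certAlg, e.getMessage());
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

The exit status is 1 if any key entry cannot be recovered with the given password.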