kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Keystore Explorer claims that JKS or PKCS12 are corrupted or password is invalid #435

Closed aleknasz closed 1 year ago

aleknasz commented 1 year ago

Describe the bug

Create a key store or PKCS12 with a mix of openssl and keytool on a platform using JDK11. Then run KeyStore Explorer with JRE1.8 and try to open the keystore.

To Reproduce

Steps to reproduce the behavior:

  1. Get some docker image with JDK11
  2. Generate keystore with keytool -genkey -storepass changeit -keypass changeit -dname "CN=SOMETHING" -alias key -keystore truststore.jks -J-Duser.language=en -keyalg DSA
  3. Open truststore.jks with Keystore Explorer
  4. Provide password when prompted
  5. You will see: Could not open the .... Possible reasons include: password is not correct / file is corrupt (ed - should be)

Expected behavior

When you list the truststore.jks with keytool itself via the -list option you will be able to see the actual content (of course you will be prompted for the password during that process):

keytool -list -keystore truststore.jks 
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

key, Apr 26, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): B6:49:05:55:1D:1E:36:72:2D:D6:89:F5:64:7D:DB:2E:A5:A8:87:61:2A:C9:DA:7D:D3:AC:03:E0:CF:C4:6D:BB

From my experience there might also be a too weak encryption policy involved (Java by default has some limit on how long PKI keys can be - https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.3.0/nifi-security/content/java-cryptography-extension-jce-limited-strength-jurisdiction-policies.html or something like this)

Environment

aleknasz commented 1 year ago

I have managed to generate a keystore that it is possible to open with KeyStore Explorer. For that I had to use:

keytool -genkey -storepass changeit -keypass changeit -dname "CN=SOMETHING" -alias key -keystore truststore.jks -J-Duser.language=en -keyalg DSA -keysize 1024

Of course such key size is not recommended anymore as it can be compromised easily.

aleknasz commented 1 year ago

I was able to fix that on Mac by editing /Applications/KeyStore Explorer.app/Contents/Info.plist and adding

<string>-Dcrypto.policy=unlimited</string>

to the <key>JVMOptions</key> option.

jpstotz commented 1 year ago

@aleknasz -Dcrypto.policy=unlimited should only be necessary for very old Java 8 versions, as since Java 8 Update 161 (released 2018) the unlimited crypto policy is always active.

aleknasz commented 1 year ago

OK. But the problem exists on Windows anyway.

aleknasz commented 1 year ago

I was able to fix that by explicitly providing -storetype jks like:

keytool -genkey -storepass changeit -keypass changeit -dname "CN=SOMETHING" -alias key -keystore truststore.jks -J-Duser.language=en -keyalg DSA -storetype jks

kaikramer commented 1 year ago

The problem is your Java runtime, not KSE.

You have the following options:

For security reasons I strongly recommend the first option. Having a five year old Java runtime on your system that contains lots of security issues is rather concerning.