Cannot use a pfx file with no password in a KeyManagerFactory

I have a pfx file that contains a private key and a corresponding self-signed certificate. The pfx file itself is not protected by a password. I can't use this pfx file to initialize a KeyManagerFactory to establish an SSL connection.

Here's some code that shows what I'm trying to do:

InputStream ksStream = ResourceReader.getResourceAsStream("<pfx-file-location-on-file-system>");
char[] password = null; // given that the pfx file has no password on it
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(ksStream, password);

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
kmf.init(keyStore, password);

This operation fails with this exception:

java.security.UnrecoverableKeyException: Get Key failed: / by zero
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:270)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at jsse.common.JsseSample.createKeyManagerFactory(JsseSample.java:294)
at jsse.common.JsseSample.createKeyManagerFactory(JsseSample.java:306)
at jsse.server.Simple.runSample(Simple.java:81)
at jsse.server.Simple.main(Simple.java:57)
Caused by: java.lang.ArithmeticException: / by zero
at com.sun.crypto.provider.PKCS12PBECipherCore.a(DashoA13*..)
at com.sun.crypto.provider.PKCS12PBECipherCore.a(DashoA13*..)
at com.sun.crypto.provider.PKCS12PBECipherCore.a(DashoA13*..)
at com.sun.crypto.provider.PKCS12PBECipherCore.a(DashoA13*..)
at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineInit(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:251)
... 8 more

This code works fine if I set a password for the pfx file, and then use this password to load the keystore and then use it in the KeyManagerFactory.

My question is: why can I not use a pfx file that doesn't have a password on it?

Thank you
R.

Published by: 907570 on January 12, 2012 01:01

Published by: 907570 on January 12, 2012 01:18

The actual code used to extract the private key from the file is in the sun.security.pkcs12.PKCS12KeyStore.engineGetKey() method, and the private key decryption code fragment in the OpenJDK version is:

            SecretKey skey = getPBEKey(password);
            Cipher cipher = Cipher.getInstance(algOid.toString());
            cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
            byte[] privateKeyInfo = cipher.doFinal(encryptedKey);

            PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(privateKeyInfo);

So there is no conditional around the decryption; it always tries to generate a PBE key, even if no key is provided, and then decrypts with it. Of course, it could be that a password-less pfx file actually has a default password; there must be an RFC (PKCS12 perhaps) that covers it, but I bet it really means that no encryption is done. Assuming that the PVE code in JDK1.7 differs little from this, and that having no password really means that there is no password, then there will be no way in which we can use the Sun provider to access the private key.

Like you, I found that BouncyCastle can handle this situation, but if you really cannot work with BouncyCastle then the only alternative I can think of (that does not require writing a ton of code) is to use OpenSSL to change the pfx to one with a default password. If all the machines that use your code have OpenSSL installed, it could be done from within your Java code using ProcessBuilder. Not very attractive, I know, but given that the PVE cannot handle password-less pfx files you have to use a not very attractive solution.

Published by: sabre150 on January 13, 2012 12:28

Creating a new pfx file with a different password seems to take two OpenSSL commands:

openssl pkcs12 -in cert.pfx -out fred
followed by
openssl pkcs12 -export -in fred -out fred.pfx
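
The ProcessBuilder workaround suggested above, as an added example that is not part of the original posts: it runs the two OpenSSL commands from Java and loads the re-exported pfx into a KeyManagerFactory. Assumptions: `openssl` is on the PATH, and the class name, the `NEW_PFX_PASS` environment variable and the temp-file prefixes are hypothetical; the new password is passed through OpenSSL's `env:` source so it stays out of the process argument list.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;

public class RewrapPfx {  // hypothetical class name

    // Hypothetical variable name; OpenSSL reads the password from it ("env:" source),
    // so the password never appears in the process argument list.
    private static final String PASS_VAR = "NEW_PFX_PASS";

    static void openssl(char[] newPassword, String... args) throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>();
        cmd.add("openssl");
        cmd.addAll(Arrays.asList(args));
        ProcessBuilder pb = new ProcessBuilder(cmd).inheritIO();
        pb.environment().put(PASS_VAR, new String(newPassword));
        int rc = pb.start().waitFor();
        if (rc != 0) {
            throw new IOException("openssl exited with status " + rc);
        }
    }

    static KeyManagerFactory loadPasswordless(Path pfx, char[] newPassword) throws Exception {
        // Temp files are created owner-only on POSIX; both hold private-key material.
        Path pem = Files.createTempFile("rewrap", ".pem");
        Path out = Files.createTempFile("rewrap", ".pfx");
        try {
            // Step 1: unpack the pfx (empty import password); the key written to the
            // intermediate PEM is encrypted under the new password, not left in clear.
            openssl(newPassword, "pkcs12", "-in", pfx.toString(), "-passin", "pass:",
                    "-out", pem.toString(), "-passout", "env:" + PASS_VAR);
            // Step 2: re-export as a pfx protected by the new password.
            openssl(newPassword, "pkcs12", "-export", "-in", pem.toString(),
                    "-passin", "env:" + PASS_VAR,
                    "-out", out.toString(), "-passout", "env:" + PASS_VAR);

            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(out)) {
                ks.load(in, newPassword);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, newPassword);   // same password protects store and key
            return kmf;
        } finally {
            // Remove both copies of the key material once the keystore is in memory.
            Files.deleteIfExists(pem);
            Files.deleteIfExists(out);
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java RewrapPfx <passwordless.pfx>  (needs an interactive console)
        char[] pw = System.console().readPassword("New pfx password: ");
        KeyManagerFactory kmf = loadPasswordless(Paths.get(args[0]), pw);
        System.out.println("Key managers initialised: " + kmf.getKeyManagers().length);
    }
}
```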
