[EXTERNAL] Keytool issue with version 3.0.2.

Mark Hack markhack at markhack.com
Thu May 19 16:21:08 UTC 2022


I may have a mixed Java environment. I will recheck on a clean VM when
I get a few minutes.
Regards
Mark Hack
On Thu, 2022-05-19 at 16:46 +0200, Djordje Gavrilovic wrote:
>     Hm, not working here. 
> 
>       openjdk version "1.8.0_312" 
> 
>       OpenJDK Runtime Environment (build
>       1.8.0_312-8u312-b07-0ubuntu1-b07) 
> 
>       OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode) 
> 
>       
> 
>       Am I correct, the only thing you changed was leaving out the
>       -srcstoretype PKCS12 part? Also, you did not use -legacy option
> on
>       a previous command?
> 
>     
>     On 19.5.22. 16:18, Mark Hack wrote:
> 
>     
>     
> >       
> >       
> > 
> >       
> >       I installed java 8 and it seems to work there on the latest
> >         versions as well
> >       
> > 
> >       
> >        java -version
> >       openjdk version "1.8.0_312"
> >       OpenJDK Runtime Environment (build
> >         1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
> >       OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
> >       
> > 
> >       
> >       
> > 
> >       
> >       On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:
> >       
> > >         Thank you both for your answers! So much! Both of them
> > > very
> > >           helpful. We are stuck with openjdk8 right now...but it
> > > is good
> > >           to know that later versions will work as expected.
> > > 
> > >           Thank you guys
> > > 
> > >         
> > >         On 19.5.22. 15:41, Mark Hack wrote:
> > > 
> > >         
> > >         
> > > >           
> > > >           Works for me and since the later versions of java
> > > > accept
> > > >             both JKS and PKCS12 you do not have to specify the
> > > > input
> > > >             store type.
> > > >           
> > > > 
> > > >           
> > > >           
> > > > 
> > > >           
> > > >            java --version
> > > >           openjdk 11.0.15 2022-04-19
> > > >           OpenJDK Runtime Environment (build
> > > >             11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
> > > >           OpenJDK 64-Bit Server VM (build
> > > >             11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode,
> > > > sharing)
> > > >           
> > > > 
> > > >           
> > > >           
> > > > 
> > > >           
> > > >           keytool -importkeystore -srckeystore
> > > >               bmstore.pkcs12.pem   -srcstorepass changeit
> > > > -destkeystore
> > > >               bmstore.pkcs8.x509.jks  -deststorepass changeit
> > > >           Importing keystore bmstore.pkcs12.pem to
> > > >             bmstore.pkcs8.x509.jks...
> > > >           Entry for alias 1 successfully imported.
> > > >           Import command completed:  1 entries successfully
> > > >             imported, 0 entries failed or cancelled
> > > >           
> > > > 
> > > >           
> > > >           Warning:
> > > >           <1> uses the SHA1withRSA signature algorithm which
> > > >             is considered a security risk. This algorithm will
> > > > be
> > > >             disabled in a future update.
> > > >           
> > > > 
> > > >           
> > > >           
> > > > 
> > > >           
> > > >           Mark Hack
> > > >           
> > > > 
> > > >           
> > > >           
> > > > 
> > > >           
> > > >           On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via
> > > >             openssl-users wrote:
> > > >           
> > > > >             
> > > > >               Bonjour,
> > > > >               
> > > > > 
> > > > >               
> > > > >               OpenSSL 3 changed the default ciphers used to
> > > > > protect the
> > > > >               private keys and certificates when creating a
> > > > > PKCS#12, to
> > > > >               use something less aging.
> > > > >               
> > > > > 
> > > > >               
> > > > >               Try adding a "-legacy" when creating the
> > > > > PKCS#12 file
> > > > >                 with OpenSSL3 and see if keytool can read it.
> > > > >               
> > > > > 
> > > > >               
> > > > >             
> > > > >             
> > > > > 
> > > > >             
> > > > >               On Thu, May 19, 2022 at
> > > > >                 11:53 AM Djordje Gavrilovic <
> > > > > gavrilovicmdj at gmail.com>
> > > > >                 wrote:
> > > > > 
> > > > >               
> > > > >               
> > > > > > Hi guys,
> > > > > > 
> > > > > >                 I have a following issue with migrating
> > > > > > from version
> > > > > >                 1.1.1f to 3.0.2:
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 I generate bmstore.pkcs12.pem file with the
> > > > > > following
> > > > > >                 commands:
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 ```
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 openssl req -newkey rsa:2048 -sha1 -keyout
> > > > > >                 bmstore.pkcs8.pem -nodes 
> > > > > > 
> > > > > >                 -x509 -days 999 -out bmstore.x509.crt
> > > > > > -subj 
> > > > > > 
> > > > > >                 "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
> > > > > > 
> > > > > >                 openssl pkcs12 -export -in bmstore.x509.crt
> > > > > > -inkey
> > > > > >                 bmstore.pkcs8.pem 
> > > > > > 
> > > > > >                 -out bmstore.pkcs12.pem -passin
> > > > > > pass:changeit -passout
> > > > > >                 pass:changeit
> > > > > > 
> > > > > >                 ```
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 This file is genearted with different
> > > > > > openssl versions
> > > > > >                 differently. Both 
> > > > > > 
> > > > > >                 versions of the file are attached.
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 Based on that file I generate:
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 ```
> > > > > > 
> > > > > >                 keytool -importkeystore -srckeystore
> > > > > > bmstore.pkcs12.pem
> > > > > >                 -srcstoretype 
> > > > > > 
> > > > > >                 PKCS12 -srcstorepass changeit -destkeystore
> > > > > >                 bmstore.pkcs8.x509.jks 
> > > > > > 
> > > > > >                 -deststorepass changeit
> > > > > > 
> > > > > >                 ```
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 But keytool works only with the
> > > > > > bmstore.pkcs12.pem
> > > > > >                 generated with old 
> > > > > > 
> > > > > >                 version of openssl and creates
> > > > > > bmstore.pkcs8.x509.jks
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 The current version of openssl generates
> > > > > >                 bmstore.pkcs12.pem in another 
> > > > > > 
> > > > > >                 format and keytool throws an exception:
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 ```
> > > > > > 
> > > > > >                 Importing keystore bmstore.pkcs12.pem to
> > > > > >                 bmstore.pkcs8.x509.jks...
> > > > > > 
> > > > > >                 keytool error: java.io.IOException:
> > > > > > keystore password
> > > > > >                 was incorrect
> > > > > > 
> > > > > >                 
> > > > > > 
> > > > > >                 ```
> > > > > > 
> > > > > >               
> > > > > 
> > > > >             
> > > > >             
> > > > > 
> > > > >             
> > > > > 
> > > > >             
> > > > >           
> > > > 
> > > >         
> > > 
> > >       
> > 
> >     
> 
>   
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220519/19d86e09/attachment-0001.htm>


More information about the openssl-users mailing list