I found this in the NetBeans IDE:
I was pretty excited because up until this point I've been code signing my JavaFX projects like this:
<fx:signjar keystore = "${comodo.key.store}"
            alias = "${comodo.key.alias}"
            storetype = "PKCS12"
            keypass = "${comodo.key.pass}"
            storepass = "${comodo.key.storepass}"
            jar = "${JFX.build.dir}/${JFXProject.name}.jar"
            destdir = "${JFX.sign.dir}"/>
Which is fine. I mean, it works great and all, and there's nothing wrong with it, but I would really love to be able to use the NetBeans API code signer interface directly rather than drop the XML into the build file. I filled in the information in the way that seemed correct, by taking the values I had in place in the XML and putting them into the interface, but it didn't work and I got an error:
Going to create default keystore in "/*Not saying but it was the file name*/"
Generating Key for 3d637e48-f0d8-11e3-825a-20cf305e6ed4
keytool error: java.io.IOException: Invalid keystore format
This shouldn't even need to happen, should it? I mean, I've been using this certificate directly in the Ant script for a while with no problem, so why is it happening now?
A bit more information: this is a Comodo certificate (if that helps).
What am I doing wrong here?
Related
I am looking for ways to remove all aliases and certificates, and have a fresh start.
I tried searching for the keystore file but I am not able to find it.
I have no idea about the result of deleting 'cacerts' file in my java home.
Currently I am getting this exception:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
I am using Java 8.
I will appreciate your help. Thanks!
We have an application that is creating a KeyStore programmatically. We create the KeyStore in the following manner (sample code, suppressing Exception handling for brevity):
import java.io.FileOutputStream;
import java.security.KeyStore;
KeyStore ks = KeyStore.getInstance( "JKS" );
ks.load( null, null );  // null stream: start from an empty keystore
// ... Add crypto material here
ks.store( new FileOutputStream( "keystore.ks" ), "password".toCharArray() );  // store() takes a char[] password
Method store(OutputStream stream, char[] password) throws the following exception:
java.lang.NullPointerException
at sun.security.provider.JavaKeyStore.engineStore(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineStore(Unknown Source)
at java.security.KeyStore.store(Unknown Source)
The keystore.ks file is created in the file system. But when we try to inspect it with keytool we get:
keytool -list -keystore nms.keystore
keytool error: java.io.EOFException
Funny thing is, the same code works perfectly on every other machine that we have tested it on. In the actual code, none of the arguments passed to the store method are null; we have triple-checked that.
Some details about the misbehaved machine:
CentOS 5.8 32 bits
Sun's JRE 1.6.0_43
The best explanation so far for what was happening is that something in the certificates that were being saved to the Keystore was triggering a NPE inside the method sun.security.provider.JavaKeyStore.engineStore().
The certificates that are being generated are saved in the keystore with their full trust chain. For example, the entry for a certificate A would be of the form:
Cert A alias : Cert A -> Intermediate CA Trust -> Root CA Trust
The error went away after the whole trust chain was re-created. This is consistent with our previous observations because the chain of trust was the only thing different between the systems that were working and the systems that were not.
I've looked at the source of class sun.security.provider.JavaKeyStore at both Grep Code and Java Source Code but I'm unable to tell what could be causing the NPE in that code.
In the end we have a solution but we don't actually know the root cause.
I have a problem with signing my jar files with jarsigner. I used this tutorial to sign my jar files, but at the last step (signing the jar), I got this error:
jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore format
I didn't use step #10; instead I used step #5 from this site, since I'm using a real certificate, not a fake one ...
Note:
I have my certificate in .spc & .pvk format...
But, since I'm using jarsigner, I have to convert them to .p12 format. So, I convert them first to .pfx using pvkimprt.exe, then to .p12. I used the method specified in the link that I mentioned before.
Also, I tried to create a fake certificate to make sure that the problem is not from the pvkimprt.exe tool or from the certificate. It gave me the same error.
The certificate is just fine. So, where is the problem coming from?
The error you are facing indicates that jarsigner does not understand the format of the keystore containing the key.
If you converted your key & certificate into a PKCS#12 file, you have to specify the type of used keystore to jarsigner with the -storetype PKCS12 command line option and the P12 password with -storepass mystorepassword.
(Actually, most of the time .pfx and .p12 are used for the same file format, therefore I am not sure that the Firefox import/export step in the tutorial is mandated.)
Not really an answer, just a comment - I found that the upper case was crucial - "pkcs12" didn't work but "PKCS12" did, using Jcs's answer.
This is what I did and that worked:
<ant:signjar alias="le-f0b73c88-1f82-4497-8c3f-e10d399b4c9c" storetype="pkcs12"
storepass="fount-current"
keystore="/vobs/oam_base/loadbuild_tools/common/src/conf/kunal.pfx">
Store pass should be in lower case. This is the working order of arguments; sometimes the wrong order will throw the runtime padding exception.
[signjar] jarsigner error: java.lang.RuntimeException: keystore load:
We have signed a JAR file using a certificate generated by MS Active Directory Certificate Services. However, when accessing it via Java Web Start we are getting the prompt that the digital signature cannot be verified even though we've installed the root CA into the certificate store on the client machine.
Now trying to look at the root CA on the client machine, using "keytool -list", I'm seeing an exception (invalid URI:file://\my_msadcs_server\path\to\CRL.crl). So now I'm not sure exactly what is going wrong.
Anyone have a suggestion or sample Java code on how I can test the downloaded JAR file's signature on the client machine in an attempt to figure out exactly why JWS is complaining? It could be that the root CA certificate has a problem (and I will chase down that avenue when my AD admin gets in) but I'd like to rule out other possibilities first. Currently the only thing I have to go on is the exception from "keytool -list", but keytool had no issues importing the root CA certificate in the first place.
Thanks in advance!
mG.
I use jarsigner with the -verify, -verbose and -certs options. You may have to specify your -keystore, too.
I think the invalid URI message is a clue. Java file URI takes the following form: file://host/path
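The same integrity check that jarsigner -verify performs can be run from Java with the standard java.util.jar API. This is an added example, not code from any of the posts; the class name, method names and the constructed unsigned sample JAR (used when no path is given) are assumptions for illustration.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

public class JarSignatureCheck {
    /**
     * Reads every entry so the JarFile verifier checks its digest, collects the
     * signer certificates, and returns the names of entries that are not signed.
     * A tampered entry makes the read throw SecurityException.
     */
    static List<String> findUnsigned(JarFile jar, Set<String> signers) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        for (JarEntry entry : Collections.list(jar.entries())) {
            // Skip directories and META-INF, where the manifest and signature files live.
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* drain: signers are known only after EOF */ }
            }
            CodeSigner[] codeSigners = entry.getCodeSigners();
            if (codeSigners == null) { unsigned.add(entry.getName()); continue; }
            for (CodeSigner cs : codeSigners) {
                X509Certificate leaf = (X509Certificate) cs.getSignerCertPath().getCertificates().get(0);
                signers.add(leaf.getSubjectX500Principal() + " | issuer: "
                        + leaf.getIssuerX500Principal() + " | expires: " + leaf.getNotAfter());
            }
        }
        return unsigned;
    }

    static File sampleJar() throws IOException {   // constructed, unsigned sample input
        File f = File.createTempFile("sample", ".jar");
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(f))) {
            out.putNextEntry(new JarEntry("app/Main.class"));
            out.write(new byte[] {1, 2, 3});
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : sampleJar().getPath();
        Set<String> signers = new TreeSet<>();
        try (JarFile jar = new JarFile(path, true)) {   // true = verify signatures while reading
            System.out.println("Unsigned entries: " + findUnsigned(jar, signers));
            signers.forEach(s -> System.out.println("Signer: " + s));
        }
    }
}
```

It checks digests and lists the signer certificates only; it does not build a chain to a trusted root or consult CRLs.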
Does anyone know how to solve this java error?
java.io.IOException: Invalid keystore format
I get it when I try and access the certificate store from the Java option in control panels. It's stopping me from loading applets that require elevated privileges.
I was able to reproduce the error by mangling the trusted.certs file at directory
C:\Documents and Settings\CDay\Application Data\Sun\Java\Deployment\security.
Deleting the file fixed the problem.
Do not include special characters in organization name and unit
Seems to be a missing certificate or an invalid format.
Did you already generate a certificate with keytool?
For me it meant that my key file I was trying to import was invalid (it was actually a 404 page, not a valid key).
For you guys who can't find the 'Documents and Settings' (whatever reason there may be) here is another path where the trusted.certs can be found:
C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\security
Hope this helps!
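Several of the posts above come down to a file that is not in the format the tool expects: a PKCS12 file read without -storetype PKCS12, a file left behind by a failed store, or a 404 page saved as a key. As an added example, not taken from any of the posts, this Java class classifies a file by its leading bytes; the class and method names and the sample headers in main are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;

public class KeystoreSniffer {
    /** Guess the container type from the first bytes of the file. */
    static String classify(byte[] head) {
        if (head.length < 4) return "empty or truncated file";
        int magic = ((head[0] & 0xff) << 24) | ((head[1] & 0xff) << 16)
                  | ((head[2] & 0xff) << 8) | (head[3] & 0xff);
        if (magic == 0xFEEDFEED) return "JKS: use -storetype JKS";
        if (magic == 0xCECECECE) return "JCEKS: use -storetype JCEKS";
        String text = new String(head, StandardCharsets.US_ASCII).trim();
        if (text.startsWith("-----BEGIN")) return "PEM text: not a keystore";
        if (text.startsWith("<")) return "HTML/XML text: probably an error page saved as the key";
        // PKCS#12 (.p12/.pfx) is a DER-encoded ASN.1 SEQUENCE, so it starts with tag 0x30.
        if (head[0] == 0x30) return "DER SEQUENCE: likely PKCS12, use -storetype PKCS12";
        return "unknown format";
    }

    static byte[] readHead(String path) throws IOException {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            byte[] buf = new byte[16];
            int n = Math.max(in.read(buf), 0);   // read() returns -1 on an empty file
            return Arrays.copyOf(buf, n);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) {
            System.out.println(args[0] + ": " + classify(readHead(args[0])));
            return;
        }
        // Constructed sample headers, used when no file is given.
        byte[][] samples = {
            {(byte) 0xFE, (byte) 0xED, (byte) 0xFE, (byte) 0xED, 0, 0, 0, 2},   // JKS magic + version
            {0x30, (byte) 0x82, 0x0A, 0x1C, 0x02, 0x01, 0x03},                  // PFX SEQUENCE, version 3
            "<!DOCTYPE html><html>404".getBytes(StandardCharsets.US_ASCII),     // saved error page
            {}                                                                  // zero-byte file
        };
        for (byte[] s : samples) System.out.println(classify(s));
    }
}
```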