Trouble instantiating a JavaKeyStore from file

java security cryptography keystore jks
Waltzy picture Waltzy · Apr 26, 2013 · Viewed 20.7k times · Source

I'm trying to get an instance of org.apache.ws.security.components.crypto.Merlin using org.apache.ws.security.components.crypto.CryptoFactory specifically the CryptoFactory.getInstance(properties) method.

This will consistantly throw

java.lang.RuntimeException: org.apache.ws.security.components.crypto.Merlin cannot create instance

which evantually is caused by

java.security.UnrecoverableKeyException: Password verification failed

The password on the keystore file has been checked with the keytool on the command line and is correct.

the keystore is generated via the following process:

CMD Window detailing keytool -genkey -keystore testkeystore.jks

Which is in the root directory of the eclipse porject.

The test applciation is as follows:

public class App {
    public static void main(String[] args) throws CredentialException,
            IOException {
        System.out.println("Starting");
        Properties p = new Properties();
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password",
                "password");
        p.setProperty("org.apache.ws.security.crypto.provider",
                "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type",
                "jks");
        p.setProperty("org.apache.ws.security.crypto.merlin.file", "./testkeystore.jks");

        Crypto crypto = CryptoFactory.getInstance(p);
        System.out.println(" Complete ");

    }
}

and the following exception is generated:

Exception in thread "main" java.lang.RuntimeException: org.apache.ws.security.components.crypto.Merlin cannot create instance
    at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:225)
    at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:180)
    at org.apache.ws.security.components.crypto.CryptoFactory.getInstance(CryptoFactory.java:73)
    at com.restart.test.cryptotest2.App.main(App.java:22)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:211)
    ... 3 more
Caused by: org.apache.ws.security.components.crypto.CredentialException: Failed to load credentials.
    at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:174)
    at org.apache.ws.security.components.crypto.AbstractCrypto.<init>(AbstractCrypto.java:135)
    at org.apache.ws.security.components.crypto.Merlin.<init>(Merlin.java:71)
    ... 8 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1214)
    at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:168)
    ... 10 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
    ... 13 more

The password as indicated in the cmd window is set to "password" , but by all accounts the application is rejecting it, I can change the password using keytool -storepasswd with no issues, So i know the the password I am providing is correct; can anyone suggest what may be going wrong here? I've been trying to debug this unsuccessfully for full a day now.

If there is any additional information I can provide please let me know.

edit --

the folloing maven dependency is required to build this test:

   <dependency> 
      <groupId>org.apache.ws.security</groupId> 
      <artifactId>wss4j</artifactId> 
      <version>1.5.8</version> 
      <scope>provided</scope>
    </dependency>

Answer

Waltzy picture Waltzy · May 2, 2013

After reading the comments from User I built it against a different version of the JDK/JRE and it worked, after downloading the sources for rt.java and stepping through I found that the CryptoBase class was instantiating two JavaKeyStores, the first (being my .jks file) which instantiated fine, but the second was the cacerts keystore in jre\lib\security> which did not have the default password of changeit which was causing the failure;

I have now changed the password on the jre keystore and I'm working fine in my original jre/jdk.

Related questions

Encrypt Password in Configuration Files?

I have a program that reads server information from a configuration file and would like to encrypt the password in that configuration that can be read by my program and decrypted. Requirments: Encrypt plaintext password to be stored in the …

Read More
Why java.security.NoSuchProviderException No such provider: BC?

The jar (bcprov-jdk16-145.jar) has been added to the project, Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()) has been added to the class, and BouncyCastleProvider.PROVIDER_NAME does return "BC" but AesFileIo.writeFile() still throws java.security.NoSuchProviderException …

Read More
Difference between java.util.Random and java.security.SecureRandom

My team got handed over some server side code (in Java) that generates random tokens and I have a question regarding the same - The purpose of these tokens is fairly sensitive - used for session id, password reset links …

Read More