I just found out that if I introduce another key in the keystore with some
password, I get the following:
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at com.ibm.crypto.provider.s.recover(s.java:90)
at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
at java.security.KeyStore.getKey(KeyStore.java:803)
at com.ibm.jsse2.uc.<init>(uc.java:113)
at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)
If I delete the new entry from the keystore, my test works fine, so the
moment I have another protected key in the keystore, I get
UnrecoverableKeyException.
Do I need to set up something in order to avoid it?
Thanks,
Giriraj.
On Thu, Jul 17, 2014 at 5:24 PM, Giriraj Bhojak <[email protected]> wrote:
> I did try that. I must have goofed up with the passwords. But it's working
> now.
> But I need to understand something. The entry looks something like this:
>
> <sec:keyManagers keyPassword="keyPassword">
>   <sec:keyStore file=".keystore" password="keyStorepassword" type="jks" />
> </sec:keyManagers>
>
> If there are more than one keys in the keystore with the same password,
> which entry is the correct entry as per CXF?
> How does it identify the correct one if we do not specify an alias?
> Perhaps I am missing something very elementary.
>
> Thanks,
> Giriraj.
>
>
>
> On Tue, Jul 15, 2014 at 11:58 AM, Andrei Shakirin <[email protected]>
> wrote:
>
>> Hi,
>>
>> "Unrecoverable key" usually means that your keystore password is
>> incorrect.
>> Have you tried to access keystore/truststore using JDK keytool?
>>
>> Regards,
>> Andrei.
>>
>> > -----Original Message-----
>> > From: Giriraj Bhojak [mailto:[email protected]]
>> > Sent: Dienstag, 15. Juli 2014 00:05
>> > To: [email protected]
>> > Subject: Re: Supplying passwords for key manager and trust manager to
>> > http:conduit
>> >
>> > Thank you Andrei.
>> > I ended up using Spring EL to supply the password.
>> > But I have noticed that if the keystore and key passwords are
>> different, I get
>> > "Unrecoverable key" exception.
>> > Is this some sort of bug with Merlin or am I missing something?
>> >
>> > Thanks,
>> > Giriraj.
>> >
>> >
>> > On Sat, Jul 12, 2014 at 11:15 AM, Andrei Shakirin <[email protected]> wrote:
>> >
>> > > Hi,
>> > >
>> > > In spring configuration you can only specify password directly:
>> > > <httpj:engine-factory id="port-9001-tls-config">
>> > >   <httpj:engine port="9001">
>> > >     <httpj:tlsServerParameters>
>> > >       <sec:keyManagers keyPassword="password">
>> > >         <sec:keyStore type="JKS" password="password"
>> > >           file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
>> > >       </sec:keyManagers>
>> > >       <sec:trustManagers>
>> > >         <sec:keyStore type="JKS" password="password"
>> > >           file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
>> > >       </sec:trustManagers>
>> > >     </httpj:tlsServerParameters>
>> > >   </httpj:engine>
>> > > </httpj:engine-factory>
>> > >
>> > > But you can get password from the callback or other store using
>> > > programmatic initialization of tlsClientParameters:
>> > > TLSClientParameters tlsClientParameters = new TLSClientParameters();
>> > > ...
>> > > String alg = KeyManagerFactory.getDefaultAlgorithm();
>> > > char[] keyPass = keyPassword != null
>> > >     ? keyPassword.toCharArray()
>> > >     : null;
>> > > KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
>> > > fac.init(keyStore, keyPass);
>> > > tlsClientParameters.setKeyManagers(fac.getKeyManagers());
>> > > HTTPConduit http = (HTTPConduit) client.getConduit();
>> > > http.setTlsClientParameters(tlsClientParameters);
>> > > ...
>> > >
>> > > Regards,
>> > > Andrei.
>> > >
>> > >
>> > > > -----Original Message-----
>> > > > From: Giriraj Bhojak [mailto:[email protected]]
>> > > > Sent: Freitag, 11. Juli 2014 22:16
>> > > > To: [email protected]
>> > > > Subject: Supplying passwords for key manager and trust manager to
>> > > > http:conduit
>> > > >
>> > > > Hello all,
>> > > >
>> > > > I am using http-conduit for SSL support in CXF 2.7.11.
>> > > > Is there a way I can specify a password callback for
>> > > > <sec:keyManagers> and <sec:trustManagers>?
>> > > >
>> > > > Thanks,
>> > > > Giriraj.
>> > >
>>
>
>
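The stack trace at the top of the thread shows why a second key entry breaks the test: KeyManagerFactory.init() (here IBM JSSE2; the JDK's default SunX509 key manager behaves the same way) walks every key entry in the keystore and calls KeyStore.getKey(alias, keyPassword) on each one with the single password it was given, so one entry protected by a different password is enough to fail the whole init. When no alias is configured, the default key manager later presents the first entry whose key type and issuer match what the peer asks for. The following is an added example, not CXF code and not from anyone in the thread: it reports which aliases the configured key password cannot open, and shows the usual workaround when the other entries must keep their own passwords, which is to copy just the wanted private-key entry into a fresh in-memory keystore before handing it to the factory. The class name, argument layout and the alias argument are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;

/*
 * Added diagnostic, not part of CXF. The key manager opens every key entry
 * with the one key password during KeyManagerFactory.init(), so any alias
 * returned by unrecoverableAliases() makes init() throw
 * UnrecoverableKeyException. singleEntryStore() isolates one alias so the
 * factory never sees the other entries.
 */
public class KeyStoreEntryCheck {

    // Key entries (not trusted-certificate entries) that keyPass cannot open.
    public static List<String> unrecoverableAliases(KeyStore ks, char[] keyPass) throws Exception {
        List<String> bad = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;                        // trusted certs carry no key password
            }
            try {
                ks.getKey(alias, keyPass);
            } catch (UnrecoverableKeyException e) {
                bad.add(alias);
            }
        }
        return bad;
    }

    // Copy one private-key entry into an empty in-memory keystore of the same type.
    public static KeyStore singleEntryStore(KeyStore src, String alias, char[] keyPass) throws Exception {
        Key key = src.getKey(alias, keyPass);   // throws if keyPass is wrong for this alias
        Certificate[] chain = src.getCertificateChain(alias);
        if (key == null || chain == null) {
            throw new IllegalArgumentException("no private-key entry for alias " + alias);
        }
        KeyStore out = KeyStore.getInstance(src.getType());
        out.load(null, null);                    // empty store, nothing read from disk
        out.setKeyEntry(alias, key, keyPass, chain);
        return out;
    }

    // Usage (assumed layout): java KeyStoreEntryCheck <file> <type> <storePassword> <keyPassword> [alias]
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KeyStoreEntryCheck <file> <type> <storePassword> <keyPassword> [alias]");
            System.exit(2);
        }
        char[] storePass = args[2].toCharArray();
        char[] keyPass = args[3].toCharArray();

        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);              // a wrong *store* password fails here, not in init()
        }

        List<String> bad = unrecoverableAliases(ks, keyPass);
        System.out.println("key entries the key password cannot open: " + bad);

        // Without an alias the factory sees the whole store and fails if 'bad' is non-empty;
        // with an alias it only sees that one entry.
        KeyStore forTls = args.length > 4 ? singleEntryStore(ks, args[4], keyPass) : ks;
        KeyManagerFactory fac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        fac.init(forTls, keyPass);
        System.out.println("KeyManagerFactory initialised with "
                + fac.getKeyManagers().length + " key manager(s)");
    }
}
```

Running it against the keystore from the thread with the key password from the `sec:keyManagers` element lists the offending alias directly instead of leaving only "Cannot recover key" to go on; the isolated keystore built by singleEntryStore() is what you would pass to fac.init() in the programmatic TLSClientParameters setup Andrei showed. CXF's certAlias setting on TLSClientParameters/TLSServerParameters chooses which alias is presented to the peer, but it is applied after the factory has been initialised, so it does not avoid the failure on its own.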