Reading PKCS8 in PEM format: Cannot find provider
Trying to read a PKCS8 private key in PEM format with the following:
    private static PrivateKey loadPrivateKey()
            throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
        FileReader fileReader = new FileReader(certsRoot + "/pep-client-key.pem");
        PEMParser keyReader = new PEMParser(fileReader);
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
        InputDecryptorProvider decryptionProv = new JceOpenSSLPKCS8DecryptorProviderBuilder().build("mypassword".toCharArray());
        Object keyPair = keyReader.readObject();
        PrivateKeyInfo keyInfo;
        if (keyPair instanceof PKCS8EncryptedPrivateKeyInfo) {
            keyInfo = ((PKCS8EncryptedPrivateKeyInfo) keyPair).decryptPrivateKeyInfo(decryptionProv); // Exception thrown from here
            keyReader.close();
            return converter.getPrivateKey(keyInfo);
        }
        return null;
    }

generates this error:

    org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: 1.2.840.113549.1.5.13 not available: Cannot find any provider supporting 1.2.840.113549.3.7
        at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)

I've checked with OpenSSL that the file can be processed as PKCS8 PEM, with the password provided.
Any idea? I don't mind if there is a solution not involving BouncyCastle's libraries.
java bouncycastle
asked Oct 16 '17 at 9:44
lilezek
1 Answer
1.2.840.113549.3.7 is the OID for DES-EDE3-CBC-Pad (in PBES2) in PKCS5 = rfc2898 sec B.2.2. (1.2.840.113549.1.5.13 is the 'outer' OID for all PBES2 variants.)
The Sun-now-Oracle (default) providers do support the DES-EDE3 algorithm (aka TripleDES or TDEA keying option 1) with CBC and PKCS5/7 padding but do not have this OID mapping for it. The BouncyCastle provider does have the mapping, so if you use the BC provider for this operation it should work. This can be done
* for all JVMs by configuring security.provider.<i> in JRE/lib/security/java.security (update: in j9+ JRE/conf/security/java.security) or
* for a JVM by java.lang.security.Provider.addProvider (new BouncyCastleProvider()) or
* for this operation by adding .setProvider() with the name of or object for the BC provider to your JceOpenSSLPKCS8DecryptorProviderBuilder invocation
Note BC for TripleDES seems to require the 'unlimited strength policy' on Oracle Java below j8u151; see "cannot open PKCS12 store because of password" and "InvalidKeyException Illegal key size" and many other dupes.
I am facing the same problem. I am setting it as you said, but in my case it only happens when running from outside of the IntelliJ IDE. My environment has several restrictions on setting those configurations for all JVMs. Any help?
– Herbert Pimentel
Jan 17 at 23:00
@HerbertPimentel: you don't say which method you tried, but if it's in the code (my 2nd or 3rd bullet) it should work as long as the BCprov jar is available, which depends on where you put the jar and how you set the classpath. And of course as long as you're running the correct class files; complicated IDEs can sometimes be running something other than what you think.
– dave_thompson_085
Jan 19 at 6:07
edited Jan 19 at 6:11
answered Oct 16 '17 at 12:13
dave_thompson_085
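The per-operation option from the answer's third bullet, as an added example that is not code from the question or the answer: the BC provider object is passed to the decryptor builder and the key converter, so nothing is registered JVM-wide. It assumes a recent bcprov and bcpkix on the classpath (one where `setPassword` exists on the encryptor builder); the class name `Pkcs8PemLoader`, the helper `encryptToPem` and the password are constructed here so the round trip runs without an external key file.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.interfaces.RSAPrivateKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.PKCS8Generator;
import org.bouncycastle.openssl.jcajce.*;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;

public class Pkcs8PemLoader {
    // One provider instance handed to each BC builder; not installed in the JVM provider list.
    private static final Provider BC = new BouncyCastleProvider();

    // Decrypts an "ENCRYPTED PRIVATE KEY" PEM block; fails loudly on any other PEM type.
    static PrivateKey loadPrivateKey(String pem, char[] password) throws Exception {
        try (PEMParser parser = new PEMParser(new StringReader(pem))) {
            Object obj = parser.readObject();
            if (!(obj instanceof PKCS8EncryptedPrivateKeyInfo)) {
                throw new IllegalArgumentException("expected an ENCRYPTED PRIVATE KEY block");
            }
            InputDecryptorProvider decryptor = new JceOpenSSLPKCS8DecryptorProviderBuilder()
                    .setProvider(BC) // BC resolves OID 1.2.840.113549.3.7 itself
                    .build(password);
            return new JcaPEMKeyConverter().setProvider(BC)
                    .getPrivateKey(((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(decryptor));
        }
    }

    // Builds the constructed sample input: PBES2 with DES-EDE3-CBC, the scheme named in the error.
    static String encryptToPem(PrivateKey key, char[] password) throws Exception {
        OutputEncryptor encryptor = new JceOpenSSLPKCS8EncryptorBuilder(PKCS8Generator.DES3_CBC)
                .setProvider(BC)
                .setPassword(password)
                .build();
        StringWriter out = new StringWriter();
        try (JcaPEMWriter writer = new JcaPEMWriter(out)) {
            writer.writeObject(new JcaPKCS8Generator(key, encryptor));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-sample-password".toCharArray();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAPrivateKey original = (RSAPrivateKey) kpg.generateKeyPair().getPrivate();
        String pem = encryptToPem(original, password);
        RSAPrivateKey loaded = (RSAPrivateKey) loadPrivateKey(pem, password);
        if (!loaded.getPrivateExponent().equals(original.getPrivateExponent())) {
            throw new IllegalStateException("round-trip mismatch");
        }
        System.out.println("decrypted " + loaded.getAlgorithm() + " key via " + BC.getName());
    }
}
```

For JVM-wide registration in code instead, the JDK call is `java.security.Security.addProvider(new BouncyCastleProvider())`. Dropping `.setProvider(BC)` from the decryptor builder leaves provider lookup to the JVM's installed providers, which is the situation the question's stack trace shows.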