In the course of using Client certificates for authentication, I decided to use not-yet-commons-ssl-0.3.11.jar. That has resulted in another issue – the simple act of invoking the constructor on EasySSLProtocolSocketFactory or StrictSSLProtocolSocketFactory will produce an exception.
The code, as isolated in a simple cmd line app:
public class CertTest {
public static void main(String[] args) {
System.setProperty("javax.net.debug", "ssl,handshake"); // SSL DEBUG INFO
String keystore = "/usr/java/jdk1.6.0_11/jre/lib/security/cacerts";
String keystorePassword = "changeit";
System.setProperty("javax.net.ssl.keyStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
// System.setProperty("javax.net.ssl.trustStore", keystore);
// System.setProperty("javax.net.ssl.trustStorePassword", keystorePassword);
try {
org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory factory =
new org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory();
}
catch (Exception e) {
System.out.println (e);
}
}
}
To isolate issues with older libs, I put the above code in a directory with these jars (these are the ONLY jars in the classpath):
- httpclient-4.0.1.jar
- not-yet-commons-ssl-0.3.11.jar
- commons-httpclient-3.1.jar
- httpcore-4.0.1.jar
So, with some client certificates in the cacerts keystore, I get:
org.apache.commons.ssl.ProbablyBadPasswordException: Probably bad JKS-Key password: java.security.UnrecoverableKeyException: Password must not be null
If I use keytool to delete all the client certificates that I have loaded, then the exception changes to
**Caused by: java.security.KeyStoreException: No private keys found in keystore!**
at org.apache.commons.ssl.KeyStoreBuilder.validate(KeyStoreBuilder.java:269)
at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:129)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:179)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:170)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:160)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:64)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:114)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:89)
at org.apache.commons.ssl.SSL.(SSL.java:142)
at org.apache.commons.ssl.SSLClient.(SSLClient.java:59)
at org.apache.commons.ssl.HttpSecureProtocol.(HttpSecureProtocol.java:55)
at org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory.(EasySSLProtocolSocketFactory.java:94)
Snippets in the output:
keyStore is : /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA – G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA – G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4fwhole bunch of default trusted certs snipped here…
trigger seeding of SecureRandom
done seeding SecureRandom
@@@@@@@@@@ EXCEPTION
java.security.KeyStoreException: No private keys found in keystore!
Any ideas?
java.security.KeyStoreException: No private keys found in keystore!
This exception specifically complains that there are no private keys in the keystore you are trying to load.
In the case of cacerts which is Java’s default truststore this is true!
But with the code you have posted (meaning you have not posted any code really) or the fact that you don’t say anything about the keystore you are trying to load it is not possible to help you on this.