NoSuchAlgorithmException: This key store instance do only support RSA and DSA keys.
fstarnaud
Visitor

Joined: Aug 26, 2015
Messages: 3
Offline

Hello,

I'm looking into JCAPI as a solution to avoid having to export certs from MS stores and import them into JKS stores. I would like to get the certs directly from the MS stores from Java.

I managed in the past to get the certs I needed directly from the MS stores using SunMSCAPI, but these were certs created from a typical AD CS web server template using typical crypto.

However, I now need, as per my client's requirements, to get certs generated using modern crypto, specifically ECDH with SHA383. To test, I generated a cert via AD CS for my machine, moved it to my user store, exported it to a .pfx file and created a .jks file by importing this .pfx file.

I then created two test methods (see attached .zip file, a NetBeans project, containing the .pfx, .jks and Certificates.java files):

Method Certificates.Standard() uses standard JDK mechanisms to load keys from the .jks file. With this code, I manage to get a secured HTTPS connection using Chrome (which also confirms the connection uses "modern crypto").

Method Certificates.JCAPI() tries to do the same, but using JCAPI to get the cert directly from the MS store instead of the .jks file. Unfortunately, I get the following exception (BTW, note the grammatical error in the message):

Code:
 java.security.NoSuchAlgorithmException: This key store instance do only support RSA and DSA keys.
 	at com.pheox.jcapi.f.n(Unknown Source)
 	at com.pheox.jcapi.JCAPIKeyStore.engineGetKey(Unknown Source)
 	at java.security.KeyStore.getKey(KeyStore.java:1023)
 	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
 	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
 	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
 	at ca.logisphere.Certificates.JCAPI(Certificates.java:79)
 	at ca.logisphere.Certificates.main(Certificates.java:14)
 


Am I doing something wrong? Is what I'm trying to do possible with JCAPI?

Thanks,

François

Attachment: Certificates.zip (NetBeans project, 59 kb)

tommy
Pheox Support

Joined: May 30, 2005
Messages: 148
Offline

Hi François,

Sorry for the late reply. Many things in the pipe right now.
I'll take a look at it asap.
Thanks for attaching code to reproduce the problem.

Regards,
Tommy
tommy
Pheox Support

Joined: May 30, 2005
Messages: 148
Offline

Hi again François,

I did read your post too quickly.
The reason why it doesn't work is quite obvious. JCAPI v2 only supports DSA and RSA asymmetric keys and their respective crypto engines through MS CAPI. Support for ECDH is part of the coming JCAPI v3 which is to be released next year.

I am afraid that you have to choose another JCE provider meanwhile.

Regards,
Tommy
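
Added example, not part of the thread and not JCAPI or project code: a pre-flight check that uses only standard `java.security.KeyStore` calls to list each private-key entry with its certificate's key algorithm, so entries outside RSA/DSA can be spotted before `KeyManagerFactory.init` walks the store and calls `getKey` (the path shown in the stack trace above). The class name, the argument order and the `Windows-MY` default (the SunMSCAPI user store) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

public class KeyAlgorithmPreflight {

    /** Maps each private-key alias to the public-key algorithm of its certificate. */
    static Map<String, String> keyAlgorithms(KeyStore ks) throws Exception {
        Map<String, String> result = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries hold no private key
            }
            Certificate cert = ks.getCertificate(alias);
            // Read the algorithm from the certificate so the private key is never touched.
            result.put(alias, cert == null ? "unknown" : cert.getPublicKey().getAlgorithm());
        }
        return result;
    }

    /** True for the two algorithms the reply above says JCAPI v2 handles. */
    static boolean rsaOrDsa(String algorithm) {
        return "RSA".equals(algorithm) || "DSA".equals(algorithm);
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: [type] [file] [password]; the password argument is for test stores only.
        String type = args.length > 0 ? args[0] : "Windows-MY";
        KeyStore ks = KeyStore.getInstance(type);
        if (args.length > 2) {
            try (InputStream in = new FileInputStream(args[1])) {
                ks.load(in, args[2].toCharArray());
            }
        } else {
            ks.load(null, null); // Windows stores take no stream or password
        }
        for (Map.Entry<String, String> e : keyAlgorithms(ks).entrySet()) {
            String verdict = rsaOrDsa(e.getValue()) ? "ok" : "not RSA/DSA";
            System.out.printf("%-40s %-8s %s%n", e.getKey(), e.getValue(), verdict);
        }
    }
}
```

An EC certificate is reported with the algorithm name `EC`; running the check against the exported test store takes the store type, file and password as the three arguments.
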
fstarnaud
Visitor

Joined: Aug 26, 2015
Messages: 3
Offline

Hey Tommy,

Thanks for your reply, and sorry also for my late answer (I never got / never saw an email to alert me of a new message in this thread).

Great! When do you plan to have a first of JCAPI v3.0 out? Which quarter of 2016 are you targeting for release?

In the meantime, I would very much like to try another JCE provider alternative to SunMSCAPI that supports modern crypto, but I know of no other. Do you?

BTW, I posted this in Stack Overflow:

http://stackoverflow.com/questions/32239859/is-it-possible-to-load-next-generation-certificates-from-the-microsoft-keystore

François
fstarnaud
Visitor

Joined: Aug 26, 2015
Messages: 3
Offline

Hello Tommy,

Any news on when JCAPI v3.0 will be released?

Cheers,

Francois
 