"Wrong version of key store" error. How can I create a version=1 keystore certificate?
Asked Answered
S

4

8

I am having trouble using SSL, as I am getting the following error related to my keystore (self-created and self-signed using keytool per: http://developer.android.com/tools/publishing/app-signing.html):

08-14 20:55:23.044: W/System.err(5430): java.io.IOException: Wrong version of key store. 08-14 20:55:23.060: W/System.err(5430): at org.bouncycastle.jce.provider.JDKKeyStore.engineLoad(JDKKeyStore.java:812) ...

The error thrown in the JDKKeyStore.java class arises in the following code:

Blockquote From JDKKeyStore.java:
if (version != STORE_VERSION) { if (version != 0) { throw new IOException("Wrong version of key store."); } }

Blockquote

In this case STORE_VERSION = 1, and my version=3 based on reading the details of the certificate held by the keystore I have created. I do not know how to generate a keystore containing a version=1 certificate.

I found this answer helpful: wrong version keystore when doing https call

however it calls for creating the keystore using the following parameters:

-storetype BKS
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath /path/to/bouncycastle.jar

However, when I try to create the keytool (using the terminal app on Mac) using these parameters:

keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize 2048 -validity 10000 -keypass android -keystore /Users/djames/dropbox/bc146keystore/debug.keystore -storepass android -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/

(where /Users/djames/dropbox/bc146keystore/ is the path to the bouncy castle jar: bcprov-jdk16-146.jar)

I get the following error:

keytool error: java.lang.RuntimeException: Usage error, ?providerpath is not a legal command java.lang.RuntimeException: Usage error, ?providerpath is not a legal command at sun.security.tools.KeyTool.parseArgs(KeyTool.java:375) at sun.security.tools.KeyTool.run(KeyTool.java:171) at sun.security.tools.KeyTool.main(KeyTool.java:166)

I do not understand what this is telling me. If I use: keytool -help it tells me that the following are valid options for the -genkeypair option:

-genkeypair [-v] [-protected] [-alias ] [-keyalg ] [-keysize ] [-sigalg ] [-dname ] [-validity ] [-keypass ] [-keystore ] [-storepass ] [-storetype ] [-providername ] [-providerclass [-providerarg ]] ... [-providerpath ]

But in the Oracle docs java version 6 that I am using (http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)
it tells me that these are the options:

-genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}

which does not include the -providerpath option. Why the discordance? (If I do not use the -providerpath option, then I get an unknown class exception at the option: "-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider"...)

When I google: keytool -providerpath
I get nothing helpful to resolve this.

I am not sure how to solve my keystore version problem without solving my keytool problem. Any suggestions appreciated.

Jim

(Mac OSX 10.6.8 if relevant)
Syconium answered 15/8, 2012 at 3:46 Comment(1)
Possible duplicate of Wrong version of keystore on android callIsabel
S
5

I was able to get past this problem with the version of keystore. see: keytool error when creating BKS keystore: providerpath is not a legal command

Syconium answered 27/8, 2012 at 2:18 Comment(0)
C
14

My problem was using a version of bouncy castle that was too new. I had to use 146 - any later and it gave me this error.

Civilly answered 17/4, 2013 at 3:7 Comment(3)
Same here, version 148 gives me the same error, thanks a lot!Karelian
This works, but I'm puzzled as to why Eclipse bundles a version (148) that doesn't work...Profanity
Using an old version of bouncycastle sucks. You could also simply chose the BKS-V1 format instead of BKS as explained in https://mcmap.net/q/422048/-wrong-version-of-keystore-on-android-callIsabel
S
5

I was able to get past this problem with the version of keystore. see: keytool error when creating BKS keystore: providerpath is not a legal command

Syconium answered 27/8, 2012 at 2:18 Comment(0)
G
1

The version mismatch is for the key store version, not the certificate version (which should have the value 2 for a v3 X.509 certificate).

What version of the JDK did you use keytool from? Did you specify a full path to the command, or use what was in your PATH? Are you sure that you are using JKS key stores, and not JCEKS stores?

Getz answered 15/8, 2012 at 3:53 Comment(5)
1) not sure exactly how to tell the version of keytool I am using. I am using Java SE runtime enviroment = 1.6.0_33, and presumably the corresponding JDK that goes with it (since I did not perform any separate installation that I know of). Based on my $PATH the keytool I am using comes out of the following subdirectory: System/Library/JavaVM.framework/Versions/A. I don't know why it doesn't come out of the: .../JavaVM.framework /Versions/1.6.0 subdirectory…Syconium
2) I did not specify a path but rather used the default. As stated above, the default path would find keytool in: System>Library/JavaVM.framework/Versions/A. When I do specify a path and run "System>Library/JavaVM.framework/Versions/1.6.0/keytool -help" it shows me the same display as my default keytool, i.e. -genkeypair includes the option for -providerpath.Syconium
3) Keystore type: first I was playing around with the default debug.keystore that is created for android when you use Eclipse for your IDE. When I encountered issues, I created my own keystore using keytool as previously described. I did not specify any storetype when I did that so I would presumably get the default type. Is there a way to display this?Syconium
I was able to verify that I am creating JKS key stores with my keytool (using the keytool -list command).Syconium
This seems to be a correct answer to one of my questions. I think I asked to many questions at once, since I still can't create an appropriate keystore...Syconium
Y
0

In order to complete Ryan answer as I had to dig in to find out how to generate a BKS with Bouncy Castle 1.46, you can use Portecle to generate the BKS.

  1. Download Boucycastle Provider 1.46
  2. Install or unzip it.
  3. Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
  4. Restart Portecle and generate your BKS truststore.

This explained here.


Edit:

Since Portecle 1.8, you can use BKS-V1 type to generate your truststore without to replace bcprov.jar.

You can select it after clicking on New keystore or change the type via the menu Tools -> Change KeyStore Type.

Yacketyyak answered 9/12, 2015 at 10:38 Comment(1)
Since Portecle v1.8 you can simply select BKS-V1 in the "New KeyStore" dialog or convert between BKS and BKS-V1 via "Tools -> Change KeyStore Type". No need to replace jars.Bloodshot

© 2022 - 2024 — McMap. All rights reserved.