What causes keytool error "Failed to decrypt safe contents entry"?
I am trying to convert a standard PKCS #12 (.p12) key store into a Java JKS key store with this command:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

It is failing with:

keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

Do you have any idea how to solve this problem?

Dihedron answered 26/4, 2012 at 17:38 Comment(1)
It looks like your PKCS#12 keystore is corrupt. Can you verify it with openssl pkcs12 ...? – Myrtia
The pkcs12 keystore was corrupt indeed.

Dihedron answered 27/4, 2012 at 10:3 Comment(0)
Sometimes this error is symptomatic of using an incorrect password for the p12 key.

Alexanderalexandr answered 4/12, 2013 at 18:45 Comment(3)
The pkcs12 keystore type doesn't differentiate between keypass and storepass. So in my case I just had to use the storepass (and not the keypass) when retrieving the key... – Dome
I used the wrong password because WebSphere is using a different default password than most Java trust stores. – Polygynist
That's what it was for me. Jesus, took me a while to get this to work. – Korte
I've never attempted to do this before, but I did find instructions on google here.

This thread asks a similar question.

EDIT (Based on comment)

Here is the full content of the linked reference:

PFX/P12 to JKS (Java KeyStore)

Question: How do I move a certificate from IIS / PFX (.p12 file) to a JKS (Java KeyStore)?

Answer: keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME

Note: To find the srcalias, list the contents of the PFX/P12 file:

keytool -v -list -storetype pkcs12 -keystore PFX_P12_FILE > FILENAME.TXT

This writes the output of the command to a file named FILENAME.TXT.

Specialism answered 26/4, 2012 at 18:5 Comment(0)
I had the same problem. I entered the password manually and the problem got resolved.

Cohbath answered 12/6, 2021 at 0:24 Comment(0)
I had a similar issue when I was trying to export certs as PFX from a JKS. It worked when I excluded the deststorepass attribute from the keytool command and gave the destination store password at runtime.

keytool -importkeystore -srckeystore Keystore.jks -destkeystore dv163.pfx -srcstoretype JKS -deststoretype PKCS12 -srcalias alias1 -destalias alias1

Enter destination keystore password:

Re-enter new password:

Enter source keystore password:

Straus answered 24/4, 2018 at 14:33 Comment(0)
I had the same issue today (BadPaddingException). It seems keytool had a problem with certain characters in the password. I solved it by adding double quotes around the password.

keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass "PFX_P12_FILE" -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass "PASSWORD" -destalias ALIAS_NAME

Fussell answered 21/10, 2015 at 9:54 Comment(0)
I did this command (opposite to yours) to export a private key to PKCS12 from a JKS:

keytool -importkeystore -srckeystore DemoIdentity.jks -srcstoretype JKS -destkeystore demoidentity.p12 -deststoretype PKCS12

If I left off the seemingly redundant "-srcstoretype JKS", the generated demoidentity.p12 file gave me the same error when I tried to list the details in keytool even though the above command accepted the passwords and generated a file seemingly correctly!

For your issue, perhaps you did something similar when generating keystore.p12.

Dizen answered 2/1, 2014 at 0:47 Comment(1)
I think you're on to something. Probably keytool assumes the original key is something else. – Milksop
My issue was somewhat unique. When I tested locally in my dev environment, it seemed to work fine. However, when I deployed to our live environments, it was giving the root error javax.crypto.BadPaddingException:

After some debugging it turned out to be due to the JDK I was using in my Docker image. It seems to me some JDKs (e.g., some 1.8 packages) aren't compatible. With some tests I found a JDK (11.0.21) that worked with it. If you've attempted all the options and nothing has worked, then try this option and check if it's the JDK.

Uneven answered 20/11, 2023 at 12:5 Comment(0)
From my side, I forgot to check the language when typing the password :)

Babushka answered 1/12, 2020 at 15:50 Comment(0)
Simply type the correct password on the Build Signed APK wizard form. (It worked for me on Android Studio 4.2 Canary 15++.)

As I came to find out, when you change the app in said wizard, despite the password remaining, somehow it does not sign correctly, so you need to clear the password and type it again.

Narrow answered 6/7, 2021 at 12:36 Comment(0)
Almost lost my mind over it. If you generate the password, make sure it's in ASCII and does not include characters other than letters, numbers and symbols. UTF-8 special characters might break it.

Rocketeer answered 21/2 at 16:23 Comment(2)
ANSI? Do you mean ASCII? – Myrtia
Fixed it. Thank you for pointing it out. – Rocketeer
In my case, it was because the password contained some special characters at the start or at the end (it's correct but not supported). Just make sure you use normal words with numbers if it didn't work for your upload key.

Cause: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Suilmann answered 19/3 at 0:3 Comment(0)
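As an added illustration (my own code, not from any answer in this thread) of why a wrong password, a non-ASCII character, or the same password read under a different terminal charset all end in the same BadPaddingException: the PKCS#12 password-based encryption of RFC 7292 derives the cipher key from the password encoded as UTF-16BE with a trailing NUL, so any difference in that string gives a different key, and decrypting the safe contents with it yields random bytes whose padding check fails. Function names, the sample salt and the iteration count are my assumptions.

```python
"""Why a wrong or mis-encoded PKCS#12 password surfaces as BadPaddingException."""
import hashlib
import math

# Parameters of the legacy SHA-1 PBE that old keytool/OpenSSL use for the
# PKCS#12 safe contents: u = 20-byte digest, v = 64-byte block (RFC 7292 App. B).
U, V = 20, 64
ID_KEY, ID_IV, ID_MAC = 1, 2, 3


def pkcs12_password_bytes(password: str) -> bytes:
    """RFC 7292 B.1: the password is a BMPString (UTF-16BE) plus a 16-bit NUL."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _expand(data: bytes) -> bytes:
    """Repeat data out to a whole number of V-byte blocks (empty stays empty)."""
    if not data:
        return b""
    target = V * math.ceil(len(data) / V)
    return (data * (target // len(data) + 1))[:target]


def pkcs12_kdf(password: bytes, salt: bytes, key_id: int, iterations: int, n: int) -> bytes:
    """RFC 7292 B.2 key derivation with SHA-1; returns n bytes of key material."""
    d = bytes([key_id]) * V                      # D: diversifier, one byte repeated
    i_block = _expand(salt) + _expand(password)  # I = S || P
    out = b""
    for _ in range(math.ceil(n / U)):
        a = d + i_block
        for _ in range(iterations):              # A_i = H^r(D || I)
            a = hashlib.sha1(a).digest()
        out += a
        # B = A_i repeated to V bytes; I_j = (I_j + B + 1) mod 2^(8V) for every block
        b = int.from_bytes(_expand(a), "big")
        i_block = b"".join(
            ((int.from_bytes(i_block[j:j + V], "big") + b + 1) % (1 << (8 * V))).to_bytes(V, "big")
            for j in range(0, len(i_block), V))
    return out[:n]


def rc2_40_key_iv(password: str, salt: bytes, iterations: int = 2048) -> tuple:
    """Key (5 bytes) and IV (8 bytes) for pbeWithSHA1And40BitRC2-CBC, the cipher
    legacy keytool/OpenSSL apply to the certificate safe contents."""
    p = pkcs12_password_bytes(password)
    return (pkcs12_kdf(p, salt, ID_KEY, iterations, 5),
            pkcs12_kdf(p, salt, ID_IV, iterations, 8))


def mojibake(password: str) -> str:
    """The string keytool sees when UTF-8 argv bytes are decoded as Latin-1."""
    return password.encode("utf-8").decode("latin-1")
```

Feeding the key derived from mojibake("pässword") to the RC2-CBC decryptor produces garbage whose last block almost never ends in valid PKCS#7 padding, which is exactly the "Given final block not properly padded" message above.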
I've seen this exact error with OpenJDK 1.8.0_332-b09, and it was solved with 1.8.0_342-b07 and higher. I saw the error both with keytool on the command line and in the Java code trying to open a Jetty SSL socket. It was not a corrupt cert or a bad password, because just upgrading Java solved it.

Belsky answered 16/4 at 20:2 Comment(0)
In our case, the issue was trying to process a p12 file generated using OpenSSL version 3.x with JDK 11.0.1. The issue does not happen:

  • using a JDK 11.11.x or above
  • using OpenSSL version 1.1.x (our choice, because JDK could not be changed)
Exegete answered 9/5 at 16:53 Comment(0)
In my case in Android Studio I was actually using a wrong key alias. It was "key1" while I was putting "key0". Silly mistake on my part.

Upheld answered 23/6 at 16:0 Comment(0)
