
Java Forum / Security / April 2008


Using PKCS#7 as a provider for keytool

Efi Merdler - 16 Apr 2008 16:51 GMT
Hi,
I am not able to use pkcs#7 as a provider for keytool. I want to read
a certificate chain encoded in PKCS#7 format using keytool.

When running the following command
keytool -import -provider pkcs7 -keystore my_cert.jks -file cert.p7 -noprompt -storepass my_cert -v
I receive keytool error: java.lang.ClassNotFoundException: pkcs7
even when qualifying the full path I still receive the same error.

Where can I find the keytool's built in supported providers ?

Thanks,
Efi
Speedo - 17 Apr 2008 00:50 GMT
pkcs#7 is not a keyStore provider. If you want to read certificate
chain in a pkcs#7 file, use "keytool -importcert -file filename".

To find out all KeyStore providers, write a small program. See
   http://exampledepot.com/egs/java.security/ListServices.html
Call getCryptoImpls("KeyStore") to find out what's available. For a
Sun JDK out of box, there should be at least pkcs12, jks, jceks. You
also get the pkcs11 one on Solaris and MSCAPI ones on Windows.

- Speedo

> Hi,
> I am not able to use pkcs#7 as a provider for keytool. I want to read
[quoted text clipped - 10 lines]
> Thanks,
> Efi
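
Added example (not part of any post in this thread, and not the code at the linked page): a small program of the kind Speedo describes, listing the KeyStore types each installed provider registers. The class name ListKeyStoreTypes and the helper implsOf are assumptions; the second loop goes one step further and prints the CertPath encodings of the X.509 CertificateFactory, which is where PKCS#7 belongs.

```java
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;

// Added example: hypothetical class and helper names.
public class ListKeyStoreTypes {
    /** Collects "algorithm (provider)" for every installed service of the given type. */
    static Set<String> implsOf(String serviceType) {
        Set<String> names = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (s.getType().equalsIgnoreCase(serviceType)) {
                    names.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // These are the values that make sense as a keystore type for keytool
        System.out.println("KeyStore types:");
        for (String n : implsOf("KeyStore")) {
            System.out.println("  " + n);
        }

        // PKCS#7 is an encoding of a certificate path, not a keystore type,
        // so it is reported by the CertificateFactory instead
        System.out.println("CertPath encodings of the X.509 CertificateFactory:");
        Iterator<String> enc = CertificateFactory.getInstance("X.509").getCertPathEncodings();
        while (enc.hasNext()) {
            System.out.println("  " + enc.next());
        }
    }
}
```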
Efi Merdler - 17 Apr 2008 10:49 GMT
> pkcs#7 is not a keyStore provider. If you want to read certificate
> chain in a pkcs#7 file, use "keytool -importcert -file filename".
[quoted text clipped - 23 lines]
> > Thanks,
> >Efi

Thanks.
It still does not work.
When using keytool -printcert -file cert.p7 it prints everything fine
however when trying to import I receive Input not an X.509
certificate.

I tried to follow thawte tutorial on the subject :
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO7108

still no help there.

Any ideas ?

Efi
Speedo - 17 Apr 2008 15:40 GMT
Are you importing the pkcs#7 file (as a reply from a CA) into an
existing private key entry? Or, are you simply trying to create a new
trusted certificate entry?

If I remember correctly, it should succeed in the first case but the
second case demands a *single* X.509 certificate in the file.

If you really want to create a trusted certificate entry, you can
first -printcert it using the -rfc option, choose the BASE64 format
certificate you need and copy/paste it into a file, and -importcert
it.

- Speedo

> > pkcs#7 is not a keyStore provider. If you want to read certificate
> > chain in a pkcs#7 file, use "keytool -importcert -file filename".
[quoted text clipped - 36 lines]
>
> Efi
howdyraju2@gmail.com - 17 Apr 2008 17:49 GMT
As mentioned before, since pkcs#7 is not a keystore provider; hence
the JDK keytool command will not be able to parse a pkcs#7 file.
However, you can easily extract the certificate chain
programmatically. See the method below:

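// Requires: import java.io.InputStream; import java.security.cert.*;
// ENCODING was not defined in the original post; "PKCS7" is the standard
// CertPath encoding name for a PKCS#7 certificate chain.
private static final String ENCODING = "PKCS7";

private X509Certificate[] getCertificateChain(InputStream in) throws CertificateException {
    CertificateFactory certFac = CertificateFactory.getInstance("X.509");
    // Decode the PKCS#7 data into a certification path
    CertPath certPath = certFac.generateCertPath(in, ENCODING);
    // A zero-length array lets toArray size the result, so an empty path
    // yields an empty array rather than an array holding one null
    return certPath.getCertificates().toArray(new X509Certificate[0]);
}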

> > pkcs#7 is not a keyStore provider. If you want to read certificate
> > chain in a pkcs#7 file, use "keytool -importcert -file filename".
[quoted text clipped - 36 lines]
>
> Efi
Roedy Green - 21 Apr 2008 04:04 GMT
On Wed, 16 Apr 2008 08:51:43 -0700 (PDT), Efi Merdler
<fooshm@gmail.com> wrote, quoted or indirectly quoted someone who said

>Where can I find the keytool's built in supported providers ?

see http://mindprod.com/jgloss/keytoolexe.html


Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Efi Merdler - 22 Apr 2008 11:33 GMT
On 21 April, 06:04, Roedy Green <see_webs...@mindprod.com.invalid>
wrote:
> On Wed, 16 Apr 2008 08:51:43 -0700 (PDT), Efi Merdler
> <foo...@gmail.com> wrote, quoted or indirectly quoted someone who said
[quoted text clipped - 6 lines]
> Roedy Green Canadian Mind Products
> The Java Glossary http://mindprod.com

Thank you all for your help.
Speedo is right, I created a Perl script that reads each time an
individual certificate from a chain and adds it to the keystore.

Efi
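
Added example (not part of any post in this thread, and not Efi's Perl script): the same per-certificate import done in Java, reading every certificate from the PKCS#7 file and storing each as its own trusted-certificate entry in a JKS keystore. The class name ImportP7Chain, the argument order and the alias scheme prefix-0, prefix-1, ... are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example. Assumed arguments: <chain.p7> <keystore.jks> <storepass> <alias-prefix>
public class ImportP7Chain {
    static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ImportP7Chain <chain.p7> <keystore.jks> <storepass> <alias-prefix>");
            System.exit(2);
        }
        File ksFile = new File(args[1]);
        char[] pass = args[2].toCharArray();

        // Open the existing JKS keystore, or start an empty one if the file is absent
        KeyStore ks = KeyStore.getInstance("JKS");
        if (ksFile.exists()) {
            try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, pass); }
        } else {
            ks.load(null, pass);
        }

        // For X.509, generateCertificates accepts a PKCS#7 chain and returns every certificate in it
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                String alias = args[3] + "-" + n++;
                if (ks.containsAlias(alias)) throw new IllegalStateException("alias in use: " + alias);
                // One trusted-certificate entry per certificate, matching the per-certificate import in the thread
                ks.setCertificateEntry(alias, x);
                System.out.println(alias + "  " + x.getSubjectX500Principal() + "  SHA-256=" + sha256Hex(x.getEncoded()));
            }
        }
        if (n == 0) throw new IllegalStateException("no certificates found in " + args[0]);
        try (OutputStream out = new FileOutputStream(ksFile)) { ks.store(out, pass); }
    }
}
```

Every entry written this way becomes a trust anchor for anything that uses the keystore as a truststore, so compare the printed SHA-256 fingerprints with the ones the CA publishes before relying on it.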

