
UnrecoverableKeyException: DER Input, Integer tag error


Michael J. Hudson

Dec 18, 2002, 12:40:06 AM
I'm just doing your basic generate public/private keys, and then trying to
put one into the keystore and get it back, but it keeps throwing
UnrecoverableKeyException... and I have no idea why.

The code is as follows:

import java.security.*;

// Generate a 1024-bit RSA key pair
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024, new SecureRandom());
KeyPair kp = kpg.generateKeyPair();
PrivateKey privKey = kp.getPrivate();
PublicKey pubKey = kp.getPublic();
byte[] privBytes = privKey.getEncoded();
byte[] pubBytes = pubKey.getEncoded();
// Create an empty JKS keystore
KeyStore ks = KeyStore.getInstance("JKS", "SUN");
ks.load(null, null);
// Store the public key as a key entry, with no certificate chain
ks.setKeyEntry("test", pubKey, "password".toCharArray(), null);
// Read the entry back; this is the call that throws UnrecoverableKeyException
Key newKey = ks.getKey("test", "password".toCharArray());

and when I run this, I get the following error:

java.security.UnrecoverableKeyException: DER input, Integer tag error
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
    at java.security.KeyStore.getKey(KeyStore.java:289)

What does "DER input, Integer tag error" mean???
I tried this on two machines here... same thing...
I tried it with jdk 1.3.1_02 and jdk 1.4.1_01... same thing...

Any ideas??? I'm completely lost... no idea what's going on.

Thanks,
Michael

Kenji Konaka

Dec 18, 2002, 9:55:06 AM
> What does "DER input, Integer tag error" mean???
> any ideas??? I'm completely lost... no idea what's going on.

I think it's because JavaKeyStore always assumes private keys in there.
From the JDK source code:
j2sdk1_4_0/j2se/src/share/classes/sun/security/provider/KeyProtector.java,
KeyProtector.recover() always invokes

| return PKCS8Key.parseKey(new DerValue(plainKey));

which makes things unhappy if faced with public keys.

- don't know what happens if other keystore types are used.

kenji
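
An added example (not code from this thread or from the JDK source) showing why public-key bytes fail in a PKCS#8 parser: a PKCS#8 PrivateKeyInfo begins with an INTEGER version field, while an X.509 SubjectPublicKeyInfo begins with a nested SEQUENCE. The class name KeyEncodingTags, the helper firstInnerTag and the 2048-bit key size are choices made for this example; only public java.security APIs are used.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

public class KeyEncodingTags {

    // Return the tag of the first element inside the outer DER SEQUENCE.
    static int firstInnerTag(byte[] der) {
        if (der.length < 3 || (der[0] & 0xFF) != 0x30) {
            throw new IllegalArgumentException("not a DER SEQUENCE");
        }
        int lenByte = der[1] & 0xFF;
        // Short form: one length byte. Long form: 0x80 | n, then n length bytes.
        int headerLen = (lenByte < 0x80) ? 2 : 2 + (lenByte & 0x7F);
        if (headerLen >= der.length) {
            throw new IllegalArgumentException("truncated DER");
        }
        return der[headerLen] & 0xFF;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // key size chosen for this example
        KeyPair kp = kpg.generateKeyPair();

        byte[] priv = kp.getPrivate().getEncoded(); // format "PKCS#8"
        byte[] pub = kp.getPublic().getEncoded();   // format "X.509"

        // PrivateKeyInfo starts with INTEGER version (tag 0x02);
        // SubjectPublicKeyInfo starts with a nested SEQUENCE (tag 0x30).
        System.out.printf("%s first inner tag: 0x%02x%n",
                kp.getPrivate().getFormat(), firstInnerTag(priv));
        System.out.printf("%s first inner tag: 0x%02x%n",
                kp.getPublic().getFormat(), firstInnerTag(pub));

        KeyFactory kf = KeyFactory.getInstance("RSA");
        try {
            // Same mismatch as in the thread: public-key bytes fed to a PKCS#8 parser.
            kf.generatePrivate(new PKCS8EncodedKeySpec(pub));
            System.out.println("unexpected: public key bytes parsed as PKCS#8");
        } catch (InvalidKeySpecException e) {
            System.out.println("PKCS#8 parse of public key bytes rejected: " + e.getMessage());
        }
        // The matching spec round-trips the public key correctly.
        boolean same = kf.generatePublic(new X509EncodedKeySpec(pub)).equals(kp.getPublic());
        System.out.println("X.509 round trip equal: " + same);
    }
}
```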

Michael J. Hudson

Dec 18, 2002, 7:28:07 PM
That, my friend, WAS the problem!! THANK YOU!!!

Now I'm just mad that no one anywhere has documented this restriction.
I was playing around with public keys in the keystore because the API
said I had to go through all the certificate mess if I wanted to store
a private key. The interface takes a Key class, NOT a PrivateKey
class... and definitely seems to imply that you can store public keys
in the keystore... in fact, more or less says that you don't need a
certificate chain if you're storing a public key!

In any case, I was able to scrounge up a dummy cert and everything
worked... though, since it's a dummy cert... the cert's public key
doesn't match the private key I generated... and it doesn't sit well
with me that I can associate a private key with a certificate whose
public key doesn't match the private key!

Now my next question... how can I programmatically become my own
Certificate Authority?? So, I can actually create a certificate and
associate my own public key with it... without necessarily having to
go through Truste or Verisign to do it?? Any ideas?

Thanks again for your help!
-Michael

