
General Issues » NoSuchAlgorithmException: This key store instance do only support RSA and DSA keys.

Author: fstarnaud, Visitor
26/08/2015 22:59:39
Hello,

I'm looking into JCAPI as a solution to avoid having to export certs from MS stores and import them into JKS stores. I would like to get the certs directly from the MS stores from Java.

I managed in the past to get the certs I needed directly from the MS stores using SunMSCAPI, but these were certs created from a typical AD CS web server template using typical crypto.

However, I now need, as per my client's requirements, to get certs generated using modern crypto, specifically ECDH with SHA383. To test, I generated a cert via AD CS for my machine, moved it to my user store, exported it to a .pfx file and created a .jks file by importing this .pfx file.

I then created two test methods (see attached .zip file, a NetBeans project, containing the .pfx, .jks and Certificates.java files):

Method Certificates.Standard() uses standard JDK mechanisms to load keys from the .jks file. With this code, I manage to get a secured HTTPS connection using Chrome (which also confirms the connection uses "modern crypto").

Method Certificates.JCAPI() tries to do the same, but using JCAPI to get the cert directly from the MS store instead of the .jks file. Unfortunately, I get the following exception (BTW, note the grammatical error in the message):


java.security.NoSuchAlgorithmException: This key store instance do only support RSA and DSA keys.
    at com.pheox.jcapi.f.n(Unknown Source)
    at com.pheox.jcapi.JCAPIKeyStore.engineGetKey(Unknown Source)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at ca.logisphere.Certificates.JCAPI(Certificates.java:79)
    at ca.logisphere.Certificates.main(Certificates.java:14)


Am I doing something wrong? Is what I'm trying to do possible with JCAPI?

Thanks,

François

Filename Certificates.zip
Description NetBeans project
Filesize 59 Kbytes


Author: tommy, Visitor
31/08/2015 19:24:19
Hi François,

Sorry for the late reply. Many things in the pipe right now.
I'll take a look at it asap.
Thanks for attaching code to reproduce the problem.

Regards,
Tommy

Author: tommy, Visitor
31/08/2015 20:03:12
Hi again François,

I did read your post too quickly.
The reason why it doesn't work is quite obvious. JCAPI v2 only supports DSA and RSA asymmetric keys and their respective crypto engines through MS CAPI. Support for ECDH is part of the coming JCAPI v3 which is to be released next year.

I am afraid that you have to choose another JCE provider meanwhile.

Regards,
Tommy
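
A diagnostic for the limitation described in the reply above, added here as an example and not taken from the thread's attached project or from JCAPI: it lists each key store entry's public key algorithm and tries the same `KeyStore.getKey()` call that fails in the stack trace, so non-RSA/DSA entries are found before the store is passed to `KeyManagerFactory.init()`. The class name and the default store type `Windows-MY` (SunMSCAPI) are assumptions; pass another provider's store type as the first argument.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class KeyStoreAlgorithmAudit {
    // Key algorithms the reply above says JCAPI v2 handles.
    private static final Set<String> SUPPORTED = new HashSet<>(Arrays.asList("RSA", "DSA"));

    public static void main(String[] args) throws Exception {
        // Assumption: "Windows-MY" (SunMSCAPI, current user's personal store).
        // Pass another provider's store type as the first argument to test it.
        String type = args.length > 0 ? args[0] : "Windows-MY";
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // system-backed stores take no stream or password

        int blocked = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            // A certificate with an elliptic-curve key reports "EC" here.
            String alg = cert == null ? "unknown" : cert.getPublicKey().getAlgorithm();
            String status;
            if (!ks.isKeyEntry(alias)) {
                status = "certificate only, no private key";
            } else {
                try {
                    // Same call that SunX509KeyManagerImpl makes in the stack trace.
                    Key key = ks.getKey(alias, null);
                    status = key == null ? "getKey returned null" : "private key loaded";
                } catch (GeneralSecurityException e) {
                    status = "getKey failed: " + e;
                    blocked++;
                }
            }
            String note = SUPPORTED.contains(alg) ? "" : "  <-- not RSA/DSA";
            System.out.printf("%-40s %-8s %s%s%n", alias, alg, status, note);
        }
        // Non-zero exit: at least one entry fails getKey() through this provider,
        // which is the failure KeyManagerFactory.init() hits in the trace above.
        System.exit(blocked == 0 ? 0 : 1);
    }
}
```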

Author: fstarnaud, Visitor
12/09/2015 18:33:05
Hey Tommy,

Thanks for your reply, and sorry also for my late answer (I never got / never saw an email to alert me of a new message in this thread).

Great! When do you plan to have a first of JCAPI v3.0 out? Which quarter of 2016 are you targeting for release?

In the meantime, I would very much like to try another JCE provider alternative to SunMSCAPI that supports modern crypto, but I know of no other. Do you?

BTW, I posted this in Stack Overflow:

http://stackoverflow.com/questions/32239859/is-it-possible-to-load-next-generation-certificates-from-the-microsoft-keystore

François

Author: fstarnaud, Visitor
22/09/2016 21:48:34
Hello Tommy,

Any news on when JCAPI v3.0 will be released?

Cheers,

Francois



