
Unencrypted private keys in JKS files cannot be decrypted with the JKS passphrase

Our application creates JKS files using PyJKS version 17.1.0 using the following method:

import jks


def jks_key(alias: str, chain: list, key_der: bytes, passphrase: str) -> bytes:
    """ generate a java keystore with an alias for the given key """

    # chain: list of DER-encoded certificates; key_der: raw RSA private key
    # ('rsa_raw'), which pyjks wraps into an unencrypted PKCS#8 PrivateKeyInfo
    pke = jks.PrivateKeyEntry.new(alias, chain, key_der, 'rsa_raw')
    # keys left unencrypted are encrypted with the store passphrase on save
    keystore = jks.KeyStore.new('jks', [pke])
    return keystore.saves(passphrase)

Up until recently the JKS files have worked well, and our Java application could read and decrypt the private key using the provided passphrase.

Since the pyasn1 module was updated to version 0.3.2 and pyasn1-modules to version 0.0.11, the JKS files created by the application no longer work. The passphrase can decrypt the JKS itself, but cannot decrypt the private key within it anymore.

http://pyjks.readthedocs.io/en/latest/jks.html#jks.jks.KeyStore.saves states: “If any of the private keys are unencrypted, they will be encrypted with the same password as the keystore.” This statement does not seem to hold true anymore.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

3 reactions
magnuswatn commented, Dec 10, 2017

This was broken by: https://github.com/etingof/pyasn1/commit/6fa0e312ea80713983b1a3c1e4529e7452b0e0fe

The problem is that the optional attributes field in the PrivateKeyInfo is now being included without anything in it. Before:

    0:d=0  hl=4 l=1213 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  INTEGER           :00
    7:d=1  hl=2 l=  13 cons:  SEQUENCE          
    9:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim:   NULL              
   22:d=1  hl=4 l=1191 prim:  OCTET STRING      [HEX DUMP]:308204A3...

After:

    0:d=0  hl=4 l=1215 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  INTEGER           :00
    7:d=1  hl=2 l=  13 cons:  SEQUENCE          
    9:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim:   NULL              
   22:d=1  hl=4 l=1191 prim:  OCTET STRING      [HEX DUMP]:308204A...
 1217:d=1  hl=2 l=   0 cons:  cont [ 0 ]  

We can fix this in our code, but it seems strange to me that we have to. I will create a bug in pyasn1 and ask if this is how it’s supposed to be. If it is, then I will create a fix.
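
As an added example (not pyjks, pyasn1 or the commenter's code), the following standard-library Python reproduces the two PrivateKeyInfo layouts from the asn1parse dumps above, detects the empty trailing `attributes [0]` element (the `A0 00` at offset 1217), and re-encodes the structure without it. The DER helpers, the function names and the `KEY_PLACEHOLDER` constant are all assumptions of this example; the placeholder is an RSAPrivateKey header followed by zero padding, sized so that the offsets and lengths come out identical to the dumps, and it is not a real key.

```python
"""Added example (not pyjks, pyasn1 or the commenter's code): build the two
PKCS#8 PrivateKeyInfo layouts from the asn1parse dumps above, detect the
empty trailing `attributes [0]` element, and strip it. Standard library only."""

# AlgorithmIdentifier contents for rsaEncryption (OID 1.2.840.113549.1.1.1)
RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"

# Constructed placeholder, NOT a real key: an RSAPrivateKey header
# (SEQUENCE, length 0x04A3 = 1187) followed by zero padding, sized so the
# offsets and lengths match the dumps in the issue (OCTET STRING l=1191).
KEY_PLACEHOLDER = b"\x30\x82\x04\xa3" + bytes(1187)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def build_private_key_info(key_der: bytes, empty_attributes: bool) -> bytes:
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm
    AlgorithmIdentifier, privateKey OCTET STRING,
    attributes [0] IMPLICIT Attributes OPTIONAL }.

    empty_attributes=True appends the OPTIONAL field as an empty constructed
    context tag (A0 00), which is the 'After' encoding in the issue."""
    body = der_tlv(0x02, b"\x00") + der_tlv(0x30, RSA_ENCRYPTION) + der_tlv(0x04, key_der)
    if empty_attributes:
        body += b"\xa0\x00"
    return der_tlv(0x30, body)


def parse_tlvs(data: bytes, base: int = 0) -> list:
    """Split DER into (offset, tag, content) tuples at one nesting level.
    `base` is the offset of `data` inside the enclosing buffer so the
    offsets line up with `openssl asn1parse` output. Raises on truncation."""
    out, i = [], 0
    while i < len(data):
        start = i
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, i = first, i + 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        if i + length > len(data):
            raise ValueError("truncated DER element at offset %d" % (base + start))
        out.append((base + start, tag, data[i:i + length]))
        i += length
    return out


def private_key_info_fields(pki_der: bytes) -> list:
    """Fields of the outer SEQUENCE as (offset, tag, content) tuples."""
    outer = parse_tlvs(pki_der)
    if len(outer) != 1 or outer[0][1] != 0x30:
        raise ValueError("PrivateKeyInfo must be a single SEQUENCE")
    offset, _, content = outer[0]
    header_len = len(pki_der) - len(content)
    return parse_tlvs(content, base=offset + header_len)


def has_empty_attributes(pki_der: bytes) -> bool:
    """True when the structure ends with an empty [0] attributes element."""
    fields = private_key_info_fields(pki_der)
    return len(fields) == 4 and fields[3][1:] == (0xA0, b"")


def strip_empty_attributes(pki_der: bytes) -> bytes:
    """Re-encode without the empty trailing attributes; other input is
    returned unchanged."""
    if not has_empty_attributes(pki_der):
        return pki_der
    fields = private_key_info_fields(pki_der)
    return der_tlv(0x30, b"".join(der_tlv(t, c) for _, t, c in fields[:3]))


if __name__ == "__main__":
    for label, flag in (("Before", False), ("After", True)):
        pki = build_private_key_info(KEY_PLACEHOLDER, flag)
        print(label, "total length", len(pki))
        for offset, tag, content in private_key_info_fields(pki):
            print("  %5d: tag 0x%02X len %d" % (offset, tag, len(content)))
    fixed = strip_empty_attributes(build_private_key_info(KEY_PLACEHOLDER, True))
    print("stripped == Before:", fixed == build_private_key_info(KEY_PLACEHOLDER, False))
```

Run stand-alone, the two listings differ only in the final `1217: tag 0xA0 len 0` field and in the outer length (1213 versus 1215), which is exactly what the dumps show. Stripping that element is one way for a producer to normalise its output before wrapping the key in a keystore; the example does not claim anything about how a particular consumer parses the attributes field.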

2 reactions
magnuswatn commented, Jun 18, 2018

Yes, this should be fixed soon @jcdevil. Sorry that it has taken forever!
