
IOException in Java 8 when reading PKCS12 keystore created with keytool from OpenJDK16

TL;DR

keytool from OpenJDK16 creates PKCS12 keystore files that cannot be read from Java 8, 9, 10 and 11. Is this a bug? How to create a PKCS12 keystore that works with Java 8?

Context

I build a Maven project which produces an executable JAR file that must run on any JRE from version 8 to version 16. That JAR file spawns an HTTPS server (using com.sun.net.httpserver.HttpsServer).

During the build, I use keytool to generate a key pair and store it in a PKCS12 keystore that is bundled in the JAR (actually, I’m using keytool-maven-plugin):

The Java code uses this automatically-generated keystore to start the HTTPS server:

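The HTTPS startup described in the Context section, as an added example (not the question's own code, which is not reproduced on this page): it loads a PKCS12 keystore bundled on the classpath, builds an SSLContext from it and hands that to com.sun.net.httpserver.HttpsServer. The resource path, password and port are assumptions; on a JRE 8 or 11 runtime the keyStore.load() call is where a keystore written by OpenJDK 16's keytool fails.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class EmbeddedHttpsServer {

    // Assumed: the build bundles the keytool-generated keystore at this
    // classpath location, protected with this password.
    private static final String KEYSTORE_RESOURCE = "/keystore.p12";
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();

    /** Loads the bundled PKCS12 keystore and builds an SSLContext from it. */
    static SSLContext loadSslContext() throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = EmbeddedHttpsServer.class.getResourceAsStream(KEYSTORE_RESOURCE)) {
            if (in == null) {
                throw new IOException("keystore resource not found: " + KEYSTORE_RESOURCE);
            }
            // This is the call that throws on JRE 8/11 when the file was written
            // with the newer PKCS12 defaults of OpenJDK 16's keytool.
            keyStore.load(in, KEYSTORE_PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, KEYSTORE_PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx;
        try {
            ctx = loadSslContext();
        } catch (IOException e) {
            // Surface the runtime/keystore mismatch explicitly instead of a bare stack trace.
            System.err.println("Cannot load " + KEYSTORE_RESOURCE + " on Java "
                    + System.getProperty("java.version") + ": " + e.getMessage());
            throw e;
        }

        // Assumed bind address and port; binding to loopback keeps the example local.
        HttpsServer server = HttpsServer.create(new InetSocketAddress("127.0.0.1", 8443), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx));
        server.createContext("/", exchange -> {
            byte[] body = "ok".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        System.out.println("HTTPS server listening on https://127.0.0.1:8443/");
    }
}
```

Keeping the keystore loading in its own method makes the failing step easy to isolate when the same JAR is run on several JRE versions: the error is raised before any socket is opened, so a load failure on one runtime and success on another points at the keystore format rather than at the server configuration.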
Problem

When the JAR is built with an OpenJDK 16 JDK (and keytool from OpenJDK 16 is used) and then executed in a Java 8 JRE, we get this exception on keyStore.load():

When the same JAR is executed in OpenJDK 11.0.7+10, we get this exception:

However, when the same JAR is executed with OpenJDK 14, 15 or 16, no exception and everything works.

Here’s a table that summarizes the versions of keytool, and whether the PKCS12 key store created with each version of keytool can be loaded in various JRE versions:

JRE 8 JRE 11 JRE 14 JRE 16
keytool 8
keytool 11
keytool 14
keytool 15
keytool 16

Questions

Is this a bug in keytool, or in the KeyStore class?

How to create a PKCS12 key store using OpenJDK16 that will work when loaded with JRE 8?

What is HmacPBESHA256? I haven’t specified this algorithm in my keytool command line.

Answer

It’s not a bug in keytool or KeyStore. keytool in OpenJDK 16 has been improved to use more secure algorithms by default, which are not supported with Java 8 and Java 11 (see JDK-8228481).

Two options to solve the problem:

  • Use JKS instead of PKCS12 for the key store
  • Use the -J-Dkeystore.pkcs12.legacy option with keytool to set the keystore.pkcs12.legacy system property and force OpenJDK 16’s keytool to use the older algorithms (which are supported by Java 8 and 11)

For the keytool-maven-plugin Maven plugin, use the below configuration:

Note: All credits go to @dave_thompson_085