
How to use ECC private key with Java 1.6?


I created a new JKS keystore which contains a trustedCertEntry and a PrivateKeyEntry. Both were created using ECC (signature algorithm name: SHA384withECDSA). The import can be done only with the Java 1.7 keytool, which supports ECC. At runtime I use Java 1.6, which doesn't support ECC.

In my code I defined:

System.setProperty("javax.net.ssl.keyStore", "c:\\mykey.ks"); // backslash escaped for a Java string literal
System.setProperty("javax.net.ssl.keyStorePassword","abcde");

Currently I'm getting:

org.apache.axis2.AxisFault: unable to decode base64 data: null

Is there any way to use the JKS with Java 1.6?


Solution

  • Basically, what you have to do to make ECC available in Java 6 is to add an additional provider that supports ECC. Without paying money you have two choices:

    1. The Sun PKCS#11 provider
    2. The Bouncy Castle provider

    For option 1 you would need a native PKCS#11 library, which I assume you do not have. And option 2 is probably the better choice anyway, because PKCS#11 is actually for keys in smart cards or HSMs. But just for the record if someone wants to go that way, here is a description of how to do it (the NSS part does not matter): How to export ECC key and Cert from NSS DB and import into JKS keystore and Oracle Wallet

    Option 2 requires the keystore to be of one of the types that are provided by Bouncy Castle (either BKS or UBER) and it requires the Bouncy Castle provider to be installed.

    For provider installation follow these instructions: Provider Installation. It might be necessary to add the BC provider before the standard SSL provider (com.sun.net.ssl.internal.ssl.Provider), but I am not sure about that.

    After that you can import the key into a BKS keystore by using the keytool command you have used before with the following modifications:

    • -storetype BKS instead of -storetype JKS
    • -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider

    Alternatively you can use KeyStore Explorer for converting the keystore from JKS to BKS (if you run KSE with Java 7).

    To use the BKS keystore for SSL you have to add another system property:

    System.setProperty("javax.net.ssl.keyStoreType", "BKS");
    

    That should be it, but frankly I would recommend either switching to Java 7 or using RSA keys.
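A startup check for the BKS route described in the answer, as an added example that is not part of the original answer: it registers Bouncy Castle at runtime, confirms the BKS keystore opens and its private key decodes, and only then sets the JSSE system properties. It assumes the Bouncy Castle provider jar is on the classpath, a hypothetical converted keystore at `c:\mykey.bks`, and a key password equal to the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class BksEccCheck {
    public static void main(String[] args) throws Exception {
        // Hypothetical path and password; replace with your own.
        String path = "c:\\mykey.bks";
        char[] password = "abcde".toCharArray();

        // Register Bouncy Castle at runtime (alternative to editing java.security).
        // Security.insertProviderAt(new BouncyCastleProvider(), 1) gives it priority instead.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        // Load the BKS keystore explicitly from BC and confirm the key decodes.
        KeyStore ks = KeyStore.getInstance("BKS", "BC");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        boolean foundKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                // Assumes the key password equals the store password.
                Key key = ks.getKey(alias, password);
                System.out.println(alias + ": " + key.getAlgorithm() + " private key");
                foundKey = true;
            }
        }
        if (!foundKey) {
            throw new IllegalStateException("no private key entry in " + path);
        }

        // Only now hand the keystore to JSSE through the system properties.
        System.setProperty("javax.net.ssl.keyStore", path);
        System.setProperty("javax.net.ssl.keyStorePassword", new String(password));
        System.setProperty("javax.net.ssl.keyStoreType", "BKS");
    }
}
```

If the provider or keystore type is missing, this fails at `KeyStore.getInstance` or `load` with a provider or keystore exception before any SSL call is made.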