What causes keytool error “Failed to decrypt safe

Posted 2019-02-04 10:15

Question:

I am trying to convert a standard PKCS #12 (.p12) key store into a Java JKS key store with this command:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

It is failing with:

keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

Do you have any idea how to solve this problem?

Answer 1:

Sometimes this error is symptomatic of using an incorrect password for the p12 key.



Answer 2:

The pkcs12 keystore was corrupt indeed.
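
A way to tell the two causes named in Answers 1 and 2 apart before running the conversion, as an added example that is not part of the original thread: it loads the PKCS #12 file through the same `KeyStore` API keytool uses and classifies the failure. `P12Check` and its method names are hypothetical; a decryption failure is treated as a probable wrong password, although damaged ciphertext can fail the same way.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.BadPaddingException;

// Added example: P12Check is a hypothetical helper class, not part of keytool.
public class P12Check {
    // True if any exception in the cause chain is of the given type.
    static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
        for (; t != null; t = t.getCause()) {
            if (type.isInstance(t)) return true;
        }
        return false;
    }

    // KeyStore.load documents UnrecoverableKeyException as the cause for a wrong
    // password; the BadPaddingException in the question is also a failed decryption.
    static String diagnose(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
            return "OK, aliases: " + Collections.list(ks.aliases());
        } catch (IOException e) {
            boolean decryptFailed = hasCause(e, UnrecoverableKeyException.class)
                    || hasCause(e, BadPaddingException.class);
            return (decryptFailed
                    ? "DECRYPT FAILED (wrong password, or damaged encrypted data): "
                    : "UNREADABLE (not PKCS #12, truncated or corrupt): ") + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): java P12Check keystore.p12");
            System.exit(2);
        }
        // Prompting keeps the password out of shell parsing, history and process listings.
        char[] password = console.readPassword("Source keystore password: ");
        if (password == null) System.exit(2);
        try {
            System.out.println(diagnose(args[0], password));
        } finally {
            Arrays.fill(password, '\0'); // wipe the password from memory
        }
    }
}
```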



Answer 3:

I've never attempted to do this before, but I did find instructions on Google here.

This thread asks a similar question.

EDIT (Based on comment)

Here is the full content of the linked reference:

PFX/P12 to JKS (Java KeyStore)

Question: How do I move a certificate from IIS / PFX (.p12 file) to a JKS (Java KeyStore)?

Answer: keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME

Note: To find the srcalias, list the contents of the PFX/P12 file:

keytool -v -list -storetype pkcs12 -keystore PFX_P12_FILE > FILENAME.TXT

This writes the output of the command to a file with the name of FILENAME.TXT.



Answer 4:

I had the same issue today (BadPaddingException). It seems keytool had a problem with certain characters in the password. I solved it by adding double-quotes around the password.

keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass "PFX_P12_FILE" -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass "PASSWORD" -destalias ALIAS_NAME



Answer 5:

I did this command (opposite to yours) to export a private key to PKCS12 from a JKS:

keytool -importkeystore -srckeystore DemoIdentity.jks -srcstoretype JKS -destkeystore demoidentity.p12 -deststoretype PKCS12

If I left off the seemingly redundant "-srcstoretype JKS", the generated demoidentity.p12 file gave me the same error when I tried to list the details in keytool even though the above command accepted the passwords and generated a file seemingly correctly!

For your issue, perhaps you did something similar when generating keystore.p12.



Answer 6:

I had a similar issue when I was trying to export certs as pfx from JKS. It worked when I excluded the deststorepass attribute in the keytool command & gave the destination store password at runtime.

keytool -importkeystore -srckeystore Keystore.jks -destkeystore dv163.pfx -srcstoretype JKS -deststoretype PKCS12 -srcalias alias1 -destalias alias1

Enter destination keystore password:

Re-enter new password:

Enter source keystore password: