- by mv
How to export ECC key and Cert from NSS DB and import into JKS keystore and Oracle Wallet
In this blog I will write about how to extract a cert and key from NSS Db and import it to a JKS Keystore and then import that JKS Keystore into Oracle Wallet.
1. Set Java Home
I pointed it to JRE 1.6.0_22
$ export JAVA_HOME=/usr/java/jre1.6.0_22/
2. Create a self signed ECC cert in NSS DB
I created NSS DB with self signed ECC certificate. If you already have NSS Db with ECC cert (and key) skip this step.
$export NSS_DIR=/export/home/nss/
$$NSS_DIR/certutil -N -d .
$$NSS_DIR/certutil -S -x -s "CN=test,C=US" -t "C,C,C" -n ecc-cert -k ec -q nistp192 -d .
3. Export ECC cert and key using pk12util
Use NSS tool pk12util to export this cert and key into a p12 file
$$NSS_DIR/pk12util -o ecc-cert.p12 -n ecc-cert -d . -W password
4. Use keytool to create JKS keystore and import this p12 file
4.1 Import p12 file created above into a JKS keystore
$JAVA_HOME/bin/keytool -importkeystore -srckeystore ecc-cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ecc.jks -srcstorepass password -deststorepass password -srcalias ecc-cert -destalias ecc-cert -srckeypass password -destkeypass password -v
But if an error as shown is encountered,
keytool error: java.security.UnrecoverableKeyException: Get Key failed: EC KeyFactory not available
java.security.UnrecoverableKeyException: Get Key failed: EC KeyFactory not available at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source)
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
at sun.security.tools.KeyTool.recoverEntry(Unknown Source)
at sun.security.tools.KeyTool.doImportKeyStoreSingle(Unknown Source)
at sun.security.tools.KeyTool.doImportKeyStore(Unknown Source)
at sun.security.tools.KeyTool.doCommands(Unknown Source)
at sun.security.tools.KeyTool.run(Unknown Source)
at sun.security.tools.KeyTool.main(Unknown Source)
Caused by: java.security.NoSuchAlgorithmException: EC KeyFactory not available
at java.security.KeyFactory.<init>(Unknown Source)
at java.security.KeyFactory.getInstance(Unknown Source)
... 9 more
4.2 Create a new PKCS11 provider
If you didn't get an error as shown above skip this step.
Since we already have NSS libraries built with ECC, we can create a new PKCS11 provider
Create ${java.home}/jre/lib/security/nss.cfg as follows: name = NSS nssLibraryDirectory = ${nsslibdir} nssDbMode = noDb attributes = compatibility
where nsslibdir should contain NSS libs with ECC support.
Add the following line to ${java.home}/jre/lib/security/java.security :
security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg Note that those who are using Oracle iPlanet Web Server or Oracle Traffic Director, NSS libs built with ECC are in <ws_install_dir>/lib or <otd_install_dir>/lib.
4.3. Now keytool should work
Now you can try the same keytool command and see that it succeeds :
$JAVA_HOME/bin/keytool -importkeystore -srckeystore ecc-cert.p12
-srcstoretype PKCS12 -deststoretype JKS -destkeystore ecc.jks
-srcstorepass password -deststorepass password -srcalias ecc-cert -destalias ecc-cert -srckeypass password -destkeypass password -v
[Storing ecc.jks]
5. Convert JKS keystore into an Oracle Wallet
You can export this cert and key from JKS keystore and import it into an Oracle Wallet if you need using orapki tool as shown below.
Make sure that orapki you use supports ECC.
Also for ECC you MUST use "-jsafe" option.
$ orapki wallet create -pwd password -wallet . -jsafe
$ orapki wallet jks_to_pkcs12 -wallet . -pwd password -keystore ecc.jks -jkspwd password -jsafe
AS
$orapki wallet display -wallet . -pwd welcome1 -jsafeOracle PKI Tool : Version 11.1.2.0.0Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.Requested Certificates:User Certificates:Subject: CN=test,C=USTrusted Certificates:Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USSubject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=USSubject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USSubject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USSubject: CN=test,C=US
As you can see our ECC cert in the wallet.
You can follow the same steps for RSA certs as well.
6. References
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356
http://old.nabble.com/-PATCH-FOR-REVIEW-%3A-Support-PKCS11-cryptography-via-NSS-p25282932.html
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
