
keytool said "keystore password was incorrect"

I use these commands to generate a self-signed cert:

gmssl ecparam -genkey -name sm2p256v1 -out ca.key
gmssl req -new -key ca.key -out ca.csr
gmssl x509 -req -days 3650 -sm3 -signkey ca.key -in ca.csr -out ca.crt

gmssl ecparam -genkey -name sm2p256v1 -out server.key
gmssl req -new -key server.key -out server.csr
gmssl x509 -req -days 3650 -sm3 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

gmssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name serverkey

and I entered 123456 whenever it said a password was needed. But when I try to import the server cert and key into a JKS file, it doesn't work. I also tried replacing some of the passwords with "changeit", but keytool shows the same error:

keytool -importkeystore -deststorepass 123456 -destkeypass 123456 \
-destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 \
-srcstorepass 123456 -alias serverkey

keytool error: java.io.IOException: keystore password was incorrect

Some additional details:

Reply to the answer from @dave_thompson_085:

Thank you so much for answering my question.

Actually, I want to build a Netty HTTPS server using GMSSL, but I'm not familiar with it and I can't find a tutorial on how to build a GMSSL server using Netty, so I want to build a normal SSL server first and then modify it to GMSSL. The tutorial I found for building an SSL server uses a JKS file, so I tried to put the SM2 key and cert into one to modify it for GMSSL.

I also found another way that uses the cert and key files directly, like building an SslContext with this code:

import java.io.File;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

// PEM files produced by the gmssl commands above
File certChainFile = new File("server.crt");
File keyFile = new File("server.key");
File rootFile = new File("ca.crt");
SslContext sslCtx = SslContextBuilder.forServer(certChainFile, keyFile)
    .trustManager(rootFile).protocols("GMSSLv.1.0")
    // will it recognize the string "GMSSLv.1.0"? I don't know, I just tried.
    .clientAuth(ClientAuth.NONE).build();

but it throws an error when I try to run it:

java.lang.IllegalArgumentException: File does not contain valid certificates

I searched for this error on Google; someone said I need to use a PKCS8 cert, so I tried this command:

gmssl pkcs8 -topk8 -inform PEM -outform PEM -in server.p12 -out server.p8 -nocrypt

and it doesn't work either:

unable to load key  
4577107392:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(libproviders.dylib): dlopen(libproviders.dylib, 2): image not found  
4577107392:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:  
4577107392:error:0E07506E:configuration file routines:module_load_dso:error loading dso:crypto/conf/conf_mod.c:220:module=providers, path=providers  
4577107392:error:0E076071:configuration file routines:module_run:unknown module name:crypto/conf/conf_mod.c:162:module=providers  
4577107392:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:695:

Actually I'm very confused; I don't know how to use Netty to build a GMSSL server.

Does Netty support GMSSL and the SM2, SM3 and SM4 algorithms? I saw this issue, which seems to say it does ( https://github.com/netty/netty/issues/11406 ), but it seems that the pull request doesn't implement the encryption algorithms.

What should I do to build a GMSSL server? Should I use a special version of the JCE, Netty or the JDK? Or do I need to implement the protocol myself?

Meta: this isn't programming, and it's borderline at best for development; it probably would be better suited on security.SX or superuser. But as no one seems to be voting to close, at least not yet...

The problem is that 'standard' Java doesn't support SM2, or more exactly the standard providers in Oracle or OpenJDK Java don't. If you run your keytool command with -v added to get the full stacktrace, you can see PKCS12KeyStore.engineLoad actually got an exception for "Unknown named curve" but wrapped it as "password was incorrect", which I call confusing and bad UI on its part.

BouncyCastle (in reasonably recent versions) does, but I can get keytool to process such a key only by the fairly clumsy means of:

  1. specifying -J-cp -J/path/to/bcprov-jdk15on-$ver.jar

  2. modifying the JRE/conf/security/java.security file to add to the provider list an entry for org.bouncycastle.jce.provider.BouncyCastleProvider -- or since I prefer not to modify my JRE, modifying a copy and using -J-Djava.security.properties=$filename to point to it

  3. specifying -srcprovidername BC AND -destprovidername BC

and moreover, this won't put the result in a JKS file, because the Bouncy provider doesn't support JKS. Why do you want JKS anyway? All versions of Java that are still supported can read PKCS12 -- but for SM2 only if using the Bouncy provider, so you'll need that in your application(s) and/or their JVM(s). And you'll need the Bouncy provider anyway to do anything at all with the key once you've read it in -- and maybe the cert also, I'm not sure exactly when that gets parsed.
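An added example, not part of the question or the answer above, that shows the same point from application code rather than from keytool: the default PKCS12 implementation fails with "keystore password was incorrect" while the real reason sits in the exception's cause chain, and the same file reads fine through the BouncyCastle provider selected explicitly by name. It assumes bcprov-jdk15on is on the classpath, and reuses the file name, alias and password from the question; registering the provider in-process with Security.addProvider is the programmatic equivalent of the java.security edit described in the answer. Whether a TLS handshake can then be completed with this SM2 key is a separate question that this code does not address.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class LoadSm2Pkcs12 {
    // File, alias and password as used in the question (assumed to be present in the working directory).
    static final String P12_FILE = "server.p12";
    static final String ALIAS = "serverkey";
    static final char[] PASSWORD = "123456".toCharArray();

    // providerName == null means "whatever the JRE's provider order gives", i.e. the built-in PKCS12 store;
    // a non-null name (here "BC") forces that provider's implementation regardless of provider order.
    static KeyStore load(String providerName) throws Exception {
        KeyStore ks = (providerName == null)
                ? KeyStore.getInstance("PKCS12")
                : KeyStore.getInstance("PKCS12", providerName);
        try (InputStream in = new FileInputStream(P12_FILE)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // 1. Built-in provider: the message is misleading, so print the whole cause chain
        //    (this is the same information keytool -v exposes in its stack trace).
        try {
            load(null);
            System.out.println("default provider loaded the keystore");
        } catch (IOException e) {
            System.out.println("default provider: " + e.getMessage());
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
        }

        // 2. Register BouncyCastle and read the same file through its PKCS12 implementation.
        //    Security.addProvider appends BC to the provider list; because we request "BC" by name
        //    below, its position in the list does not matter for this lookup.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        KeyStore ks = load("BC");
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        if (key == null || chain == null) {
            throw new IllegalStateException("alias " + ALIAS + " not found in " + P12_FILE);
        }
        System.out.println("BC: key algorithm " + key.getAlgorithm()
                + ", key class " + key.getClass().getName()
                + ", chain length " + chain.length);
    }
}
```

Compile and run with the BC jar on the classpath, e.g. `javac -cp bcprov-jdk15on-$ver.jar LoadSm2Pkcs12.java && java -cp .:bcprov-jdk15on-$ver.jar LoadSm2Pkcs12`. Note that the key and certificate objects returned are BouncyCastle classes, which is why the answer says the BC provider must also be available in the application that consumes them, not only at import time.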
