I have verified this is the correct repository for opening this issue.
I have verified no other issues exist related to my request.
Is Your Feature Request Related To A Problem? Please describe.
Windows has supported AES256-SHA256 enveloped pfx files since Server 2019 and OpenSSL has defaulted to creating them since OpenSSL 3.0.0. Attempting to have keytool that ships with Nexus read a pfx with AES256-SHA256 will fail with
PS C:\Users\vagrant> C:\ProgramData\nexus\jre\bin\keytool.exe -list -v -storetype PKCS12 -keystore C:\choco-setup\nexus.pfx
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:937)
at sun.security.tools.keytool.Main.run(Main.java:377)
at sun.security.tools.keytool.Main.main(Main.java:370)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
The password is definitely correct; it's just that this version is unable to use this "newer" encryption method. By generating a 3DES pfx (what Windows still does by default), things work just fine.
Describe The Solution. Why is it needed?
Unfortunately I don't know the solution. It might be that the keystore is created locally or with a newer version of keytool than the one that Nexus ships with. It could be that Nexus also needs to run with a newer JRE. In either case, JRE 8 is quite old and probably should be looked into even if it doesn't fix the problem.
Additional Context
To generate some certs with OpenSSL you can run the following with OpenSSL v3.0.0+:
This will generate 2 pfx files aes256.pfx and 3des.pfx. The latter works fine with keytool that Nexus ships with but the former will fail saying the password is incorrect.
Related Issues
No response
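The OpenSSL commands the report refers to are not reproduced on the page, so the following is an added example (not the issue author's script) that produces the two kinds of file the report compares: one with the OpenSSL 3 defaults (PBES2 with AES-256-CBC and a SHA-256 MAC) and one with the legacy PBES1 3DES/SHA-1 encoding that older PKCS12 readers such as the JRE 8 keytool accept. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the hostname, password and scratch directory are constructed for the demo. The second function reads back which encryption a .pfx uses so an operator can check a file before handing it to an old keytool, rather than guessing from a "keystore password was incorrect" error.

```shell
#!/bin/sh
# Added example, not from the issue: export one key/cert pair as an AES-256
# PKCS12 (OpenSSL 3 default) and as a legacy 3DES PKCS12, then report which
# encryption each file actually uses.
set -eu

WORK="${TMPDIR:-/tmp}/pfx-demo.$$"   # scratch directory (constructed)
PASS="changeit"                      # demo password (constructed)

make_pfx_pair() {
  mkdir -p "$WORK"
  # Throwaway self-signed key and certificate; the CN is an assumed demo name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=nexus.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

  # OpenSSL 3.x default encoding: PBES2/AES-256-CBC for key and cert bags,
  # SHA-256 for the integrity MAC. Old PKCS12 parsers reject this.
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout "pass:$PASS" -out "$WORK/aes256.pfx"

  # Legacy encoding: pbeWithSHA1And3-KeyTripleDES-CBC for both bags, SHA-1 MAC.
  # 3DES lives in the default provider, so no -legacy/legacy provider is needed.
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PASS" -out "$WORK/3des.pfx"
}

# Print the bag encryption used by a .pfx: "AES-256-CBC", "3DES" or "unknown".
# Parses the algorithm lines of `openssl pkcs12 -info`, which go to stderr on
# some versions, hence the 2>&1.
pfx_key_encryption() {
  info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" 2>&1 || true)
  case "$info" in
    *AES-256-CBC*)                 echo "AES-256-CBC" ;;
    *3-KeyTripleDES*|*des-ede3*)   echo "3DES" ;;
    *)                             echo "unknown" ;;
  esac
}

# Stand-alone run: build both files and show what each one uses.
make_pfx_pair
echo "aes256.pfx bag encryption: $(pfx_key_encryption "$WORK/aes256.pfx")"
echo "3des.pfx   bag encryption: $(pfx_key_encryption "$WORK/3des.pfx")"
```

If `pfx_key_encryption` reports `AES-256-CBC` for a file that an old keytool rejects, re-exporting it with the `PBE-SHA1-3DES`/`sha1` options above is the interoperability workaround the report describes; the stronger default should be kept wherever the consuming JRE understands it.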