Re: keytool error: Public keys in reply and keystore don't match

Jan Luehe (luehe@laguna.eng.sun.com)
Thu, 26 Aug 1999 09:47:15 -0700 (PDT)

Message-Id: <199908261647.JAA20299@laguna.eng.sun.com>
To: java-security@java.sun.com, lucas@gonze.com

Lucas:

Are you using Crypto-J 2.1 as your RSA provider?

Someone else reported the same problem (see attachment),
which we were able to reproduce. However, when using
Crypto-J 2.2, everything works fine.

Jan

> This is the command I'm using:
> keytool -v -debug -import -alias webbank -trustcacerts -file
> c:/medianow/cert_response_RSA.p7c
>
> keytool error: Public keys in reply and keystore don't match
> java.lang.Exception: Public keys in reply and keystore don't match
> at sun.security.tools.KeyTool.establishCertChain(Compiled Code)
> at sun.security.tools.KeyTool.installReply(KeyTool.java:1069)
> at sun.security.tools.KeyTool.doCommands(Compiled Code)
> at sun.security.tools.KeyTool.run(KeyTool.java:116)
> at sun.security.tools.KeyTool.main(KeyTool.java:110)
>
> One possible explanation is that when I first got back the response, I
> attempted to import the CA cert under the same alias as the certificate
> request. This was, obviously, a user error. Is it possible that this
> corrupted the public key for this alias?
>
> - Lucas Gonze

From: Jan Luehe <luehe@laguna>
Subject: Re: Problem with certs for RSA keyentry using keytool
To: java-security@java.sun.com, sat@differential.com

Sat:

> We're having problems importing certs for an RSA keyentry within
> our keystore. The crypto provider is jsafe (crypto-J) from RSA.
>
> The base case that fails is as follows:
> We export the self-signed certificate (keytool -selfcert) that is
> associated with the key into a file and try to import it back (keytool
> -import) from that file without changes.
> It fails with an error message to the effect of: the public key in the
> keystore and the response do not match.

I have been able to reproduce your problem when using
Crypto-J 2.1.
After I installed Crypto-J 2.2, it worked fine; I got this
message (as expected):

keytool error: Certificate reply and certificate in keystore are identical

Jan
