JDK-6407454 : KeyTool fails to generate KeyPair to store in Windows-My Sub Store of MSCAPI KeyStore
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_nt
  • CPU: x86
  • Submitted: 2006-04-03
  • Updated: 2010-04-02
  • Resolved: 2006-05-09
Description
=============================GENERATING KEYPAIR TO STORE IN CAPI KEYSTORE=========================================
Generating KeyPair with Alias Name: BRUCE_LEE which does not exist in the CAPI KeyStore
executing KeyTool command as under :
z:/jdk/6.0/latest/binaries/windows-i586//bin//keytool.exe -J-Djava.security.manager -J-Djava.security.policy=KeytoolCAPI.policy -keystore NONE -provider sun.security.mscapi.SunMSCAPI  -genkeypair -v -noprompt -alias BRUCE_LEE  -storetype  Windows-My -keyalg RSA -keysize 1024 -dname cn=sqe, ou=j2se-sqe, o=sun, c=us
Generating 1,024 bit RSA key pair and self-signed certificate (MD5withRSA) with a validity of 90 days
        for: CN=sqe, OU=j2se-sqe, O=sun, C=us
keytool error: java.lang.UnsupportedOperationException: Cannot assign the key to the given alias.
java.lang.UnsupportedOperationException: Cannot assign the key to the given alias.
        at sun.security.mscapi.KeyStore.engineSetKeyEntry(KeyStore.java:399)
        at java.security.KeyStore.setKeyEntry(KeyStore.java:869)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1172)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:171)
        at sun.security.tools.KeyTool.main(KeyTool.java:165)

Comments
WORK AROUND Avoid specifying the SunMSCAPI provider explicitly.
09-05-2006

EVALUATION The SunMSCAPI provider doesn't support access to the RSA keys that it generates. Users of the keytool utility must omit the SunMSCAPI provider from the -provider option and applications must not specify the SunMSCAPI provider.
09-05-2006

EVALUATION If I omit the "-provider sun.security.mscapi.SunMSCAPI", the command runs successfully. It seems that if the SunMSCAPI provider is at the beginning of the provider list (try changing the order of providers in java.security), then in sun.security.mscapi.KeyStore:368, key will be a sun.security.mscapi.RSAPrivateKey object, and "if (key instanceof RSAPrivateCrtKey)" will return false, and then it fails.
04-04-2006
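
The type check described in the 04-04-2006 evaluation can be observed per provider. The following is an added example, not code from this bug report or from the JDK; the class name RsaProviderCheck and the 2048-bit key size are assumptions. It generates an RSA key pair with each installed provider and reports whether the private key is an RSAPrivateCrtKey and whether it exposes an encoding.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.RSAPrivateCrtKey;

// Hypothetical diagnostic class (not part of the JDK or the bug report).
public class RsaProviderCheck {

    // The instanceof test the evaluation attributes to sun.security.mscapi.KeyStore.
    static boolean isCrtKey(PrivateKey key) {
        return key instanceof RSAPrivateCrtKey;
    }

    // Generate one RSA key with the given provider and summarise its private key.
    static String describe(Provider provider) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", provider);
        kpg.initialize(2048); // assumed size; the report used 1024
        PrivateKey key = kpg.generateKeyPair().getPrivate();
        // Keys held inside a provider's native store may return null here.
        boolean hasEncoding = key.getEncoded() != null;
        return String.format("%-12s class=%s crt=%b encoded=%b",
                provider.getName(), key.getClass().getName(),
                isCrtKey(key), hasEncoding);
    }

    public static void main(String[] args) throws Exception {
        Provider[] providers = Security.getProviders("KeyPairGenerator.RSA");
        if (providers == null) {
            System.out.println("no provider offers KeyPairGenerator.RSA");
            return;
        }
        // Provider picked when the caller names none: first match in java.security order.
        String dflt = KeyPairGenerator.getInstance("RSA").getProvider().getName();
        for (Provider p : providers) {
            String mark = p.getName().equals(dflt) ? " (default)" : "";
            try {
                System.out.println(describe(p) + mark);
            } catch (Exception e) {
                System.out.println(p.getName() + mark + " failed: " + e);
            }
        }
    }
}
```

The line marked (default) shows which provider an unqualified KeyPairGenerator.getInstance("RSA") call resolves to, which is what changes when the provider order in java.security is changed.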