How to export ECC key and Cert from NSS DB and import into JKS keystore and Oracle Wallet

In this blog I will write about how to extract a cert and key from NSS Db and import it to a JKS Keystore and then import that JKS Keystore into Oracle Wallet.

1. Set Java Home

I pointed it to JRE 1.6.0_22

$ export JAVA_HOME=/usr/java/jre1.6.0_22/

2. Create a self signed ECC cert in NSS DB

I created NSS DB with self signed ECC certificate. If you already have NSS Db with ECC cert (and key) skip this step.

$export NSS_DIR=/export/home/nss/

$$NSS_DIR/certutil -N -d .

$$NSS_DIR/certutil -S -x -s "CN=test,C=US" -t "C,C,C" -n ecc-cert -k ec -q nistp192 -d .

3. Export ECC cert and key using pk12util

Use NSS tool pk12util to export this cert and key into a p12 file 

    $$NSS_DIR/pk12util -o ecc-cert.p12 -n ecc-cert -d . -W password

4. Use keytool to create JKS keystore and import this p12 file

4.1 Import p12 file created above into a JKS keystore

$JAVA_HOME/bin/keytool -importkeystore -srckeystore ecc-cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ecc.jks -srcstorepass password -deststorepass password -srcalias ecc-cert -destalias ecc-cert -srckeypass password -destkeypass password -v

But if an error as shown is encountered,

keytool error: java.security.UnrecoverableKeyException: Get Key failed: EC KeyFactory not available
java.security.UnrecoverableKeyException: Get Key failed: EC KeyFactory not available
       at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source)
        at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
        at java.security.KeyStore.getEntry(Unknown Source)
        at sun.security.tools.KeyTool.recoverEntry(Unknown Source)
        at sun.security.tools.KeyTool.doImportKeyStoreSingle(Unknown Source)
        at sun.security.tools.KeyTool.doImportKeyStore(Unknown Source)
        at sun.security.tools.KeyTool.doCommands(Unknown Source)
        at sun.security.tools.KeyTool.run(Unknown Source)
        at sun.security.tools.KeyTool.main(Unknown Source)
Caused by: java.security.NoSuchAlgorithmException: EC KeyFactory not available
        at java.security.KeyFactory.<init>(Unknown Source)
        at java.security.KeyFactory.getInstance(Unknown Source)
        ... 9 more

4.2 Create a new PKCS11 provider

If you didn't get an error as shown above skip this step.

Since we already have NSS libraries built with ECC, we can create a new PKCS11 provider

Create ${java.home}/jre/lib/security/nss.cfg as follows:

name = NSS
    nssLibraryDirectory = ${nsslibdir}
    nssDbMode = noDb
    attributes = compatibility

where nsslibdir should contain NSS libs with ECC support.

Add the following line to ${java.home}/jre/lib/security/java.security :

     security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

Note that those who are using Oracle iPlanet Web Server or Oracle Traffic Director, NSS libs built with ECC are in <ws_install_dir>/lib or <otd_install_dir>/lib.

4.3. Now keytool should work

Now you can try the same keytool command and see that it succeeds :

$JAVA_HOME/bin/keytool -importkeystore -srckeystore ecc-cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ecc.jks -srcstorepass password -deststorepass password -srcalias ecc-cert -destalias ecc-cert -srckeypass password -destkeypass password -v

[Storing ecc.jks]

5. Convert JKS keystore into an Oracle Wallet

You can export this cert and key from JKS keystore and import it into an Oracle Wallet if you need using orapki tool as shown below.

Make sure that orapki you use supports ECC.

Also for ECC you MUST use "-jsafe" option.

$ orapki wallet create -pwd password  -wallet .  -jsafe

$ orapki wallet jks_to_pkcs12 -wallet . -pwd password -keystore ecc.jks -jkspwd password -jsafe

AS

$orapki wallet display -wallet . -pwd welcome1  -jsafe
Oracle PKI Tool : Version 11.1.2.0.0
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=test,C=US
Trusted Certificates:
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=test,C=US

As you can see our ECC cert in the wallet.

You can follow the same steps for RSA certs as well.

6. References

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356

http://old.nabble.com/-PATCH-FOR-REVIEW-%3A-Support-PKCS11-cryptography-via-NSS-p25282932.html

http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html