6

I'm trying to set up a DTLS server on Android based on the example java files from Californium.Scandium. Initially I ran into issues because the keystore and truststore were in jks format and I did not have the key passwords. Hence, I created my own PKCS12 keystore and truststore using Portecle. 

KeyStore keyStore = KeyStore.getInstance("PKCS12");
in = getResources().openRawResource(R.raw.keystore);
keyStore.load(in, KEY_STORE_PASSWORD.toCharArray());

KeyStore trustStore = KeyStore.getInstance("PKCS12");
inTrust = getResources().openRawResource(R.raw.truststore);
trustStore.load(inTrust, TRUST_STORE_PASSWORD.toCharArray());

After that, the code did not throw any errors during keystore loading but upon running the application I get this:

FATAL EXCEPTION: main
Process: com.example.admin.securesend, PID: 3402
java.lang.RuntimeException: Unable to start activity
ComponentInfo{com.example.admin.securesend/com.example.admin.securesend.DTLSServer}: java.lang.IllegalStateException: Keys must be ECDSA capable when support for an ECDHE_ECDSA based cipher suite is configured

Edit: I realised that my keys were created using SHA instead of ECDSA. I'm not very familiar with keystores and keys, so I'm assuming that my keystore is now valid and I just need to generate the appropriate keys for the system and plant them into the key. How do I create keys using ECDSA and transfer them into my keystore?

Maarten Bodewes
  • 80,169
  • 13
  • 121
  • 225
Amber K.
  • 61
  • 1
  • 4

1 Answers1

9

Ok, let's first get the terminology right:

  • RSA: That's the type of keys that you have created with portecle.
  • DSA: Another key type, very rarely used. Also a signature algorithm.
  • EC: Elliptic curve keys are what you want to generate.
  • ECDSA: A signature algorithm for EC keys.
  • SHA: A hashing algorithm, used to generate a hash value of the data to be signed.

For generating EC keys you can use keytool (with Java 7 or higher):

keytool -genkeypair -alias ec -keyalg EC -keysize 256 -sigalg SHA256withECDSA  -validity 365 -storetype JKS -keystore ectest.jks -storepass 123456

This command generates a 256 bit EC key on a SEC curve (secp256r1) and a self signed certificate using ECDSA with SHA256.

If you prefer GUI tools, KeyStore Explorer is another way to generate EC keys:

EC key generation with KSE

Omikron
  • 3,578
  • 1
  • 23
  • 26
  • You may not want to specify -storepass on the command line since that puts your password in your command history. Better to enter it interactively (the default for keytool). – GlenPeterson Oct 18 '19 at 13:43
  • Why storetype jks instead of pkcs12? I don't really know what either one is, just curious. – GlenPeterson Oct 18 '19 at 13:44