Caused by: java.security.UnrecoverableKeyException: Cannot recover key
Solution 1
The private key password defined in your app/config is incorrect. First try verifying the private key password by changing it to another one as follows:
keytool -keypasswd -new changeit -keystore cacerts -storepass changeit -alias someapp -keypass password
The above example changes the password from password to changeit. This command will succeed if the private key password was password.
Solution 2
In order to not have the Cannot recover key exception, I had to apply the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to the installation of Java that was running my application. Version 8 of those files can be found here, or the latest version should be listed on this page. The download includes a file that explains how to apply the policy files.
Since JDK 8u151 it isn't necessary to add policy files. Instead the JCE jurisdiction policy files are controlled by a Security property called crypto.policy. Setting that to unlimited will allow unlimited cryptography to be used by the JDK. As the release notes linked to above state, it can be set by Security.setProperty() or via the java.security file. The java.security file could also be appended to by adding -Djava.security.properties=my_security.properties to the command used to start the program, as detailed here.
Since JDK 8u161 unlimited cryptography is enabled by default.
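As an added example of the crypto.policy mechanism described above (this is not code from the answer or from the JDK documentation), the following Java program reports the policy currently in force, sets it to unlimited through Security.setProperty() when it is not, and then reads the effective cap through Cipher.getMaxAllowedKeyLength(). The class name is mine; it assumes JDK 8u151 or newer, where the crypto.policy property exists.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

/**
 * Added example: shows whether this JVM allows unlimited-strength
 * cryptography and demonstrates the crypto.policy Security property.
 *
 * Assumption: JDK 8u151 or later. The property is only honoured if it is
 * set before the JCE framework initialises, i.e. before the first
 * Cipher/KeyStore/SSLContext call anywhere in the JVM.
 */
public class CryptoPolicyCheck {

    /** Largest AES key size (in bits) the active jurisdiction policy permits. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True when the policy is unlimited (the "limited" policy caps AES at 128 bits). */
    static boolean isUnlimited() throws NoSuchAlgorithmException {
        return maxAesKeyBits() > 128;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Read the property before touching any JCE class, so the value
        // printed is the one that will govern this JVM.
        String policy = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy = " + policy);

        if (policy == null || !"unlimited".equalsIgnoreCase(policy.trim())) {
            // Programmatic equivalent of the line crypto.policy=unlimited
            // in java.security. Ignored if JCE has already been initialised.
            Security.setProperty("crypto.policy", "unlimited");
            System.out.println("crypto.policy set to unlimited for this JVM");
        }

        // This is the first JCE call, so the policy is fixed from here on.
        System.out.println("max AES key length: " + maxAesKeyBits() + " bits");
        System.out.println("unlimited strength: " + isUnlimited());
    }
}
```

Compile and run it with javac CryptoPolicyCheck.java && java CryptoPolicyCheck. Under the limited policy the reported AES cap is 128 bits; under the unlimited policy Cipher.getMaxAllowedKeyLength returns Integer.MAX_VALUE. Because the property must be set before any JCE initialisation, for a real application it is more robust to put crypto.policy=unlimited in a properties file passed via -Djava.security.properties, as the answer describes, than to rely on the order of calls in main.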
Solution 3
I had the same error when we imported a key into a keystore that was built using a 64-bit OpenSSL version. When we followed the same procedure to import the key into a keystore that was built using a 32-bit OpenSSL version everything went fine.
Solution 4
Check if the password you are using is the correct one by running the command below:
keytool -keypasswd -new temp123 -keystore awsdemo-keystore.jks -storepass temp123 -alias movie-service -keypass changeit
If you get the error below, then your password is wrong:
keytool error: java.security.UnrecoverableKeyException: Cannot recover key
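Solutions 1 and 4 both verify the key password by changing it with keytool -keypasswd, which rewrites the keystore. As an added example (not code from any of the answers), the Java program below performs the same check read-only and separates the cases that all end in "Cannot recover key": a wrong store password, an alias that is not in the store, an alias that is a trusted certificate rather than a key, and a wrong key password. The class name and the command-line arguments are mine; it assumes a JKS or PKCS12 file readable by the default KeyStore type, and the path, alias and passwords are placeholders supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/**
 * Added example: read-only diagnosis of "Cannot recover key".
 * Unlike keytool -keypasswd, nothing here modifies the keystore.
 *
 * Assumptions: the file is a JKS or PKCS12 keystore that the JDK's default
 * KeyStore type can load; all command-line values are caller-supplied
 * placeholders.
 */
public class KeystoreDiagnose {

    enum Result { ALIAS_MISSING, NOT_A_KEY_ENTRY, KEY_PASSWORD_WRONG, OK }

    /**
     * Opens the store with the store password. Returns null when the
     * integrity check fails: the JDK reports that as an IOException
     * ("Keystore was tampered with, or password was incorrect") whose
     * cause is an UnrecoverableKeyException.
     */
    static KeyStore open(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
            return ks;
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return null;
            }
            throw e; // genuine I/O or format problem, not a password problem
        }
    }

    /** Checks the alias and the key password against a store that already opened. */
    static Result checkKey(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            return Result.ALIAS_MISSING;     // e.g. a wrong Tomcat keyAlias
        }
        if (!ks.isKeyEntry(alias)) {
            return Result.NOT_A_KEY_ENTRY;   // trustedCertEntry: no private key to recover
        }
        try {
            Key key = ks.getKey(alias, keyPass); // throws on a wrong key password
            return key == null ? Result.ALIAS_MISSING : Result.OK;
        } catch (UnrecoverableKeyException e) {
            // The exception from the question: the store password is fine, but
            // the per-entry password does not decrypt this private key.
            return Result.KEY_PASSWORD_WRONG;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreDiagnose <keystore> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        KeyStore ks = open(args[0], args[1].toCharArray());
        if (ks == null) {
            System.out.println("store password is wrong; the key password was never tried");
            return;
        }
        // Listing the aliases first catches typos in the alias before the key check.
        System.out.println("aliases present: " + Collections.list(ks.aliases()));
        Result result = checkKey(ks, args[2], args[3].toCharArray());
        System.out.println(args[2] + ": " + result);
    }
}
```

Run it as javac KeystoreDiagnose.java && java KeystoreDiagnose ABCC_client.store <storepass> <alias> <keypass>. The distinction it prints is the one several commenters below ask about: "Keystore was tampered with, or password was incorrect" comes from ks.load and means the store password is wrong, whereas "Cannot recover key" comes from ks.getKey and means the store opened but the key password for that one entry is wrong. When the store and key passwords were set differently at creation time, only the key password fixes the second case.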
Mrinal Bhattacharjee
Updated on March 25, 2021
Comments
-
Mrinal Bhattacharjee about 3 years
I am supplied with a jks keystore named ABCC_client.store. When I import this keystore to cacerts and try connecting it says No such Algorithm error. PFA the stacktrace
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
    at java.security.Provider$Service.newInstance(Provider.java:1245)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
    at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
    at org.apache.axis.components.net.JSSESocketFactory.initFactory(JSSESocketFactory.java:61)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:79)
    ... 32 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
    at java.security.KeyStore.getKey(KeyStore.java:763)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:170)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at java.security.Provider$Service.newInstance(Provider.java:1221)
    ... 39 more
But if I use this keystore independently, i.e. without adding it to cacerts, it works.
Some googling led me to http://joewlarson.com/blog/2009/03/25/java-ssl-use-the-same-password-for-keystore-and-key/ which says that the password might be different for the key and the keystore.
-
Russ over 10 years
While I didn't use this answer in relation to the question, it was helpful for validating a keystore file, store password, alias/key, and key password.
-
Heimi over 8 years
The root cause of the error above was java.security.UnrecoverableKeyException: Cannot recover key. The reason for that can be a wrong password as mentioned above, but also a keystore built with a 64-bit OpenSSL implementation. So I consider my answer another possible solution. It helped me in the same error situation, so I provided the solution here.
-
aled about 8 years
openssl doesn't create Java keystore files. Could you clarify this?
-
gersonZaragocin almost 8 years
Please remember that after executing this command you will change the keystore password. You would have to set the password back to the original one.
-
Andrey Regentov over 7 years
Actually, it's enough to specify just
keytool -keypasswd -keystore storefile -alias somealias
and enter everything else at the prompt.
-
Marti Pàmies Solà over 6 years
Thanks for your answer. I faced the same problem when invoking HTTPS web services from OpenESB 3.05. I followed your instructions and generated the jks file again with a 32-bit implementation of OpenSSL and it works fine.
-
Adam over 6 years
I am seeing this error despite having the policy file jars installed.
-
WhiteKnight over 6 years
@Adam My solution is for a specific case, which may be different from the one you are experiencing. However, I've added an update to reflect the change that occurred in JDK 8u151.
-
Kavin Raju S over 5 years
On running this command I am getting the following error:
"keytool error: java.security.UnrecoverableKeyException: Cannot recover key"
Is there any way to check what my alias key password is, or change it without knowing the old one?
-
Alexandru Severin about 3 years
If I use any other password I receive the error "Keystore was tampered with, or password was incorrect". If I use the password I know is correct I get the error "Cannot recover key". So I don't think your statement is correct, at least in my case. Something else might cause the error.
-
Gabor Garami over 2 years
Tomcat can cause this issue when the keyAlias parameter is missing or its value does not match the alias name in the keystore. Ensure you're using the correct alias by issuing
keytool -list -keystore something.jks -storepass temp123
and checking the alias in the listing.