Java Keys, nCipher and the mysterious InvalidKeyException

I recently stumbled upon this rather pesky issue using Java JDK 6, and I figured it would be something interesting that other people may appreciate a solution for.

 

I followed the nCipher instructions to a T on how to set up the Java JCE provider. Upon trying to generate keys using KeyTool.exe, I noticed that I was getting a java.security.InvalidKeyException. This is weird, as it only happens with SHA-256 CSRs and not with SHA-1. Upon further investigation we found out that the problem is the order of the providers in the java.security file. Even though nCipher advertises setting its provider in the #1 spot, adding it to the last spot resolved this issue.

 

Update on 6/2016: From reviewing the latest user manuals and some field experience, the recommendation is to follow the user guide, which would warrant the provider to be in the first spot. Below is a representative example.

#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ncipher.provider.km.nCipherKM
security.provider.2=sun.security.provider.Sun
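
To see how the running JVM actually resolved the order configured above, the following added example (not from the original post or from nCipher's documentation) lists the installed providers in preference order and shows which of them offer the SHA-1 and SHA-256 RSA signature algorithms. The class name ProviderOrderCheck is hypothetical; it uses only standard java.security calls.

```java
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Added diagnostic example; the class name is hypothetical.
public class ProviderOrderCheck {
    // Signature algorithms behind the two CSR types mentioned in the post.
    private static final String[] SIG_ALGS = { "SHA1withRSA", "SHA256withRSA" };

    public static void main(String[] args) throws Exception {
        // Security.getProviders() returns providers in preference order,
        // i.e. the effective security.provider.N ordering.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            StringBuilder line = new StringBuilder();
            line.append(i + 1).append(". ").append(p.getName())
                .append(" (").append(p.getClass().getName()).append(")");
            for (int j = 0; j < SIG_ALGS.length; j++) {
                // getService returns null when the provider does not
                // register this Signature algorithm.
                boolean offered = p.getService("Signature", SIG_ALGS[j]) != null;
                line.append("  ").append(SIG_ALGS[j]).append('=')
                    .append(offered ? "yes" : "no");
            }
            System.out.println(line);
        }

        // The provider the JCA reports for each algorithm when none is
        // named explicitly and no key has been supplied yet.
        for (int j = 0; j < SIG_ALGS.length; j++) {
            Signature s = Signature.getInstance(SIG_ALGS[j]);
            System.out.println(SIG_ALGS[j] + " default provider: "
                + s.getProvider().getName());
        }
    }
}
```

Run it with the same JRE that keytool uses, once with each ordering, and compare which provider is reported for SHA256withRSA.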