Solving Invalid secret key format

This error appears when a Java module cannot see the com.sun.crypto.provider package, whose classes a JCEKS keystore needs in order to deserialize its secret-key entries. In a modular class loader such as JBoss Modules a module (here the PicketBox vault) only sees the JDK packages that its module.xml makes visible, and since JDK 8u171 JceKeyStore checks the class of every secret-key entry while loading the file and aborts with “Invalid secret key format” when that class cannot be resolved. The failure therefore typically surfaces right after a JDK update. You will see a stack trace which looks like this:

Caused by: java.io.IOException: Invalid secret key format
        at com.sun.crypto.provider.JceKeyStore.engineLoad(Unknown Source)
        at org.picketbox.util.KeyStoreUtil.getKeyStore(...)
        at org.picketbox.util.KeyStoreUtil.getKeyStore(...)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(...)

One way to solve this issue is to migrate the keystore from JCEKS to PKCS12. JCEKS is a proprietary Sun/Oracle format whose secret-key entries are serialized objects of the com.sun.crypto.provider implementation classes, so it is subject to change whenever you update your JDK. PKCS12 is the standard format (and the JDK's default keystore type since Java 9) and does not depend on those internal classes. After the migration, point the vault configuration (KEYSTORE_URL) at the new file and set its keystore type to PKCS12.

You can use the keytool command line to migrate a keystore from JCEKS to PKCS12:

keytool -importkeystore -srckeystore [KEYSTORE.jceks] -srcstoretype JCEKS -srcstorepass [PASSWORD_JCEKS] -destkeystore [FILE.p12] -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]

Note that the source store type is JCEKS (not JKS: a JKS keystore cannot hold secret-key entries at all). keytool asks for the key password of every secret-key entry whose password differs from the store password; you can pass it with -srckeypass and -destkeypass instead. Afterwards check with keytool -list -v that the secret-key entry (the vault uses the alias “vault”) is present in the PKCS12 file before you switch the vault over to it.
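The same migration done from Java, as an added example that is not code from the original article or from WildFly/PicketBox. It builds a throw-away JCEKS keystore holding one AES secret key (the kind of entry the vault keeps), copies every secret-key entry into a PKCS12 keystore and then reloads the PKCS12 file from disk to verify that the key material round-trips. The file names, the alias “vault”, the AES-128 key and the password “changeit” are assumptions for the demo; the jceProviderVisible() helper is a diagnostic for the class-visibility problem itself and is only meaningful when run with a module or deployment class loader inside the application server.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/*
 * Added example, not code from the original article or from WildFly/PicketBox.
 * Migrates the secret-key entries of a JCEKS keystore into a PKCS12 keystore
 * and verifies the result. Paths, alias and password are assumptions.
 */
public class JceksToPkcs12 {

    static KeyStore load(String type, String path, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            // For a JCEKS file this is the call that fails with
            // "Invalid secret key format" when com.sun.crypto.provider is not visible.
            ks.load(in, storePassword);
        }
        return ks;
    }

    static void store(KeyStore ks, String path, char[] storePassword)
            throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, storePassword);
        }
    }

    /* Copies all SecretKey entries from src into dst, keeping alias and key
     * password, and returns how many were copied. Private-key and certificate
     * entries are deliberately left alone. */
    static int migrateSecretKeys(KeyStore src, KeyStore dst, char[] keyPassword)
            throws GeneralSecurityException {
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPassword);
        int copied = 0;
        for (String alias : Collections.list(src.aliases())) {
            if (src.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                dst.setEntry(alias, src.getEntry(alias, prot), prot);
                copied++;
            }
        }
        return copied;
    }

    /* Post-migration check: the raw key bytes must be identical in both stores. */
    static boolean sameSecretKey(KeyStore a, KeyStore b, String alias, char[] keyPassword)
            throws GeneralSecurityException {
        byte[] ka = a.getKey(alias, keyPassword).getEncoded();
        byte[] kb = b.getKey(alias, keyPassword).getEncoded();
        return ka != null && Arrays.equals(ka, kb);
    }

    /* Diagnostic for the visibility problem: can this class loader resolve the
     * JCE class a JCEKS secret-key entry deserializes into? Run it from inside a
     * WildFly deployment with that deployment's loader; in a plain JVM it is
     * always true. */
    static boolean jceProviderVisible(ClassLoader loader) {
        try {
            Class.forName("com.sun.crypto.provider.SealedObjectForKeyProtector", false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // assumption: store and key password are the same, as vault.sh sets them
        String alias = "vault";                     // assumption: the alias the vault keystore uses
        String jceksPath = "vault.keystore";        // assumption
        String p12Path = "vault.p12";               // assumption

        // 1. Constructed input: a JCEKS keystore with one AES-128 secret key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        KeyStore jceks = KeyStore.getInstance("JCEKS");
        jceks.load(null, null);
        jceks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        store(jceks, jceksPath, password);

        // 2. Migrate: load the JCEKS file, copy its entries into an empty PKCS12 store, write it out.
        KeyStore src = load("JCEKS", jceksPath, password);
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null);
        int copied = migrateSecretKeys(src, dst, password);
        store(dst, p12Path, password);

        // 3. Verify by reloading the PKCS12 file from disk and comparing the key bytes.
        KeyStore check = load("PKCS12", p12Path, password);
        System.out.println("entries copied: " + copied);
        System.out.println("key material identical: " + sameSecretKey(src, check, alias, password));
        System.out.println("JCE provider classes visible: "
                + jceProviderVisible(JceksToPkcs12.class.getClassLoader()));
    }
}
```

Run it with a JDK 8 or later (PKCS12 secret-key entries need Java 8+). The sameSecretKey() check is the important part of a real migration: the vault's data files are encrypted under this key, so confirm the bytes are unchanged before you delete the JCEKS file.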

If your application requires using a JCEKS keystore, then you have to make the com.sun.crypto.provider package visible to the module that loads the keystore, i.e. give it access to the JDK classes exported by the “sun.jdk” module.

If you are using WildFly application server, then you can add a dependency on the “sun.jdk” module inside the <dependencies> element of the module.xml of the module that loads the keystore (for example the one of the “org.picketbox” module). Check first that the sun.jdk module actually exports the com/sun/crypto/provider path (see modules/system/layers/base/sun/jdk/main/module.xml in your server); if it does not, use the system-packages approach described next.

<module name="sun.jdk"/>

Alternatively, if you want to make the “com.sun.crypto.provider” package visible to all WildFly modules and deployments, add it to JBOSS_MODULES_SYSTEM_PKGS (a comma-separated list) in your configuration script (standalone.conf, or domain.conf for a managed domain; the .bat variants on Windows), as follows. This is a broader grant than a single module dependency, so prefer the module.xml change when only one module needs the package:

if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
   JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,com.sun.crypto.provider"
fi