Monday, November 6, 2017

How to resolve "Could not generate DH keypair" issue faced with WSO2 products

When working with WSO2 products, you might sometimes see the exception below when trying out security scenarios on JDK 1.7.

TID: [0] [AS] [2017-11-07 05:02:26,655] ERROR {org.apache.tomcat.util.net.NioEndpoint$SocketProcessor} -   {org.apache.tomcat.util.net.NioEndpoint$SocketProcessor}
java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1345)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:796)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:68)
    at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1215)
    at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1069)
    at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:896)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:629)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:853)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:851)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1285)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
    ... 5 more
Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
    at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
    ... 17 more

The reason for this is missing JCE policy files in the JDK. To fix it, download the JCE policy files for JDK 7 from [2] and patch the JDK with them; the background is discussed in [1].
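As an added diagnostic that is not part of the original post, the following Java program, run with the same JDK that hosts the WSO2 server, reports whether the unlimited JCE policy is installed and whether the provider serving "EC" accepts the curve named in the trace above (OID 1.2.840.10045.3.1.7 is secp256r1, NIST P-256). The class name JcePolicyCheck is my own choice.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.Cipher;

/**
 * Diagnostic for the "Could not generate DH keypair" handshake failure.
 * Compile and run with the server's JDK:  javac JcePolicyCheck.java && java JcePolicyCheck
 */
public class JcePolicyCheck {
    // OID 1.2.840.10045.3.1.7 from the stack trace is NIST P-256, alias secp256r1.
    static final String CURVE_NAME = "secp256r1";

    public static void main(String[] args) throws Exception {
        // The restricted policy caps AES at 128 bits; the unlimited policy
        // files raise this to Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes == Integer.MAX_VALUE ? " (unlimited policy installed)"
                                               : " (restricted policy)"));

        // Provider order matters: the first provider that claims "EC" serves the
        // TLS handshake. In the trace above that was BouncyCastle, which rejected
        // the named curve.
        System.out.println("Installed providers, in priority order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        System.out.println("EC key pairs are served by: " + kpg.getProvider().getName());
        try {
            // Same operation ECDHCrypt performs during setupEphemeralECDHKeys.
            kpg.initialize(new ECGenParameterSpec(CURVE_NAME));
            kpg.generateKeyPair();
            System.out.println("Curve " + CURVE_NAME + " initialised OK; ECDHE handshakes should work.");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("Curve " + CURVE_NAME + " rejected by "
                    + kpg.getProvider().getName() + ": " + e.getMessage());
        }
    }
}
```

If the curve is rejected, the provider name printed in the last line tells you which provider the handshake is hitting, so you can verify the patched JDK and provider ordering before restarting the server.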

[1] - https://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception?answertab=votes#tab-top
[2] - http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html