Java KeyStore vs OpenSSL implementations of pkcs12 files - They seem to differ. Do they?


I generated a pkcs12 keystore in Java and wanted to inspect it with OpenSSL, but OpenSSL threw back an error. After a bit of head scratching I realized that the KeyStore format in Java allows you to have different passwords on the store itself and the pkcs8 encrypted key inside, while OpenSSL seems to assume that both passwords have to be the same. I can easily inspect a pkcs12 file created in Java if both the file and key passwords are the same, but get an error when they differ:

    Bag Attributes
        friendlyName: usercert
        localKeyID: 54 69 6D 65 20 31 35 38 38 30 32 32 30 31 38 30 37 31
    Error outputting keys and certificates
    139815467680960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
    139815467680960:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:62:
    139815467680960:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:93:

Have I missed something or is it correct to say that the pkcs12 implementations differ slightly?

I’m looking for a way to be able to inspect pkcs12 files with OpenSSL where the two passwords differ. Any help would be appreciated.
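
The store/key password split described in the question, as an added example that is not part of the original post: this Java program loads a PKCS#12 file with its store password, recovers each private key with the separate key password, and writes a copy in which both passwords are the same, which is the case the question reports OpenSSL can read. The class name `UnifyP12Passwords` and the file arguments are hypothetical, and it assumes every key entry shares one key password.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example, not code from the original post.
public class UnifyP12Passwords {

    // Copy every entry into a fresh PKCS#12 store, re-protecting private keys
    // with the store password instead of their own key password.
    static KeyStore unify(KeyStore src, char[] storePass, char[] keyPass) throws Exception {
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null); // initialise an empty in-memory store
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // Throws UnrecoverableKeyException if keyPass is wrong.
                Key key = src.getKey(alias, keyPass);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, storePass, chain);
            } else {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dst;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (from a terminal): java UnifyP12Passwords <in.p12> <out.p12>");
            System.exit(2);
        }
        // Prompt instead of taking passwords as arguments, so they do not
        // end up in shell history or the process list.
        char[] storePass = console.readPassword("Store password: ");
        char[] keyPass = console.readPassword("Key password: ");
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) { src.load(in, storePass); }
        KeyStore dst = unify(src, storePass, keyPass);
        try (OutputStream out = new FileOutputStream(args[1])) { dst.store(out, storePass); }
        Arrays.fill(storePass, '\0');
        Arrays.fill(keyPass, '\0');
    }
}
```

The output file holds the same private keys under a single password, so it needs the same file permissions and handling as the original.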