Problems while generating java keystore while using the extension decentralized-identity with vault-filesystem

[MUsman1992]

I am investigating decentralized-identity extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/iam/decentralized-identity I am also using vault-filesystem extension to load private and public keys that will be placed in the Java Key Store. The private key will be used to sign JWT that will be sent to the provider. Now I am facing an issue. I have tried to generate Elliptic Curve Private and Public keys. After this, I generated certificate and created a Java Key Store (JKS) with this same private key and certificate. I have used the following commands to generate a keystore:

openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem
openssl ec -in private-key.pem -pubout -out public-key.pem
openssl req -new -x509 -key private-key.pem -out cert.pem -days 360
openssl pkcs12 -export -inkey private-key.pem -in cert.pem -name consumer-connector -out vault-filesystem-keystore.p12
keytool -importkeystore -srckeystore vault-filesystem-keystore.p12 -srcstoretype pkcs12 -destkeystore vault-filesystem-keystore.jks

Now the problem is that when I try to export private key that was generated using first command from the Java Keystore, the exported key does not match the actual private key due to which I am getting some errors and the code fails while parisng the keys.

org.eclipse.edc.spi.system.injection.EdcInjectionException: java.lang.reflect.InvocationTargetException
	at org.eclipse.edc.spi.system.injection.ProviderMethod.invoke(ProviderMethod.java:66)
	at org.eclipse.edc.boot.system.injection.lifecycle.RegistrationPhase.invokeAndRegister(RegistrationPhase.java:51)
	at org.eclipse.edc.boot.system.injection.lifecycle.RegistrationPhase.lambda$invokeProviderMethods$0(RegistrationPhase.java:45)
	at java.base/java.lang.Iterable.forEach(Iterable.java:75)
	at org.eclipse.edc.boot.system.injection.lifecycle.RegistrationPhase.invokeProviderMethods(RegistrationPhase.java:45)
	at org.eclipse.edc.boot.system.injection.lifecycle.ExtensionLifecycleManager.provide(ExtensionLifecycleManager.java:70)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
	at org.eclipse.edc.boot.system.ExtensionLoader.bootServiceExtensions(ExtensionLoader.java:67)
	at org.eclipse.edc.boot.system.runtime.BaseRuntime.bootExtensions(BaseRuntime.java:152)
	at org.eclipse.edc.boot.system.runtime.BaseRuntime.boot(BaseRuntime.java:222)
	at org.eclipse.edc.boot.system.runtime.BaseRuntime.boot(BaseRuntime.java:87)
	at org.eclipse.edc.boot.system.runtime.BaseRuntime.main(BaseRuntime.java:75)
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.eclipse.edc.spi.system.injection.ProviderMethod.invoke(ProviderMethod.java:61)
	... 20 more
Caused by: org.eclipse.edc.spi.EdcException: com.nimbusds.jose.JOSEException: unable to convert key pair: java.security.InvalidKeyException: EC domain parameters must be encoded in the algorithm identifier
	at org.eclipse.edc.iam.did.IdentityDidCoreExtension.lambda$registerParsers$1(IdentityDidCoreExtension.java:74)
	at org.eclipse.edc.spi.security.AbstractPrivateKeyResolver$1.parse(AbstractPrivateKeyResolver.java:53)
	at org.eclipse.edc.vault.filesystem.FsPrivateKeyResolver.resolvePrivateKey(FsPrivateKeyResolver.java:74)
	at org.eclipse.edc.iam.did.service.DecentralizedIdentityServiceExtension.identityService(DecentralizedIdentityServiceExtension.java:64)
	... 25 more
Caused by: com.nimbusds.jose.JOSEException: unable to convert key pair: java.security.InvalidKeyException: EC domain parameters must be encoded in the algorithm identifier
	at com.nimbusds.jose.jwk.PEMEncodedKeyParser.parseKeys(PEMEncodedKeyParser.java:108)
	at com.nimbusds.jose.jwk.JWK.parseFromPEMEncodedObjects(JWK.java:781)
	at org.eclipse.edc.iam.did.IdentityDidCoreExtension.lambda$registerParsers$1(IdentityDidCoreExtension.java:71)
	... 28 more
Caused by: org.bouncycastle.openssl.PEMException: unable to convert key pair: java.security.InvalidKeyException: EC domain parameters must be encoded in the algorithm identifier
	at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyPair(Unknown Source)
	at com.nimbusds.jose.jwk.PEMEncodedKeyParser.toKeyPair(PEMEncodedKeyParser.java:131)
	at com.nimbusds.jose.jwk.PEMEncodedKeyParser.parseKeys(PEMEncodedKeyParser.java:95)
	... 30 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: EC domain parameters must be encoded in the algorithm identifier
	at jdk.crypto.ec/sun.security.ec.ECKeyFactory.engineGeneratePublic(ECKeyFactory.java:157)
	at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:352)
	... 33 more
Caused by: java.security.InvalidKeyException: EC domain parameters must be encoded in the algorithm identifier
	at jdk.crypto.ec/sun.security.ec.ECPublicKeyImpl.parseKeyBits(ECPublicKeyImpl.java:103)
	at java.base/sun.security.x509.X509Key.decode(X509Key.java:390)
	at java.base/sun.security.x509.X509Key.decode(X509Key.java:401)
	at jdk.crypto.ec/sun.security.ec.ECPublicKeyImpl.<init>(ECPublicKeyImpl.java:71)
	at jdk.crypto.ec/sun.security.ec.ECKeyFactory.implGeneratePublic(ECKeyFactory.java:219)
	at jdk.crypto.ec/sun.security.ec.ECKeyFactory.engineGeneratePublic(ECKeyFactory.java:153)
	... 34 more

Process finished with exit code -1

I have also used KeyStore Explorer Tool to confirm this. When I open my java keystore in Keystore Explorer and try to export the private key after selecting "OpenSSL" as the Export Private Key Option as can be seen in the below image, the private key that I exported is not equal to the private key that was generated in the beginning

There is also a keystore https://github.com/eclipse-edc/Connector/blob/main/extensions/common/vault/vault-filesystem/src/test/resources/edc-test-keystore.jks that has been already created for test cases in this project. For that Java Keystore the test cases are working fine. Can anyone tell me what I am doing wrong and how I can generate a java keystore. What steps did you follow to create it? I have already invested a lot of time figuring out this problem and could not find asolution yet. Thanks

[MUsman1992]

Finally, I have solved the problem. Instead of using the commands, in the end I had to generate keypairs using Keystore Explorer and now things are working. Now my private key loads successfully in my application. Still could not figure out why the loaded key does not match the actual private key if I create java keystore (.jks) using the above commands but anyway I have found another way to fix it
.