Monday, February 8, 2010

KeyStore and KeyTool

KeyStore

A storage/repository to store/retrieve key entries based on a provider format. This entry can be stored in three different format

KeyStore.PrivateKeyEntry
represents Privatekey entry which will be stored and protected from unauthorized access. This key used to singing and decrypting the message. This key is accompanied by a Publickey.
KeyStore.SecretKeyEntry
entry holds javax.crypto.SecretKey
KeyStore.TrustedCertificateEntry
entry contains a single public key Certificate belonging to another party

KeyTool

As part of JAVA SE, the keytool is shipped which helps to create keystore, import/export/print certificates and etc.,. Following are the list of operations possible to using keytool

  • -certreq
  • -changealias
  • -delete
  • -exportcert
  • -genkeypair
  • -genseckey
  • -help
  • -importcert
  • -importkeystore
  • -keypasswd
  • -list
  • -printcert
  • -storepasswd

Sample Keystore

Create keystore with RSA algorithm, where JAVA_HOME/bin folder is set in PATH environment variable


keytool -genkey -keystore keystore.jks -keyalg rsa -alias mykey
Enter keystore password: welcome1
Re-enter new password: welcome1
What is your first and last name?
  [Unknown]:  my.org
What is the name of your organizational unit?
  [Unknown]:  myorg
What is the name of your organization?
  [Unknown]:  myorg
What is the name of your City or Locality?
  [Unknown]:  blr
What is the name of your State or Province?
  [Unknown]:  ka
What is the two-letter country code for this unit?
  [Unknown]:  in
Is CN=my.org, OU=myorg, O=myorg, L=blr, ST=ka, C=in correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password): welcome2
Re-enter new password: welcome2
Export Certificate
keytool -export -alias mykey -keystore keystore.jks -keyalg rsa -file myorg_public.cer
Import Certificate
keytool -import -alias mykey -keystore keystore.jks -keyalg rsa -file myorg_public.cer
List Certificate
keytool -list -keystore keystore.jks -keyalg rsa
JarSigner - If we want to ship jars and monitor that whether it get tempared in medium.
jarsigner -keystore keystore.jks -storepass welcome1 -keypass welcome2 -signedjar smycode.jar mycode.jar mykey

KeyStore in JAVA Object

java.security.KeyStore class loads keysore file and provides APIs to do the above listed operations.


private KeyStore getKeyStore()
 {
  try
  {
   KeyStore ks = KeyStore.getInstance("JKS");
   ks.load(new FileInputStream("keystore.jks"), "welcome1");
   return ks;
  }catch (Exception e)
  {
   System.out.println(e.getLocalizedMessage());
  }
  return null;
 }

Oracle PKI key store will be loaded using following code


private KeyStore getOracleKeyStore()
 {
  try
  {
  Security.addProvider(new oracle.security.pki.OraclePKIProvider());
   KeyStore ks = KeyStore.getInstance("PKCS12", "OraclePKI");
   ks.load(new FileInputStream("keystore.jks"), "welcome1");
   return ks;
  }catch (Exception e)
  {
   System.out.println(e.getLocalizedMessage());
  }
  return null;
 }

While creating keystore file, we have to pass oracle.security.pki.OraclePKIProvider as a provider class to the keytool command.

Sun Key Store:
keytool -genkey -keystore keystore.jks -keyalg rsa -alias mykey -providerName SUN -providerClass sun.security.provider.Sun

Reactions:

1 comments:

Post a Comment

Recent Posts

Unix Commands | List all My Posts

Texts

This blog intended to share the knowledge and contribute to JAVA Community such a way that by providing samples and pointing right documents/webpages. We try to give our knowledege level best and no guarantee can be claimed on truth. Copyright and Terms of Policy refer blogspot.com

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More