Support JKS stores #131

Open
elyscape opened this issue Mar 15, 2017 · 4 comments

elyscape commented Mar 15, 2017

The documentation indicates that certigo supports both JKS and JCEKS keystore files, but it appears to only support JCEKS files:

```
scapeless:jkstest elyscape$ keytool -genkeypair -keystore keystore.jks -storepass password -keypass password -alias selfsigned -keyalg RSA -keysize 2048 -validity 365 -dname CN=selfsigned
scapeless:jkstest elyscape$ certigo dump keystore.jks -p password
scapeless:jkstest elyscape$ certigo dump keystore.jks -p password -j
{"certificates":[]}
scapeless:jkstest elyscape$ keytool -list -keystore keystore.jks -storepass password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

selfsigned, Mar 15, 2017, PrivateKeyEntry, 
Certificate fingerprint (SHA1): F5:38:97:C4:D9:78:7C:0D:A8:12:1A:7E:C8:EE:28:3C:5F:22:5A:CB
```

By contrast, if I convert the same keystore into a JCEKS file:

```
scapeless:jkstest elyscape$ keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jceks -deststoretype JCEKS -srcstorepass password -deststorepass password
Entry for alias selfsigned successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
scapeless:jkstest elyscape$ certigo dump keystore.jceks -p password
** CERTIFICATE 1 **
Valid: 2017-03-15 18:29 UTC to 2018-03-15 18:29 UTC
Subject: CN=selfsigned
Issuer: CN=selfsigned
```

I created the keystore files using the version of keytool provided with Java 1.8u112:

```
scapeless:jkstest elyscape$ java -version
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b16, mixed mode)
```

If you want to test with the keystore files I generated here, I've attached them in this zip file.

mcpherrinm commented Mar 15, 2017

I think your example shows the opposite of what the first line of your message says? It appears to be dumping the JCEKS file, and not the JKS file.

We implemented the JCEKS and JKS formats ourselves, so it's certainly possible this is buggy. We don't really use JKS files, so I'm not sure how much testing it's gotten (the jks/jceks code was written for another project, some years ago). Maybe we should remove language claiming JKS support until we've actually tested it.

@elyscape

> I think your example shows the opposite of what the first line of your message says? It appears to be dumping the JCEKS file, and not the JKS file.

Oops. Fixed the first sentence.

@mcpherrinm

Remove from README: #134

mcpherrinm commented Oct 17, 2018

Copying a comment from #134:

It works for some JKS files; it depends on the algorithm that was used for shrouding.

In particular we don't support the old "password protection" algorithm. I've been looking at PyJKS and it looks straightforward to support.
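
The distinction this thread turns on (JKS versus JCEKS, and which algorithm shrouds each private key) can be read from a keystore without its password; the Go below is an added example, not certigo's code and not part of the original issue. `Inspect` and the constructed `sample` bytes are hypothetical, and it assumes the "password protection" algorithm mentioned above is the Sun key protector, OID 1.3.6.1.4.1.42.2.17.1.1, with 1.3.6.1.4.1.42.2.19.1 being the JCEKS PBEWithMD5AndTripleDES scheme. It handles version 2 stores only and neither decrypts keys nor checks the trailing integrity digest.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Constructed sample (not the issue's attachment): JKS v2, key entry "selfsigned", dummy ciphertext.
var sample, _ = hex.DecodeString("feedfeed0000000200000001" + "00000001000a73656c667369676e65640000000000000000" +
	"000000183016300e060a2b060104012a0211010105000404deadbeef" + "00000000")

// Inspect maps each private key alias to its protection OID (assumed: ...17.1.1 JKS, ...19.1 JCEKS).
func Inspect(b []byte) (kind string, keys map[string]string, err error) {
	take := func(n int) (out []byte) { // length fields are untrusted: clamp and flag
		if n > len(b) {
			n, err = len(b), fmt.Errorf("truncated keystore")
		}
		out, b = b[:n], b[n:]
		return out
	}
	num := func(n int) int { return int(new(big.Int).SetBytes(take(n)).Int64()) } // big-endian
	kind = map[int]string{0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}[num(4)]
	if kind == "" || num(4) != 2 {
		return "", nil, fmt.Errorf("not a version 2 JKS/JCEKS keystore")
	}
	keys = map[string]string{}
	for count := num(4); count > 0 && err == nil; count-- {
		tag, alias, certs := num(4), string(take(num(2))), 1
		take(8)       // creation time
		if tag == 1 { // private key: EncryptedPrivateKeyInfo, then chain length
			var epki struct{ Algo pkix.AlgorithmIdentifier; Data []byte }
			if _, err = asn1.Unmarshal(take(num(4)), &epki); err != nil {
				return kind, keys, err
			}
			keys[alias], certs = epki.Algo.Algorithm.String(), num(4)
		} else if tag != 2 { // 2 is a trusted certificate entry
			return kind, keys, fmt.Errorf("entry %q: unsupported tag %d", alias, tag)
		}
		for ; certs > 0 && err == nil; certs-- {
			take(num(2)) // certificate type, e.g. "X.509"
			take(num(4)) // DER certificate
		}
	}
	return kind, keys, err
}

func main() { fmt.Println(Inspect(sample)) }
```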
