
Support JKS stores

Open elyscape opened this issue 7 years ago • 4 comments

The documentation indicates that certigo supports both JKS and JCEKS keystore files, but it appears to only support JCEKS files:

scapeless:jkstest elyscape$ keytool -genkeypair -keystore keystore.jks -storepass password -keypass password -alias selfsigned -keyalg RSA -keysize 2048 -validity 365 -dname CN=selfsigned
scapeless:jkstest elyscape$ certigo dump keystore.jks -p password
scapeless:jkstest elyscape$ certigo dump keystore.jks -p password -j
{"certificates":[]}
scapeless:jkstest elyscape$ keytool -list -keystore keystore.jks -storepass password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

selfsigned, Mar 15, 2017, PrivateKeyEntry, 
Certificate fingerprint (SHA1): F5:38:97:C4:D9:78:7C:0D:A8:12:1A:7E:C8:EE:28:3C:5F:22:5A:CB

By contrast, if I convert the same keystore into a JCEKS file:

scapeless:jkstest elyscape$ keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jceks -deststoretype JCEKS -srcstorepass password -deststorepass password
Entry for alias selfsigned successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
scapeless:jkstest elyscape$ certigo dump keystore.jceks -p password
** CERTIFICATE 1 **
Valid: 2017-03-15 18:29 UTC to 2018-03-15 18:29 UTC
Subject: CN=selfsigned
Issuer: CN=selfsigned

I created the keystore files using the version of keytool provided with Java 1.8u112:

scapeless:jkstest elyscape$ java -version
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b16, mixed mode)

If you want to test with the keystore files I generated here, I've attached them in this zip file.

elyscape, Mar 15 '17 18:03

I think your example shows the opposite of what the first line of your message says? It appears to be dumping the JCEKS file, and not the JKS file.

We implemented the JCEKS and JKS formats ourselves, so it's certainly possible this is buggy. We don't really use JKS files, so I'm not sure how much testing it's gotten (the jks/jceks code was written for another project, some years ago). Maybe we should remove language claiming JKS support until we've actually tested it.

mcpherrinm, Mar 15 '17 19:03

> I think your example shows the opposite of what the first line of your message says? It appears to be dumping the JCEKS file, and not the JKS file.

Oops. Fixed the first sentence.

elyscape, Mar 15 '17 20:03

Remove from README: https://github.com/square/certigo/pull/134

mcpherrinm, Mar 15 '17 21:03

Copying a comment from #134:

It works for some JKS files; it depends on the algorithm that was used for shrouding.

In particular we don't support the old "password protection" algorithm. I've been looking at PyJKS and it looks straightforward to support.

mcpherrinm, Oct 17 '18 01:10
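Added example (not certigo's code, nor from the thread): a small Go walker over the JKS container that reports, per PrivateKeyEntry, the OID of the algorithm shrouding the key, so you can tell before running a tool whether a store uses the old Sun "password protection" protector mentioned in the comment above. It assumes the JKS v2 layout (magic 0xFEEDFEED, big-endian fields, writeUTF strings, 4-byte-length blobs, an RFC 5208 EncryptedPrivateKeyInfo per key entry) and the Sun protector OID 1.3.6.1.4.1.42.2.17.1.1 from the JDK's KeyProtector; the embedded sample keystore is constructed by hand and its trailing integrity digest is not verified.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// Sun's proprietary JKS key protector OID, the "password protection" algorithm named above.
var OIDSunKeyProtector = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 42, 2, 17, 1, 1}
// Constructed sample: one PrivateKeyEntry "selfsigned" under the Sun protector; ciphertext, cert and digest are dummies.
var SampleJKS, _ = hex.DecodeString("feedfeed" + "00000002" + "00000001" + // magic, version, entry count
	"00000001" + "000a" + "73656c667369676e6564" + "0000015ad50a1c00" + // tag 1, alias, creation time
	"00000018" + "3016300e060a2b060104012a0211010105000404deadbeef" + // EncryptedPrivateKeyInfo
	"00000001" + "0005" + "582e353039" + "00000003" + "010203" + // chain of one: "X.509", 3 bytes
	"0000000000000000000000000000000000000000") // SHA-1 integrity digest, not verified here
// KeyProtectors maps each PrivateKeyEntry alias in a JKS v2 file to the OID shrouding its key.
func KeyProtectors(data []byte) (out map[string]asn1.ObjectIdentifier, err error) {
	out, pos := map[string]asn1.ObjectIdentifier{}, 0
	take := func(n int) []byte { // next n bytes; a short read records err and yields zeros
		if n < 0 || pos+n > len(data) {
			err = fmt.Errorf("need %d bytes at offset %d, file has %d", n, pos, len(data))
			return make([]byte, 8)
		}
		pos += n
		return data[pos-n : pos]
	}
	be := func(w int) (n int) { for _, b := range take(w) { n = n<<8 | int(b) }; return } // w-byte big-endian uint
	if magic, version := be(4), be(4); magic != 0xFEEDFEED || version != 2 {
		return nil, fmt.Errorf("not a JKS v2 keystore (magic %#x, version %d)", magic, version)
	}
	for n := be(4); n > 0 && err == nil; n-- {
		tag, alias, _ := be(4), string(take(be(2))), take(8) // tag, writeUTF alias, 8-byte creation time
		certs := 1                                          // a TrustedCertificateEntry (tag 2) carries one certificate
		if tag == 1 { // PrivateKeyEntry: EncryptedPrivateKeyInfo, then its certificate chain
			var epki struct{ Algo pkix.AlgorithmIdentifier; Data []byte }
			if _, e := asn1.Unmarshal(take(be(4)), &epki); err == nil && e != nil {
				return nil, fmt.Errorf("%s: bad EncryptedPrivateKeyInfo: %v", alias, e)
			}
			out[alias], certs = epki.Algo.Algorithm, be(4)
		} else if tag != 2 {
			return nil, fmt.Errorf("%s: unknown entry tag %d", alias, tag)
		}
		for ; certs > 0 && err == nil; certs-- { // each certificate: type string ("X.509"), then DER
			_, _ = take(be(2)), take(be(4))
		}
	}
	return out, err
}
```

Comparing each returned OID against OIDSunKeyProtector tells you which entries a reader lacking that protector will fail on; a JCEKS store (magic 0xCECECECE) is rejected up front because it stores keys in a different structure.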