Is there a command line tool for creating symmetric keys in a Java keystore?

I am writing a key update procedure for my application. This procedure will be performed by the system administrator every year or so.

My application has a symmetric key used to encrypt some data before storing it in the database. This key is stored in the Java keystore.

When the application needs to store some data in the database in an encrypted way, the key alias used is read from the configuration file, the key is read from the Java keystore using this key alias, the data is encrypted with the key and I store everything in the database: the key alias, the initialization vector and the encrypted data, all separated by semicolons.

Thus, the procedure for using another key is simple:

  • create a new symmetric key in Java Keystore with a different alias
  • modify the configuration file to use this new key alias

But I do not know any command line tool that can create a symmetric key in the Java keystore. The java keytool utility can only create key pairs.

Is there a command line tool for creating symmetric keys in a Java keystore or should I develop my own tool?

+4
1 answer

keytool is able to generate a secret key: since Java 6 there is a genseckey command. Here is an excerpt from the Java 6 keytool documentation:

    -genseckey {-alias alias} {-keyalg keyalg} {-keysize keysize} [-keypass keypass]
               {-storetype storetype} {-keystore keystore} [-storepass storepass]
               {-providerClass provider_class_name {-providerArg provider_arg}}
               {-v} {-protected} {-Jjavaoption}

Generates a secret key and stores it in a new KeyStore.SecretKeyEntry identified by alias.

keyalg specifies the algorithm to be used to generate the secret key, and keysize specifies the size of the key to be generated. keypass is the password used to protect the secret key. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password that is used for the keystore. keypass must be at least 6 characters long.

So the following command will create a new 128-bit AES key:

    keytool -genseckey -alias mykey -keyalg AES -keysize 128 \
            -storetype jceks -keystore mykeystore.jks

The keytool help output has a typo that hides the help information about -genseckey:

    % keytool -help
    [...]
    -genkeypair  [-v] [-protected]
                 [-alias <alias>]
                 [-keyalg <keyalg>] [-keysize <taille_clé>]
                 [-sigalg <sigalg>] [-dname <nomd>]
                 [-validity <joursVal>] [-keypass <mot_passe_clé>]
                 [-keystore <keystore>] [-storepass <mot_passe_store>]
                 [-storetype <storetype>] [-providername <name>]
                 [-providerclass <provider_class_name> [-providerarg <arg>]] ...
                 [-providerpath <pathlist>]

    -genkeypair  [-v] [-protected]
                 [-alias <alias>] [-keypass <keypass>]
                 [-keyalg <keyalg>] [-keysize <taille_clé>]
                 [-keystore <keystore>] [-storepass <mot_passe_store>]
                 [-storetype <storetype>] [-providername <name>]
                 [-providerclass <provider_class_name> [-providerarg <arg>]] ...
                 [-providerpath <pathlist>]

The -genkeypair command appears twice. In fact, the second -genkeypair should read -genseckey. That is why I did not notice the command.

I ran into this typo with Java 1.6.0_26. I checked with the latest version of Java 6 (1.6.0_31) and it has the same problem. I also checked with the latest version of Java 7, and there the documentation problem is fixed:

    % java -version
    java version "1.7.0_03"
    Java(TM) SE Runtime Environment (build 1.7.0_03-b04)
    Java HotSpot(TM) Server VM (build 22.1-b02, mixed mode)
    % keytool -help
    [...]
    -genkeypair     Generates a key pair
    -genseckey      Generates a secret key
    [...]
+7
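As an added example (not code from the question or the answer), the following Java program shows the application side of the scheme the question describes, together with the yearly rotation step that the answer's keytool -genseckey command makes possible: the key is looked up in a JCEKS keystore by alias, each record is stored as "alias;iv;ciphertext", and decryption uses the alias carried in the record, so data written under last year's key stays readable after the configuration is switched to the new alias. The keystore file name, the password "changeit", the aliases and the choice of AES/GCM are assumptions made for the demo; the addKeyLikeKeytool helper only stands in for the administrator's keytool run so the program works offline, and it assumes the key password equals the store password (what keytool does when RETURN is pressed at the keypass prompt). It needs Java 7 or later for GCM.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;

public class KeystoreRotationDemo {
    // Assumed values for the demo; the real deployment reads these from its configuration.
    private static final String STORE_PATH = "mykeystore.jks";
    private static final char[] STORE_PASS = "changeit".toCharArray(); // constructed demo password
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12; // recommended IV size for GCM

    // Loads the JCEKS keystore and returns the secret key stored under the given alias.
    // Key password == store password, matching keytool's default when RETURN is pressed.
    static SecretKey loadKey(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(STORE_PATH)) {
            ks.load(in, STORE_PASS);
        }
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(STORE_PASS);
        KeyStore.Entry entry = ks.getEntry(alias, prot);
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key under alias " + alias);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    // Encrypts with the key the configuration currently names and returns "alias;iv;ciphertext".
    // Base64 never contains ';', so the separator from the question is safe to split on later.
    static String encrypt(String currentAlias, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh random IV per record; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey(currentAlias), new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(currentAlias.getBytes(StandardCharsets.UTF_8)); // bind the alias to the ciphertext
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        return currentAlias + ";" + b64.encodeToString(iv) + ";" + b64.encodeToString(ct);
    }

    // Decrypts using the alias stored in the record, not the one in the configuration,
    // so records written under an older key remain readable after rotation.
    // The authentication tag fails if the record's alias, IV or ciphertext was altered.
    static String decrypt(String record) throws Exception {
        String[] parts = record.split(";", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("malformed record, expected alias;iv;ciphertext");
        }
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] iv = b64.decode(parts[1]);
        byte[] ct = b64.decode(parts[2]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadKey(parts[0]), new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(parts[0].getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    // Stand-in for "keytool -genseckey -alias <alias> -keyalg AES -keysize 128 -storetype jceks":
    // creates the keystore if needed and adds a new 128-bit AES SecretKeyEntry under alias.
    static void addKeyLikeKeytool(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        File f = new File(STORE_PATH);
        if (f.exists()) {
            try (FileInputStream in = new FileInputStream(f)) { ks.load(in, STORE_PASS); }
        } else {
            ks.load(null, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(STORE_PASS));
        try (FileOutputStream out = new FileOutputStream(f)) { ks.store(out, STORE_PASS); }
    }

    public static void main(String[] args) throws Exception {
        addKeyLikeKeytool("key2012");                      // administrator: first key
        String oldRecord = encrypt("key2012", "secret value 1");
        addKeyLikeKeytool("key2013");                      // yearly rotation: new alias ...
        String newRecord = encrypt("key2013", "secret value 2"); // ... and the config now points at it
        System.out.println(decrypt(oldRecord));            // still readable: alias travels with the record
        System.out.println(decrypt(newRecord));
    }
}
```

After the administrator has run the keytool command from the answer, the new entry can be confirmed with `keytool -list -storetype jceks -keystore mykeystore.jks`, which shows it as a SecretKeyEntry. Because the alias is stored with every record, rotation never requires a bulk re-encryption at switch-over time; old keys simply have to stay in the keystore until the records that reference them have been re-encrypted under the current alias.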

Source: https://habr.com/ru/post/1393320/

