I have a Java keystore file using the storetype JCEKS. It contains SecretKeyEntry entries. I would like to be able to dump, from the command line, the actual secret keys stored in this file. I tried this:
    keytool -list -keystore secretkeys.jks -storetype JCEKS

which returned

    Keystore type: JCEKS
    Keystore provider: SunJCE
    Your keystore contains 1 entry
    secret1, May 27, 2016, SecretKeyEntry
But that does not show me the key itself. How can I extract and look at, from the command line, the secret key?
This is not possible with keytool.
Converting the keystore to PKCS#12 and then using OpenSSL to view the key doesn't work either, because this is a symmetric key (SecretKeyEntry).
If you are stuck with the command line, you could write a small Java program that does it. Something like this:
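    import java.io.FileInputStream;
    import java.math.BigInteger;
    import java.security.KeyStore;
    import javax.crypto.SecretKey;
    public class DumpSecretKey {
        public static void main(String[] args) throws Exception {
            String fileName = "secretkey.ks";
            char[] password = "mypassword".toCharArray();
            String alias = "secret1";
            KeyStore ks = KeyStore.getInstance("JCEKS");
            try (FileInputStream fis = new FileInputStream(fileName)) {
                ks.load(fis, password);
                SecretKey secretKey = (SecretKey) ks.getKey(alias, password); // entry password = store password
                // Hex output via BigInteger omits leading zero digits of the key.
                System.out.println(new BigInteger(1, secretKey.getEncoded()).toString(16));
            }
        }
    }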
This prints out the secret key as a hex string (toString() with radix 16).
Or you could use the GUI program KeyStore Explorer.
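A generalization of the snippet in the answer above, as an added example (not code from the original post): it lists every SecretKeyEntry in a JCEKS keystore, prompts for the passwords instead of hard-coding them, and hex-encodes byte by byte so that leading zero bytes of a key are preserved. The class name ListSecretKeys, the alias demo1 and the demo password are assumptions; with no argument it runs against a constructed in-memory keystore.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class ListSecretKeys {
    // Hex-encode every byte, so leading 0x00 bytes are kept (BigInteger.toString(16) drops them).
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Print alias, algorithm, length and key material of each SecretKeyEntry.
    static void dump(InputStream in, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(in, storePass);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) continue; // skip certs/private keys
            SecretKey k = (SecretKey) ks.getKey(alias, keyPass);
            byte[] raw = k.getEncoded();
            System.out.printf("%s %s %d-bit %s%n", alias, k.getAlgorithm(), raw.length * 8, hex(raw));
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) { // real keystore: prompt instead of hard-coding passwords
            Console c = System.console();
            if (c == null) throw new IllegalStateException("run from an interactive terminal");
            char[] sp = c.readPassword("Store password: ");
            char[] kp = c.readPassword("Key password (Enter = same as store): ");
            try (InputStream in = new FileInputStream(args[0])) {
                dump(in, sp, kp.length == 0 ? sp : kp);
            }
            return;
        }
        // Constructed demo: in-memory JCEKS store holding an AES key that starts with 0x00 bytes.
        char[] pw = "demo-password".toCharArray();
        byte[] raw = new byte[16];
        raw[15] = 0x2a;
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);
        ks.setEntry("demo1", new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "AES")),
                new KeyStore.PasswordProtection(pw));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        dump(new ByteArrayInputStream(out.toByteArray()), pw, pw);
    }
}
```

On JDK 11 or later the file can be run directly with `java ListSecretKeys.java secretkeys.jks`, without a separate compile step.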