Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a command line tool to generate symmetric keys in a Java keystore?

I am writing a procedure about key renewing for my application. This procedure will be executed by a sysadmin every year or so.

In my application, there is a symmetric key used to cipher some data before storing it in the database. This key is stored in a Java keystore.

When the application must store some data in the database in a ciphered way, the key alias to use is read from a configuration file, the key is read from the Java keystore with this key alias, the data is ciphered with the key and I store everything in the database: the key alias, the Initialization Vector and the ciphered data, all separated with semi-colons.

So the procedure to use another key is straightforward:

  1. generate a new symmetric key in the Java Keystore with another alias
  2. change the configuration file to use this new key alias

But I do not know any command-line tool that can create a symmetric key in a Java keystore. The java keytool utility can only create key pairs.

Is there a command line tool to generate symmetric keys in a Java keystore or should I develop my own tool?

like image 990
cbliard Avatar asked Jan 27 '12 08:01

cbliard


People also ask

What is the purpose of Keytool command line tool?

keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures.

What does Keytool Genkey do?

Whenever you execute a keytool command, defaults are used for unspecified options that have default values, and you are prompted for any required values. For the genkey command, options with default values include alias (whose default is mykey ), validity (90 days), and keystore (the file named .

What is Srcalias Keytool?

If a destination alias is not provided with destalias , then srcalias is used as the destination alias. If the source entry is protected by a password, then srckeypass is used to recover the entry. If srckeypass is not provided, then the keytool command attempts to use srcstorepass to recover the entry.


1 Answers

keytool is able to generate a secret key since Java 6 with the -genseckey command. Here is an excerpt of the Java 6 keytool documentation:

-genseckey {-alias alias} {-keyalg keyalg}
       {-keysize keysize} [-keypass keypass]
       {-storetype storetype} {-keystore keystore}
       [-storepass storepass]
       {-providerClass provider_class_name {-providerArg provider_arg}}
       {-v} {-protected} {-Jjavaoption}

Generates a secret key and stores it in a new KeyStore.SecretKeyEntry identified by alias.

keyalg specifies the algorithm to be used to generate the secret key, and keysize specifies the size of the key to be generated. keypass is a password used to protect the secret key. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore. keypass must be at least 6 characters long.

So the following command will generate a new AES 128 bits key

keytool -genseckey -alias mykey -keyalg AES -keysize 128 \
    -storetype jceks -keystore mykeystore.jks

The keytool command has a typo bug that hides the help information about -genseckey:

% keytool -help
[...]
-genkeypair  [-v] [-protected]
         [-alias <alias>]
         [-keyalg <keyalg>] [-keysize <taille_clé>]
         [-sigalg <sigalg>] [-dname <nomd>]
         [-validity <joursVal>] [-keypass <mot_passe_clé>]
         [-keystore <keystore>] [-storepass <mot_passe_store>]
         [-storetype <storetype>] [-providername <name>]
         [-providerclass <provider_class_name> [-providerarg <arg>]] ...
         [-providerpath <pathlist>]

-genkeypair  [-v] [-protected]
         [-alias <alias>] [-keypass <keypass>]
         [-keyalg <keyalg>] [-keysize <taille_clé>]
         [-keystore <keystore>] [-storepass <mot_passe_store>]
         [-storetype <storetype>] [-providername <name>]
         [-providerclass <provider_class_name> [-providerarg <arg>]] ...
         [-providerpath <pathlist>] 

The -genkeypair command appears twice. In fact the second -genkeypair should be read -genseckey. That's why I did not notice the command.

I have encountered this typo bug with Java 1.6.0_26. I have checkd with the latest Java 6 available (1.6.0_31) and it has the same problem. I have also checked with the latest Java 7 and the documentation problem is fixed:

% java -version
java version "1.7.0_03"
Java(TM) SE Runtime Environment (build 1.7.0_03-b04)
Java HotSpot(TM) Server VM (build 22.1-b02, mixed mode)
% keytool -help
 [...]
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 [...]
like image 56
cbliard Avatar answered Oct 19 '22 16:10

cbliard