Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Specification of JKS key store format

I was wondering if there exists an official specification of the JKS key store format used in Java? I'd like to write a converter from/to PKCS#12, but not in Java, so keytool or Java code is not an option unfortunately.

Looking at one in a hex editor tells me that it's probably not ASN.1. Before I start digging into OpenJDK, trying to reverse-engineer the format, does anyone know if there exists a spec maybe? I couldn't find anything so far, any help would be much appreciated!

like image 500
emboss Avatar asked May 31 '12 18:05

emboss


People also ask

What is JKS file format?

A Java keystore (JKS) file is a secure file format used to hold certificate information for Java applications.

What is JKS keystore type?

A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in TLS encryption. In IBM WebSphere Application Server and Oracle WebLogic Server, a file with extension jks serves as a keystore.

Is the .JKS file keystore file?

The Java KeyStore (JKS) system is provided as part of your Java installation. Private keys and certificates for your server are stored in a keystore file.


1 Answers

I think you should start your research at JDK sources. There are some very useful comments there. E.g.

/*
         * KEYSTORE FORMAT:
         *
         * Magic number (big-endian integer),
         * Version of this file format (big-endian integer),
         *
         * Count (big-endian integer),
         * followed by "count" instances of either:
         *
         *     {
         *      tag=1 (big-endian integer),
         *      alias (UTF string)
         *      timestamp
         *      encrypted private-key info according to PKCS #8
         *          (integer length followed by encoding)
         *      cert chain (integer count, then certs; for each cert,
         *          integer length followed by encoding)
         *     }
         *
         * or:
         *
         *     {
         *      tag=2 (big-endian integer)
         *      alias (UTF string)
         *      timestamp
         *      cert (integer length followed by encoding)
         *     }
         *
         * ended by a keyed SHA1 hash (bytes only) of
         *     { password + whitener + preceding body }
         */
like image 112
Konstantin V. Salikhov Avatar answered Sep 29 '22 14:09

Konstantin V. Salikhov