I am making a web service that will store public and private keys for each record in a database table.
The keys are made using Java, but I am unsure whether to create a keystore or place the keys inside fields in the database directly.
What option would you recommend and what are the benefits of each method?
If you use a keystore, you'll be using a database that has been designed to keep encrypted items, such as keys and certificates.
Wherever possible, you shouldn't try and re-invent the wheel. Will a keystore suffice in your problem? If you try and design your own database for storing these artefacts, you're going to have to re-solve problems and issues which were taken into account already when creating databases such as Java's keystore.
You can provide keystores to already existing implementations for data sent over HTTP, which will fetch the keystore and perform all the necessary stuff so you don't have to. For server-side authentication this would be a keystore = KeyStore.getInstance("JKS"), containing all the trusted certificates.
For client-side authentication, if applicable (you need to verify yourself), such implementations also already exist where you just provide your client 'keystore' => this one will contain your certificate and its private key => KeyStore.getInstance("PKCS12")
Then finally you want to store this stuff to the database, and here it gets a bit tricky. Keystores are secured, so you can not just write it away; you have to use keystore.store(OutputStream, password).
What I find best is for instance:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.persistence.*;

@Entity
public class MyKeyStoreClass {
    @Id
    private Long id;
    @Transient
    private KeyStore keyStore;
    // Keystore type ("PKCS12" or "JKS"), persisted so the same type is used on reload
    private String keyStoreType;
    // Note: a password stored in the same row as the keystore bytes protects nothing
    // against someone who can read the table; it only keeps the keystore format happy
    private String passwordForKeyStore;
    @Lob
    private byte[] keyStoreAsBytes;

    @PreUpdate
    @PrePersist
    public void convertKeyStoreToBytes() {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            keyStore.store(out, passwordForKeyStore.toCharArray());
            keyStoreAsBytes = out.toByteArray();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Could not serialize keystore", e);
        }
    }

    @PostLoad
    public void loadKeyStore() {
        if (keyStore == null && keyStoreAsBytes != null) {
            try {
                keyStore = KeyStore.getInstance(keyStoreType);
                keyStore.load(new ByteArrayInputStream(keyStoreAsBytes), passwordForKeyStore.toCharArray());
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException("Could not deserialize keystore", e);
            }
        }
    }
}
The above code is not 100% correct, but it gives you a good idea of what I mean. If you don't work with annotations, you can do it using another approach, but I think my point is clear ;)
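The store/load round trip the answer above relies on, as an added stand-alone example that is not part of the original answer: it builds a PKCS12 keystore, serializes it to the byte[] that would sit in a BLOB column, reloads it, and shows that the wrong password is rejected at load time. It uses a SecretKeyEntry (assumed for illustration) because a PrivateKeyEntry needs a certificate chain that cannot be generated with the standard library alone; the alias and password are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreRoundTrip {

    // Serialize a keystore to the byte[] that would go in a BLOB column.
    static byte[] toBytes(KeyStore ks, char[] password) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Rebuild a keystore from the column bytes. The password is checked against the
    // PKCS12 integrity MAC, so a wrong password fails here, not at first key use.
    static KeyStore fromBytes(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(bytes), password);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "record-42-secret".toCharArray(); // constructed sample value
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty keystore

        // SecretKeyEntry assumed here so the example needs no certificate chain.
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("record-key", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password));

        byte[] column = toBytes(ks, password);            // what gets persisted
        KeyStore reloaded = fromBytes(column, password);  // what @PostLoad rebuilds
        SecretKey back = (SecretKey) reloaded.getKey("record-key", password);
        System.out.println("round trip ok: " + Arrays.equals(key.getEncoded(), back.getEncoded()));

        try {
            fromBytes(column, "wrong".toCharArray());
            System.out.println("unexpected: wrong password accepted");
        } catch (IOException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```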