JKS and JCEKS keystores¶
Background¶
The JKS keystore format is the format that originally shipped with Java. It is implemented by the traditional “Sun” cryptography provider.
JCEKS is an improved keystore format introduced with the Java Cryptography Extension (JCE). It is implemented by the SunJCE cryptography provider.
- JCEKS keystores improve upon JKS keystores in 2 ways:
- A stronger key protection algorithm is used
- They allow for arbitrary (symmetric) secret keys to be stored (e.g. AES, DES, etc.)
Store types¶
-
class
jks.jks.
KeyStore
(store_type, entries)[source]¶ Bases:
jks.util.AbstractKeystore
Represents a loaded JKS or JCEKS keystore.
-
entries
¶ A dictionary of all entries in the keystore, mapped by alias.
-
store_type
¶ A string indicating the type of keystore that was loaded. Can be one of
jks
,jceks
.
-
classmethod
load
(filename, store_password, try_decrypt_keys=True)¶ Convenience wrapper function; reads the contents of the given file and passes it through to
loads()
. Seeloads()
.
-
classmethod
loads
(data, store_password, try_decrypt_keys=True)[source]¶ Loads the given keystore file using the supplied password for verifying its integrity, and returns a
KeyStore
instance.Note that entries in the store that represent some form of cryptographic key material are stored in encrypted form, and therefore require decryption before becoming accessible.
Upon original creation of a key entry in a Java keystore, users are presented with the choice to either use the same password as the store password, or use a custom one. The most common choice is to use the store password for the individual key entries as well.
For ease of use in this typical scenario, this function will attempt to decrypt each key entry it encounters with the store password:
- If the key can be successfully decrypted with the store password, the entry is returned in its decrypted form, and its attributes are immediately accessible.
- If the key cannot be decrypted with the store password, the entry is returned in its encrypted form, and requires a manual follow-up decrypt(key_password) call from the user before its individual attributes become accessible.
Setting
try_decrypt_keys
toFalse
disables this automatic decryption attempt, and returns all key entries in encrypted form.You can query whether a returned entry object has already been decrypted by calling the
is_decrypted()
method on it. Attempting to access attributes of an entry that has not yet been decrypted will result in aNotYetDecryptedException
.Parameters: Returns: A loaded
KeyStore
instance, if the keystore could be successfully parsed and the supplied store password is correct.If the
try_decrypt_keys
parameter was set toTrue
, any keys that could be successfully decrypted using the store password have already been decrypted; otherwise, no atttempt to decrypt any key entries is made.Raises: - BadKeystoreFormatException – If the keystore is malformed in some way
- UnsupportedKeystoreVersionException – If the keystore contains an unknown format version number
- KeystoreSignatureException – If the keystore signature could not be verified using the supplied store password
- DuplicateAliasException – If the keystore contains duplicate aliases
-
classmethod
new
(store_type, store_entries)[source]¶ Helper function to create a new KeyStore.
Parameters: - store_type (string) – What kind of keystore the store should be. Valid options are jks or jceks.
- store_entries (list) – Existing entries that should be added to the keystore.
Returns: A loaded
KeyStore
instance, with the specified entries.Raises: - DuplicateAliasException – If some of the entries have the same alias.
- UnsupportedKeyStoreTypeException – If the keystore is of an unsupported type
- UnsupportedKeyStoreEntryTypeException – If some of the keystore entries are unsupported (in this keystore type)
-
save
(filename, store_password)¶ Convenience wrapper function; calls the
saves()
and saves the content to a file.
-
saves
(store_password)[source]¶ Saves the keystore so that it can be read by other applications.
If any of the private keys are unencrypted, they will be encrypted with the same password as the keystore.
Parameters: store_password (str) – Password for the created keystore (and for any unencrypted keys)
Returns: A byte string representation of the keystore.
Raises: - UnsupportedKeystoreTypeException – If the keystore is of an unsupported type
- UnsupportedKeystoreEntryTypeException – If the keystore contains an unsupported entry type
-
certs
¶ A subset of the
entries
dictionary, filtered down to only those entries of typeTrustedCertEntry
.
-
private_keys
¶ A subset of the
entries
dictionary, filtered down to only those entries of typePrivateKeyEntry
.
-
secret_keys
¶ A subset of the
entries
dictionary, filtered down to only those entries of typeSecretKeyEntry
.
-
Entry types¶
-
class
jks.jks.
TrustedCertEntry
(**kwargs)[source]¶ Bases:
jks.util.AbstractKeystoreEntry
Represents a trusted certificate entry in a JKS or JCEKS keystore.
-
decrypt
(key_password)[source]¶ Does nothing for this entry type; certificates are inherently public data and are not stored in encrypted form.
-
encrypt
(key_password)[source]¶ Does nothing for this entry type; certificates are inherently public data and are not stored in encrypted form.
-
classmethod
new
(alias, cert)[source]¶ Helper function to create a new TrustedCertEntry.
Parameters: Returns: A loaded
TrustedCertEntry
instance, ready to be placed in a keystore.
-
cert
= None¶ A byte string containing the actual certificate data. In the case of X.509 certificates, this is the DER-encoded X.509 representation of the certificate.
-
type
= None¶ A string indicating the type of certificate. Unless in exotic applications, this is usually
X.509
.
-
-
class
jks.jks.
PrivateKeyEntry
(**kwargs)[source]¶ Bases:
jks.util.AbstractKeystoreEntry
Represents a private key entry in a JKS or JCEKS keystore (e.g. an RSA or DSA private key).
-
pkey
¶ Note
Only accessible after a call to
decrypt()
; until then, accessing this attribute will raise aNotYetDecryptedException
. See alsotry_decrypt_keys
onjks.jks.KeyStore.loads()
.A byte string containing the value of the
privateKey
field of the PKCS#8PrivateKeyInfo
representation of the private key. See RFC 5208, section 5: Private-Key Information Syntax.
-
pkey_pkcs8
¶ Note
Only accessible after a call to
decrypt()
; until then, accessing this attribute will raise aNotYetDecryptedException
. See alsotry_decrypt_keys
onjks.jks.KeyStore.loads()
.A byte string containing the DER-encoded PKCS#8
PrivateKeyInfo
representation of the private key. See RFC 5208, section 5: Private-Key Information Syntax.
-
algorithm_oid
¶ Note
Only accessible after a call to
decrypt()
; until then, accessing this attribute will raise aNotYetDecryptedException
. See alsotry_decrypt_keys
onjks.jks.KeyStore.loads()
.A tuple of integers corresponding to the algorithm OID for which the private key is valid.
Common values include:
(1,2,840,113549,1,1,1)
(aliasrsaEncryption
)(1,2,840,10040,4,1)
(aliasid-dsa
).
-
cert_chain
= None¶ A list of tuples, representing the certificate chain associated with the private key. Each element of the list of a 2-tuple containing the following data:
[0]
: A string indicating the type of certificate. Unless in exotic applications, this is usuallyX.509
.[1]
: A byte string containing the actual certificate data. In the case of X.509 certificates, this is the DER-encoded X.509 representation of the certificate.
-
classmethod
new
(alias, certs, key, key_format='pkcs8')[source]¶ Helper function to create a new PrivateKeyEntry.
Parameters: - alias (str) – The alias for the Private Key Entry
- certs (list) – An list of certificates, as byte strings. The first one should be the one belonging to the private key, the others the chain (in correct order).
- key (str) – A byte string containing the private key in the format specified in the key_format parameter (default pkcs8).
- key_format (str) – The format of the provided private key. Valid options are pkcs8 or rsa_raw. Defaults to pkcs8.
Returns: A loaded
PrivateKeyEntry
instance, ready to be placed in a keystore.Raises: UnsupportedKeyFormatException – If the key format is unsupported.
-
decrypt
(key_password)[source]¶ Decrypts the entry using the given password. Has no effect if the entry has already been decrypted.
Parameters: key_password (str) – The password to decrypt the entry with. If the entry was loaded from a JCEKS keystore, the password must not contain any characters outside of the ASCII character set.
Raises: - DecryptionFailureException – If the entry could not be decrypted using the given password.
- UnexpectedAlgorithmException – If the entry was encrypted with an unknown or unexpected algorithm
- ValueError – If the entry was loaded from a JCEKS keystore and the password contains non-ASCII characters.
-
-
class
jks.jks.
SecretKeyEntry
(**kwargs)[source]¶ Bases:
jks.util.AbstractKeystoreEntry
Represents a secret (symmetric) key entry in a JCEKS keystore (e.g. an AES or DES key).
-
algorithm
¶ Note
Only accessible after a call to
decrypt()
; until then, accessing this attribute will raise aNotYetDecryptedException
. See alsotry_decrypt_keys
onjks.jks.KeyStore.loads()
.A string containing the name of the algorithm for which the key is valid, as known to the Java cryptography provider that supplied the corresponding SecretKey object.
-
key
¶ Note
Only accessible after a call to
decrypt()
; until then, accessing this attribute will raise aNotYetDecryptedException
. See alsotry_decrypt_keys
onjks.jks.KeyStore.loads()
.A byte string containing the raw secret key.
-
key_size
¶ Note
Only accessible after a call to
decrypt()
; until then, accessing this attribute will raise aNotYetDecryptedException
. See alsotry_decrypt_keys
onjks.jks.KeyStore.loads()
.An integer containing the size of the key, in bits. For DES and 3DES keys, the sizes 64 bits resp. 192 bits are returned.
-
classmethod
new
(alias, sealed_obj, algorithm, key, key_size)[source]¶ Helper function to create a new SecretKeyEntry.
Returns: A loaded SecretKeyEntry
instance, ready to be placed in a keystore.
-
decrypt
(key_password)[source]¶ Decrypts the entry using the given password. Has no effect if the entry has already been decrypted.
Parameters: key_password (str) – The password to decrypt the entry with. Must not contain any characters outside of the ASCII character set.
Raises: - DecryptionFailureException – If the entry could not be decrypted using the given password.
- UnexpectedAlgorithmException – If the entry was encrypted with an unknown or unexpected algorithm
- ValueError – If the password contains non-ASCII characters.
-