BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339
Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Beginning Cryptography with Java section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

June 19th, 2011, 11:00 PM
Authorized User
How to save public key in keystore using keytool?
To save a public key txt file in a keystore, do we first need to change it into .cert and then import it into the keystore?
If yes, how do we change the public key txt file into .cert?
What would be the programmatic way to access the public key when required in the BC runtime?

June 20th, 2011, 12:36 AM
Wrox Author
To produce a certificate file from a public key you need someone to produce a certificate based on that public key. Normally this is done via a certification request such as the PKCS#10 one that the -certreq keytool option generates.
There's a discussion with Java and command line examples of using key stores in Chapter 8, but the short answer is java.security.cert.X509Certificate.getPublicKey(), however a lot of APIs will accept an X509Certificate in place of a public key.
Regards,
David

June 21st, 2011, 11:51 AM
Authorized User
If I see this command, there is no place to specify the public key file?
Also, when it comes to certificates, they talk about a private key too; in my case I've only a public key to save in the certificate, there is no private key with me.
-certreq {-alias alias} {-sigalg sigalg} {-file certreq_file} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] [-provider provider_class_name] {-v} {-Jjavaoption}

June 21st, 2011, 08:10 PM
Wrox Author
With the keytool command, it's actually used to generate a certificate request from a public/private key pair already in the keystore. In this case the assumption is that the public key has already been saved as a self-signed certificate.
If all you have is a public key certificate to store, in Java parlance this is what you'd call a "trusted certificate", as in a third party certificate whose public key you are using to verify signatures or encrypt data with. You can deal with this using the commands for importing a certificate.
Regards,
David
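Added example, not part of the thread or the book: storing a certificate with no private key as a "trusted certificate" entry and reading its public key back with X509Certificate.getPublicKey(), as the two replies above describe. The class name, alias, password and the self-signed "vendor" certificate are constructed for illustration; it assumes the Bouncy Castle bcprov and bcpkix jars are on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class TrustedCertDemo {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the third party: in practice they keep the
        // private key and send you only the certificate file.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();
        X500Name dn = new X500Name("CN=Constructed Vendor");
        Date from = new Date(System.currentTimeMillis() - 60_000L);
        Date to = new Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000);
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(dn, BigInteger.ONE, from, to, dn, vendor.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(vendor.getPrivate())));

        // Certificate-only entry; the keytool equivalent is the -importcert command.
        char[] pass = "changeit".toCharArray();   // sample password
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // start from an empty keystore
        ks.setCertificateEntry("vendor", cert);   // no private key is stored
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);

        // Later, at runtime: reload the keystore and pull the public key out.
        KeyStore loaded = KeyStore.getInstance(KeyStore.getDefaultType());
        loaded.load(new ByteArrayInputStream(out.toByteArray()), pass);
        X509Certificate trusted = (X509Certificate) loaded.getCertificate("vendor");
        trusted.checkValidity();                  // throws if expired or not yet valid
        PublicKey pub = trusted.getPublicKey();

        // Use the recovered key to verify a signature made by the vendor.
        byte[] msg = "constructed message".getBytes("UTF-8");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendor.getPrivate()); s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(pub); s.update(msg);
        System.out.println("trusted entry: " + loaded.isCertificateEntry("vendor"));
        System.out.println("signature ok:  " + s.verify(sig));
    }
}
```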

June 21st, 2011, 10:39 PM
Authorized User
Thanks.
Can you point me to the code that I can use to generate the trusted certificate from the public key file?

June 22nd, 2011, 12:35 AM
Wrox Author
I'd need to know what's in the file. You'd have to load it first, and it may already be a certificate. Assuming it is only a public key, you'd also have to decide what to sign it with.
Regards,
David

June 22nd, 2011, 09:53 AM
Authorized User
Thanks.
The public key file is generated by Version: GnuPG v1.2.4 (SunOS).
It is a DSA 1024-bit key. We have to sign with our own generated public-private key (ELG-E 2048 bits).
The vendor public key and our public-private key should live in the keystore.

June 22nd, 2011, 02:04 PM
Authorized User
I realized that in the Kleopatra tool, the keys themselves are certificates also. But these are PGP certificates.
Keytool does not allow saving a PGP certificate. So how would I save a PGP certificate in keytool? Can some conversion be done to X.509, or is there any other hint you can give?

June 22nd, 2011, 06:13 PM
Wrox Author
You can't really convert them to X.509 (well not in any meaningful sense). It's not actually possible to sign something with an ElGamal key either.
It sounds a lot like you'd be better off using a PGPKeyRing. While it's not covered in the book there is actually an API for OpenPGP in Bouncy Castle. You'll find it in the bcpg* packages in the latest releases area on the BC website. There are a set of examples in the org.bouncycastle.openpgp.examples package which are available in the source distribution (bcpg*.zip or bcpg*.tar.gz depending on your preference).
I'd recommend you look at that.
Regards,
David

June 22nd, 2011, 11:09 PM
Authorized User
Thanks.
Yes, I've seen PGPKeyring, this is used to read the public key. I was looking for a safe haven where the PGP public key can be saved. It seems I don't have any option except to save it in the gpg DB.