[OT] Loading KeyStores, detecting types


[OT] Loading KeyStores, detecting types

Christopher Schultz-2

All,

I've been writing a utility to scan a bunch of arbitrary files for
certificates that are nearing expiration. It's written in Java and it
currently works with PEM-encoded DER files (aka OpenSSL files) and
PKCS12 keystores. I'm sure it would also work with the other flavors
of Java key store, but I haven't (yet) tried them.

What I have noticed is that:

  KeyStore ks = KeyStore.getInstance("JKS");
  ks.load(pkcs12InputStream, null);

...seems to have no problem whatsoever with the fact that the
"keystore type" is JKS but the file being loaded is PKCS12. That makes
sense to me, since the in-memory keystore doesn't really have a
"type": only the on-disk representation of the keystore has a "type", et c.

All of the information I can find online seems to indicate that the
(in-memory) KeyStore "type" must match what you are loading, or you'll
get an exception. But I'm finding that the in-memory type doesn't
matter, and the load works as long as the file is legit.

But the in-memory type doesn't change when the file is loaded. Hmm.

So two off-topic questions:

1. Can I rely on the "type doesn't matter" behavior I'm seeing, or do
I have to loop-over all the supported keystore types, attempting to
(re)load the file each time looking for the right type -- just to be safe?

2. Is there a way to determine the type of file that WAS loaded into a
KeyStore? It seems that there is a magic header I can use if I want to
look at the raw bytes to detect the Java keystore formats (0xfeedfeed,
0xcececece), but I think that's not exactly true for PKCS12 and maybe
some other supported formats. I'd rather not look at the bytes myself
unless it's absolutely necessary.

Thanks,
- -chris



Re: [OT] Loading KeyStores, detecting types

Christopher Schultz-2

All,

On 5/22/20 17:01, Christopher Schultz wrote:

> All,
>
> I've been writing a utility to scan a bunch of arbitrary files for
> certificates that are nearing expiration. It's written in Java and
> it currently works with PEM-encoded DER files (aka OpenSSL files)
> and PKCS12 keystores. I'm sure it would also work with the other
> flavors of Java key store, but I haven't (yet) tried them.
>
> What I have noticed is that:
>
> KeyStore ks = KeyStore.getInstance("JKS");
> ks.load(pkcs12InputStream, null);
>
> ...seems to have no problem whatsoever with the fact that the
> "keystore type" is JKS but the file being loaded is PKCS12. That
> makes sense to me, since the in-memory keystore doesn't really have
> a "type": only the on-disk representation of the keystore has a
> "type", et c.
>
> All of the information I can find online seems to indicate that
> the (in-memory) KeyStore "type" must match what you are loading, or
> you'll get an exception. But I'm finding that the in-memory type
> doesn't matter, and the load works as long as the file is legit.
>
> But the in-memory type doesn't change when the file is loaded.
> Hmm.
>
> So two off-topic questions:
>
> 1. Can I rely on the "type doesn't matter" behavior I'm seeing, or
> do I have to loop-over all the supported keystore types,
> attempting to (re)load the file each time looking for the right
> type -- just to be safe?
Answering my own question, here. Evidently, in Java 1.8 u60 or so,
Oracle added the "keystore.type.compat" security property which
defaults to "true". This allows auto-detection of formats regardless
of the in-memory type.

So it seems that, to be safe, I'll have to iterate through the
supported formats "just in case" because that setting can always be
disabled.

> 2. Is there a way to determine the type of file that WAS loaded
> into a KeyStore? It seems that there is a magic header I can use if
> I want to look at the raw bytes to detect the Java keystore formats
> (0xfeedfeed, 0xcececece), but I think that's not exactly true for
> PKCS12 and maybe some other supported formats. I'd rather not look
> at the bytes myself unless it's absolutely necessary.

I'm still not sure about this.

- -chris

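An added example (not code from the thread or from Chris's utility) of how a scanner like the one described above can choose the KeyStore type from the file's leading bytes, using the JKS/JCEKS magic numbers mentioned in the thread plus a DER-SEQUENCE check for PKCS12 and a PEM armour check, so that loading does not depend on the keystore.type.compat setting. Class and method names are assumptions of this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.time.*;
import java.util.*;

public final class CertExpiryScanner {   // hypothetical class name
    /** JKS and JCEKS start with fixed magic numbers; PKCS12 is a DER SEQUENCE (0x30); PEM is ASCII armour. */
    static String sniffType(byte[] b) {
        if (b.length >= 4) {
            int magic = ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
            if (magic == 0xfeedfeed) return "JKS";
            if (magic == 0xcececece) return "JCEKS";
        }
        if (b.length > 0 && b[0] == 0x30) return "PKCS12";   // DER SEQUENCE: a PKCS12 PFX (or possibly a bare DER certificate)
        String head = new String(b, 0, Math.min(b.length, 16), StandardCharsets.US_ASCII);
        return head.startsWith("-----BEGIN") ? "PEM" : "UNKNOWN";
    }
    /** Loads every certificate in the file. The type comes from the bytes, so keystore.type.compat never matters. */
    static List<X509Certificate> loadCertificates(Path file, char[] password) throws IOException, GeneralSecurityException {
        byte[] bytes = Files.readAllBytes(file);
        String type = sniffType(bytes);
        List<X509Certificate> certs = new ArrayList<>();
        if (type.equals("PEM")) {   // certificate-only PEM bundle; a PEM private-key block would make the factory throw
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(bytes)))
                certs.add((X509Certificate) c);
            return certs;
        }
        if (type.equals("UNKNOWN")) throw new IOException("unrecognised container: " + file);
        KeyStore ks = KeyStore.getInstance(type);   // explicit type: no reliance on JKS/PKCS12 auto-detection
        ks.load(new ByteArrayInputStream(bytes), password);
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);   // leaf of a key entry, or a trusted-certificate entry
            if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        return certs;
    }
    /** Certificates whose notAfter falls within the warning window (already-expired ones included). */
    static List<X509Certificate> expiringWithin(List<X509Certificate> certs, Duration window) {
        Instant cutoff = Instant.now().plus(window);
        List<X509Certificate> out = new ArrayList<>();
        for (X509Certificate c : certs)
            if (c.getNotAfter().toInstant().isBefore(cutoff)) out.add(c);
        return out;
    }
}
```

A caller passes the file and its password (null is accepted for a certificate-only PKCS12) to loadCertificates and then filters with expiringWithin(certs, Duration.ofDays(30)).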