3

I have a JKS keystore without a storepass, which contains a private key without a keypass.

  • I can't use this store and this key to interactively sign using e.g. jarsigner (which does not allow for empty keypass),
  • and all automation fails either by demanding a storepass or a keypass or both.

But the private key is in the keystore.

All my attempts at extracting the key using keytool have failed, and all attempts to password protect the key or the keystore have failed as well, all owing to the passlessness. The same goes for GUI and other tools that manipulate keystores. I'm guessing this is because a keypassless key in a storepassless store isn't a supported scenario anymore, or perhaps never was.

But I'm guessing there's code in the java.security.KeyStore namespace or elsewhere that lets me export the private key using Java code. Does anyone know for sure, and if so, could point me in the right direction, since I have zero experience with this?

MDTool IPA
  • 183
  • 1
  • 8

1 Answers1

1

You can find some Java code using KeyStore to export a private key here.

It's not clear what you mean when you say that you have "no" password. A JKS key store requires a key store password and a password for each secret and private key entry. However, this password can be the empty string. If that's what you mean, use new char[0] as the password, like this:

KeyStore keys = KeyStore.getInstance("JKS");
 /* You don't actually need the password to open the store. */
try (FileInputStream is = new FileInputStream("identity.jks")) {
  keys.load(is, null);
}
char[] password = new char[0];
/* Continue with example from linked answer. */
...

The command line tools won't work without specifying arguments for these, but have you tried specifying an empty string? I.e., -storepass ""? You can also change passwords on the store itself or an individual key entry so that the password is no longer empty and the tools will not complain.

Community
  • 1
  • 1
erickson
  • 265,237
  • 58
  • 395
  • 493