I used keytool to generate the secret key:

```
keytool -genseckey -alias mykey -keyalg AES -keysize 256 -storetype jceks -keystore mykeystore
```

Then, the following command will list information about mykeystore:

```
keytool -list -keystore mykeystore -storepass password -v -storetype jceks -alias mykey
```

And the result will look like this:

```
Alias name: mykey
Creation date: Dec 31, 2016
Entry type: SecretKeyEntry
```

But I want to see the key like below (I used `openssl enc -aes-256-cbc -k secret -P -md sha1`):

```
salt=xxxxxxxxxxx
key=EB381B48CC2D39C7A5164491129CA10486861530B02E4FD11D64433CF8388428
iv = xxxxxxxxxxxxxxxxxxxxxxxxxx
```

How can I use keytool to see the key from the keystore?

jww
klichen
  • You'll have to use Java code for that. Please see http://stackoverflow.com/questions/4907622/keytool-see-the-public-and-private-keys – Ivan Jan 02 '17 at 18:00
  • Java `KeyStore.SecretKeyEntry` is a raw key, i.e. the correct number of random bits, stored in bytes. `openssl enc` in most cases including this does salted Password Based Key Derivation (PBKDF) to produce a key and sometimes (including here) IV entirely different from the input password. Standard Java JCE called from code (but not `keytool`) supports some PBKDF algorithms, but not the one used by `openssl`, which is named `EVP_BytesToKey` and there are quite a few Qs about it already. However it is a poor PBKDF; if you want PBE and don't need openssl interop you should use ... – dave_thompson_085 Jan 02 '17 at 18:47
  • ... something better like PBKDF2 or depending on your usage maybe bcrypt, scrypt, argon2. In any case, TLS-PSK does not do any kind of PBKDF, although it does alter the TLS 'PRF' which is really a KBKDF (**Key** Based Key Derivation) which is quite different from a PBKDF. In short, your Q is combining things that make no sense together. – dave_thompson_085 Jan 02 '17 at 18:49
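
As the comments say, `keytool` only reports the entry type, so the raw bytes of a `SecretKeyEntry` have to be read from Java code. The following is an added example, not code from this thread: the class name `DumpSecretKey` and the in-memory sample keystore are assumptions made for illustration, while the `JCEKS` store type, the alias `mykey` and the password `password` are taken from the question.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;

public class DumpSecretKey {
    // Load a JCEKS keystore and return the raw bytes of the secret key stored under alias.
    static byte[] readKey(InputStream in, char[] storePass, String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(in, storePass);                        // also verifies the store integrity check
        if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            throw new IllegalArgumentException(alias + " is missing or not a SecretKeyEntry");
        }
        return ks.getKey(alias, keyPass).getEncoded(); // raw key bytes, no derivation involved
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Constructed sample: an in-memory JCEKS keystore holding a fresh AES-256 key.
    static byte[] sampleKeystore(char[] pass, String alias) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pass);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(pass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java DumpSecretKey <keystore> <storepass> <alias> <keypass>
        // With no arguments the constructed in-memory sample keystore is read instead.
        boolean file = args.length == 4;
        char[] storePass = (file ? args[1] : "password").toCharArray();
        String alias = file ? args[2] : "mykey";
        char[] keyPass = (file ? args[3] : "password").toCharArray();
        try (InputStream in = file ? Files.newInputStream(Paths.get(args[0]))
                : new ByteArrayInputStream(sampleKeystore(storePass, alias))) {
            System.out.println("key=" + hex(readKey(in, storePass, alias, keyPass)));
        }
    }
}
```

The hex string printed is the AES key itself, so keep it out of logs and shell history. It will not match the `key=` line from `openssl enc -P`, because that value is derived from the password and salt rather than stored.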

0 Answers