Extract a Secret Key from a Java Keystore

Yesterday, I was trying to pull a shared secret (a SecretKeyEntry, not a PrivateKeyEntry) out of a Java keystore.

I'd created it quite some time ago and annoyingly didn't have a copy of the secret stored anywhere. What I did have, however, was the keystorepass and the keypass, so I wanted to pull the key out.

This was achievable using the Java class below:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.crypto.SecretKey;

public class OutputSecretKey {
  public static void main(String[] args) throws Exception {
    final String fileName = args[0];
    final String alias = args[1];
    final char[] storepass = args[2].toCharArray();
    final char[] keypass = args[3].toCharArray();

    // The keystore in this post is a JCEKS store
    KeyStore ks = KeyStore.getInstance("JCEKS");

    try (FileInputStream fis = new FileInputStream(fileName)) {
      ks.load(fis, storepass);
      // getKey returns null when the alias does not exist
      SecretKey secretKey = (SecretKey) ks.getKey(alias, keypass);
      if (secretKey == null) {
        throw new IllegalArgumentException("No key found for alias " + alias);
      }
      // Hex-encode byte by byte so every byte yields exactly two digits;
      // BigInteger.toString(16) drops leading zeros and can produce an odd-length string
      StringBuilder secretAsHex = new StringBuilder();
      for (byte b : secretKey.getEncoded()) {
        secretAsHex.append(String.format("%02x", b));
      }
      System.out.println(hexToAscii(secretAsHex.toString()));
    }
  }

  /* https://www.baeldung.com/java-convert-hex-to-ascii */
  private static String hexToAscii(String hexStr) {
    StringBuilder output = new StringBuilder("");

    // Each pair of hex digits is one character of the secret
    for (int i = 0; i < hexStr.length(); i += 2) {
      String str = hexStr.substring(i, i + 2);
      output.append((char) Integer.parseInt(str, 16));
    }

    return output.toString();
  }
}

This can then be run as follows:

$ javac OutputSecretKey.java
$ java OutputSecretKey keystore.jceks alias thisisthekeystorepass thekeyhasthispassword
supersecretpassword

Note that this code has been adapted from "How to display Java keystore SecretKeyEntry from command line" and "Convert Hex to ASCII in Java".
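A variant of the class above, as an added example that is not part of the original post: it walks every alias in the JCEKS keystore, skips anything that is not a SecretKeyEntry, and prints each secret key's algorithm and Base64-encoded bytes, which also works for keys that are not printable text. The class name `ListSecretKeys` is an assumption, and the passwords are read from the console instead of `args` so they do not end up in shell history or the process list.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;

// Added example; ListSecretKeys is a hypothetical name, not code from the post.
public class ListSecretKeys {
  public static void main(String[] args) throws Exception {
    Console console = System.console();
    if (args.length != 1 || console == null) {
      System.err.println("usage: java ListSecretKeys <keystore.jceks> (interactive terminal required)");
      System.exit(2);
    }
    char[] storepass = console.readPassword("Keystore password: ");
    if (storepass == null) {
      System.exit(2); // input closed before a password was entered
    }
    KeyStore ks = KeyStore.getInstance("JCEKS");
    try (FileInputStream fis = new FileInputStream(args[0])) {
      ks.load(fis, storepass); // also verifies the keystore's integrity
    } finally {
      Arrays.fill(storepass, '\0'); // do not keep the password in memory
    }
    for (String alias : Collections.list(ks.aliases())) {
      // Certificates and private keys live in the same store; only report secret keys
      if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
        System.out.println(alias + ": not a SecretKeyEntry, skipped");
        continue;
      }
      char[] keypass = console.readPassword("Key password for '%s': ", alias);
      if (keypass == null) {
        break; // input closed
      }
      try {
        Key key = ks.getKey(alias, keypass);
        byte[] raw = key.getEncoded();
        System.out.println(alias + ": " + key.getAlgorithm() + " "
            + Base64.getEncoder().encodeToString(raw));
        Arrays.fill(raw, (byte) 0);
      } catch (UnrecoverableKeyException e) {
        System.out.println(alias + ": key password rejected");
      } finally {
        Arrays.fill(keypass, '\0');
      }
    }
  }
}
```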

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.
