KeyStore Handling#

Spaces uses asymmetric cryptography to sign the JSON Web Tokens that grant access to its service. The signature of a token can be verified with the public key alone.

Spaces uses 256-bit EC keys (curve secp256r1). The keystore is in PKCS12 format, which allows it to be managed with different tools.

Key Alias#

Spaces expects the keystore to contain a public/private key pair stored under the alias com.skalio.spaces.

Keypair Creation#

The keypair has to be created under the service-specific alias. Because the keystore always stores the public key inside a (self-signed) X.509 certificate, which also carries the details of the EC curve, keytool will prompt for the certificate's subject details.

The entry is added to an existing keystore, or a new keystore is created if the file does not exist yet. Passing -storepass on the command line leaves the password in the shell history; if the option is omitted, keytool prompts for it instead.

# This command creates a new keystore with an EC keypair.
keytool \
  -genkeypair \
  -alias com.skalio.spaces \
  -keyalg EC \
  -groupname secp256r1 \
  -sigalg SHA256withECDSA \
  -validity 3650 \
  -storetype PKCS12 \
  -keystore /path/to/keystore.jks \
  -storepass CorrectHorseBatteryStaple

What is your first and last name?
  [Unknown]:  Admin
What is the name of your organizational unit?
  [Unknown]:  DevOps
What is the name of your organization?
  [Unknown]:  Skalio
What is the name of your City or Locality?
  [Unknown]:  Hamburg
What is the name of your State or Province?
  [Unknown]:  HH
What is the two-letter country code for this unit?
  [Unknown]:  DE
Is CN=Admin, OU=DevOps, O=Skalio, L=Hamburg, ST=HH, C=DE correct?
  [no]:  yes
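To confirm that the keystore created above is what Spaces expects before deploying it, here is an added example in Java (the language of the keystore API behind keytool; it is not part of Spaces or its tooling): it loads the PKCS12 file, checks that the alias com.skalio.spaces is a private-key entry holding a 256-bit EC key, and performs an ES256 sign/verify round trip on a constructed JWT signing input. The keystore path and password come from the command line; the class name KeystoreCheck and the sample header and payload are assumptions.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.ECPublicKey;
import java.util.Base64;

// Added example, not part of Spaces: load the PKCS12 keystore, check that it holds
// the entry Spaces expects, then sign and verify a constructed JWT signing input.
public class KeystoreCheck {
    static final String ALIAS = "com.skalio.spaces";

    public static void main(String[] args) throws Exception {
        String path = args[0];                 // e.g. /path/to/keystore.jks (assumed)
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);             // also verifies the keystore MAC
        }
        // The alias must be a private-key entry, not a trusted-certificate entry.
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("no private key entry with alias " + ALIAS);
        }
        // For PKCS12 keystores keytool uses the store password as the key password.
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, password);
        ECPublicKey pub = (ECPublicKey) ks.getCertificate(ALIAS).getPublicKey();
        // secp256r1 uses a 256-bit field; any other key type cannot produce ES256 tokens.
        int bits = pub.getParams().getCurve().getField().getFieldSize();
        if (!"EC".equals(priv.getAlgorithm()) || bits != 256) {
            throw new IllegalStateException("expected a 256-bit EC key, got "
                + priv.getAlgorithm() + " with " + bits + " bits");
        }
        // Constructed JWT signing input: base64url(header) "." base64url(payload).
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String signingInput = b64.encodeToString("{\"alg\":\"ES256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
            + "." + b64.encodeToString("{\"sub\":\"example\"}".getBytes(StandardCharsets.UTF_8));
        byte[] data = signingInput.getBytes(StandardCharsets.US_ASCII);
        // JWT ES256 signatures are the raw R||S pair (IEEE P1363), not DER, hence this variant.
        Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
        signer.initSign(priv);
        signer.update(data);
        byte[] sig = signer.sign();            // 64 bytes for P-256
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(pub);
        verifier.update(data);
        System.out.println("verified: " + verifier.verify(sig) + ", signature bytes: " + sig.length);
    }
}
```

Run it as `java KeystoreCheck /path/to/keystore.jks CorrectHorseBatteryStaple`; a keystore with a missing alias or a non-P-256 key fails fast with the stated reason instead of producing tokens that every verifier will reject.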

List Entries#

The contents of the keystore can be listed with different tools:

# openssl pkcs12 -in /path/to/keystore.jks -nodes -info

Enter Import Password:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Bag Attributes
    friendlyName: com.skalio.spaces
    localKeyID: 54 69 6D 65 20 31 35 37 39 36 30 31 36 38 35 33 32 33
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCBXSgRKZ+OErWPR0YF1
CZy1OT21DeXxEh09OD6mffpn7Q==
-----END PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: com.skalio.spaces
    localKeyID: 54 69 6D 65 20 31 35 37 39 36 30 31 36 38 35 33 32 33
subject=C = DE, ST = HH, L = Hamburg, O = Skalio, OU = DevOps, CN = Admin

issuer=C = DE, ST = HH, L = Hamburg, O = Skalio, OU = DevOps, CN = Admin

-----BEGIN CERTIFICATE-----
MIIB0zCCAXegAwIBAgIEaNTk9zAMBggqhkjOPQQDAgUAMF4xCzAJBgNVBAYTAkRF
MQswCQYDVQQIEwJISDEQMA4GA1UEBxMHSGFtYnVyZzEPMA0GA1UEChMGU2thbGlv
MQ8wDQYDVQQLEwZEZXZPcHMxDjAMBgNVBAMTBUFkbWluMB4XDTIwMDEyMTEwMTQ0
NVoXDTMwMDExODEwMTQ0NVowXjELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkhIMRAw
DgYDVQQHEwdIYW1idXJnMQ8wDQYDVQQKEwZTa2FsaW8xDzANBgNVBAsTBkRldk9w
czEOMAwGA1UEAxMFQWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQluzvw
Vekzz5+E0MpXuE5cGejhNrxRgDBEsClIw2/7rTYvOoNF+srF1kv8//69cVyQFv2U
F1QBP/1LnCZdPaSroyEwHzAdBgNVHQ4EFgQUrSSvCz+EvKvItsWTvE7XqBUEBFkw
DAYIKoZIzj0EAwIFAANIADBFAiAu2vrenouc9uos748ccxOiQL/fQ+GbiBZyo4c8
G+I3nAIhAPBtHETXYIzxkn/qyCxP+XK2OiEJ0WxAhAlp30xMTOnD
-----END CERTIFICATE-----

or

# keytool -list -v -keystore /path/to/keystore.jks -storepass CorrectHorseBatteryStaple

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: com.skalio.spaces
Creation date: Jan 21, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Admin, OU=DevOps, O=Skalio, L=Hamburg, ST=HH, C=DE
Issuer: CN=Admin, OU=DevOps, O=Skalio, L=Hamburg, ST=HH, C=DE
Serial number: 68d4e4f7
Valid from: Tue Jan 21 11:14:45 CET 2020 until: Fri Jan 18 11:14:45 CET 2030
Certificate fingerprints:
     SHA1: 94:F3:51:32:39:0E:F4:44:CD:85:DE:1E:8B:DC:F4:6D:8B:9F:FB:CC
     SHA256: CE:57:35:54:B9:64:0A:7C:5D:1B:79:3F:FF:5E:95:BD:F1:7B:21:3D:2C:CD:FB:02:4B:4D:DA:27:D6:D6:88:B3
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD 24 AF 0B 3F 84 BC AB   C8 B6 C5 93 BC 4E D7 A8  .$..?........N..
0010: 15 04 04 59                                        ...Y
]
]



*******************************************
*******************************************

or using the Spaces shell

spaces-backend> keystore list

This will list entries and their aliases in a keystore.
Configured keystore location: /path/to/keystore.jks

Keystore contains 1 entries.
Private Key: com.skalio.spaces

Export Public Keys#

It is not necessary to export the public key.