How to Check Java Keystore JKS File for Private Keys

tl;dr — use keytool to list content of .jks keystore file and lookout for SecretKeyEntry and PrivateKeyEntry entry types for private key storage and extract private key with openssl library

Sometimes when I come across Java Keystore or a file with .jks extension as well as its password, I wonder if sensitive data is inside and whether I can extract private keys from the file if the file password is known.

Can I know whether a private key is stored inside JKS without actually exporting it out? Is it possible?

The answer is Yes.

The following items will be used in my demonstration:

• mykeystore.jks — I imported www.google.com and www.bing.com public keys or public certificates as non-sensitive information storage. A set of public and private key that I generated called mykey for sensitive information storage
• keystore password
• keytool — I think it typically comes with java installation
• openssl — Linux OS has it or it can be easily installed

Checking What Type of Entries are Stored within the Keystore

It is pretty simple. Run the following keytool command against the .jks file you want to analyse.

keytool -list -keystore mykeystore.jks

Listing the content of Java Keystore file using keytool -list command

So, the yellow circle is nothing much, the column denotes a name or alias of a particular data row. From the screenshot above, I have three items stored in the keystore with alias or name bing, google and mykey.

What is more important is the entries type value which marked with green. There are 3 possible values as far as I know.

• PrivateKeyEntry: Contains a private key and the associated certificate chain.
• SecretKeyEntry: Stores a secret (symmetric) key used in algorithms like AES.
• TrustedCertificateEntry: Holds a trusted certificate, such as a root or intermediate CA certificate. No private key involved.

If we happen to crack a password of a .jks file and it has items with an entry type of either SecretKeyEntry or PrivateKeyEntry, we have hit a jackpot. Private keys, either asymmetric or symmetric, can be extracted if you want it further. For this demonstration it has been identified that an item with mykey alias has entry type of PrivateKeyEntry which means its private key is stored within this mykeystore.jks keystore.

Extracting Private Keys

From a quick search, it looks like we have to convert the .jks file into PKCS12 (file extension .p12) then use openssl to export the private key out.

If you want to extract a single item from the keystore, use -srcalias to specify the desired alias name:

keytool -importkeystore -srckeystore <name>.jks -destkeystore <name>.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias <alias> -deststorepass <password> -destkeypass <password>

If you want to extract everything, you don’t need to specify -srcalias parameter:

keytool -importkeystore -srckeystore <name>.jks -destkeystore <name>.p12 -srcstoretype jks -deststoretype pkcs12 -deststorepass <password> -destkeypass <password>

We are interested in this item with mykey alias

Extracting a single “mykey” item by specifying in alias name and converting into .p12 file format

The command to export private keys:

openssl pkcs12 -in <name>.p12 -nocerts -out <name>.pem

Exporting private key from .p12 file to another viewable format .pem

Viewing the actual private key value from the exported .pem file

Just make sure to keep track of various passwords if you are giving unique passwords for each steps.

So this is how we can view if .jks file content and export private keys.

Thanks for reading!