PEM KeyStore Implementation

Karl Scheibelhofer karl.scheibelhofer at gmx.net
Sun Sep 10 08:04:03 UTC 2023


Hi Tony,

The motivation was mostly about reading PEM keys and certificates
generated somewhere else. This is common practice in the enterprise
environments I work in, because corporate key material is subject to
centralized key management, including generation, backup and rollover.
PEM is the format most software products can handle. For Java
applications, having a PEM KeyStore would remove the often required
additional step of converting a PEM key and certificate into a Java
KeyStore/PKCS#12.
Even truststore handling is easier with individual PEM certificates
instead of a single PKCS#12 truststore. Adding or deleting a single
file instead of replacing the complete PKCS#12 store is less error
prone and cleaner to track in version control. The additional benefit
of a MAC in PKCS#12 adds little to no security in most cases.
And being text based, PEM is more version control friendly than binary PKCS#12.

But to enable sound support of PEM, I also implemented writing PEM
keys and certificates. This way, one can use the JDK keytool to
generate key and certificate signing requests in PEM format. Getting
the certificate from the CA in PEM, one can use PEM throughout the
process.

Do you have any links or documentation on the PEM API JEP that you mentioned?

Thank you for your feedback and best regards

  Karl

On Fri, 8 Sept 2023 at 21:17, Anthony Scarpino
<anthony.scarpino at oracle.com> wrote:
>
> Hi Karl
>
> The keystore is interesting and may have some value.  Was your use case
> mostly reading PEM keys and certificates generated elsewhere for use
> with a particular application, maybe webservers?  Did you see value in
> writing to this keystore from Java?
>
> On the topic of PEM, I hope before the end of the year to have a PEM API
> JEP.  I would be interested in your API feedback from your keystore
> experiences.  I think if this keystore contribution was accepted, it
> should wait so it can use that API.
>
> thanks
>
> Tony
>
>
> On 9/1/23 12:15 PM, Karl Scheibelhofer wrote:
> > Hi,
> >
> > Working with Java and the JCA KeyStore for decades, I came across
> > many situations where I thought it would be convenient to be
> > able to load private keys and certificates in PEM format directly
> > using the KeyStore API. Without the need to convert them to PKCS#12/JKS.
> >
> > You can find my implementation of a PEM KeyStore in
> > https://github.com/KarlScheibelhofer/java-crypto-tools.
> >
> > I wondered if it would make sense to integrate such an implementation
> > in one of the standard providers of OpenJDK - like the SUN provider.
> > What do you think?
> >
> > Best regards
> >
> >    Karl
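Karl's message above describes three operations: reading PEM private keys and certificates into a KeyStore, writing them back out in PEM, and treating a directory of individual PEM certificate files as a truststore. The following is an added illustration of those operations using only standard JDK APIs; it is not the java-crypto-tools code and not a KeyStoreSpi implementation. The class name PemKeyStoreLoader, the alias "server" and the placeholder password are assumptions. It assumes Java 17, supports only unencrypted PKCS#8 "PRIVATE KEY" and "CERTIFICATE" blocks, and uses a freshly generated EC key as constructed sample input so the round trip runs without any files.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/** Hypothetical helper for this example; not the java-crypto-tools PEM KeyStore. */
public final class PemKeyStoreLoader {

    // One PEM block; the label is captured so the END line is checked against the BEGIN line.
    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z ]+)-----\\s*([A-Za-z0-9+/=\\s]+?)\\s*-----END \\1-----");

    /** Splits PEM text into (label, DER bytes) pairs, in file order. */
    static List<Map.Entry<String, byte[]>> parseBlocks(String pem) {
        List<Map.Entry<String, byte[]>> out = new ArrayList<>();
        Matcher m = PEM_BLOCK.matcher(pem);
        while (m.find()) {
            byte[] der = Base64.getDecoder().decode(m.group(2).replaceAll("\\s", ""));
            out.add(Map.entry(m.group(1), der));
        }
        return out;
    }

    /** Writes DER bytes as one PEM block with 64-column Base64 lines (the "writing" direction). */
    static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    /** Decodes an unencrypted PKCS#8 block; the label carries no algorithm, so the usual ones are tried. */
    static PrivateKey decodePkcs8(byte[] der) throws GeneralSecurityException {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        for (String alg : List.of("RSA", "EC", "EdDSA", "DSA")) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (GeneralSecurityException ignored) {
                // wrong algorithm for this key, or algorithm not available in this JDK
            }
        }
        throw new GeneralSecurityException("unsupported PKCS#8 key algorithm");
    }

    /** Builds an in-memory PKCS12 KeyStore from PEM text holding one PRIVATE KEY and its CERTIFICATE chain. */
    static KeyStore loadKeyEntry(String alias, String pem, char[] password)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PrivateKey key = null;
        List<Certificate> chain = new ArrayList<>();
        for (Map.Entry<String, byte[]> block : parseBlocks(pem)) {
            switch (block.getKey()) {
                case "PRIVATE KEY" -> key = decodePkcs8(block.getValue());
                case "CERTIFICATE" -> chain.add(cf.generateCertificate(new ByteArrayInputStream(block.getValue())));
                // PKCS#1 ("RSA PRIVATE KEY") and "ENCRYPTED PRIVATE KEY" are rejected rather than silently skipped.
                default -> throw new GeneralSecurityException("unsupported PEM label: " + block.getKey());
            }
        }
        if (key == null || chain.isEmpty()) {
            throw new GeneralSecurityException("PEM must contain one PRIVATE KEY and at least one CERTIFICATE");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // empty in-memory store
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        return ks;
    }

    /** Truststore from a directory: each *.pem file contributes trusted-certificate entries aliased by file name. */
    static KeyStore loadTrustStore(Path dir) throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        try (Stream<Path> files = Files.list(dir)) {
            for (Path p : files.filter(f -> f.toString().endsWith(".pem")).toList()) {
                int i = 0;
                for (Map.Entry<String, byte[]> block : parseBlocks(Files.readString(p))) {
                    if (!"CERTIFICATE".equals(block.getKey())) { // a key in the trust directory is a misconfiguration
                        throw new GeneralSecurityException(p + " holds a non-certificate block: " + block.getKey());
                    }
                    Certificate c = cf.generateCertificate(new ByteArrayInputStream(block.getValue()));
                    ts.setCertificateEntry(p.getFileName() + "#" + i++, c);
                }
            }
        }
        return ts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a fresh EC key written to PEM and read back, so no files are needed.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        String pem = toPem("PRIVATE KEY", kp.getPrivate().getEncoded());
        PrivateKey back = decodePkcs8(parseBlocks(pem).get(0).getValue());
        System.out.println("PKCS#8 round trip ok: " + Arrays.equals(back.getEncoded(), kp.getPrivate().getEncoded()));
        // Optional real inputs: args[0] = key+chain PEM file, args[1] = directory of CA certificate PEM files.
        if (args.length > 0) {
            KeyStore ks = loadKeyEntry("server", Files.readString(Path.of(args[0])), "changeit".toCharArray());
            System.out.println("key entry chain length: " + ks.getCertificateChain("server").length);
        }
        if (args.length > 1) {
            System.out.println("trusted certificates: " + loadTrustStore(Path.of(args[1])).size());
        }
    }
}
```

Two points worth noting for anyone using such a loader in practice. An unencrypted PKCS#8 PEM file has no protection of its own (this is the flip side of the MAC remark above), so file-system permissions and the key-management process are what protect it; the "changeit" password here only guards the in-memory PKCS12 entry and is a placeholder. Unknown block labels are rejected instead of skipped, because silently dropping an "ENCRYPTED PRIVATE KEY" or PKCS#1 block would produce a store that looks loaded but is missing its key.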

