Keystore Implementation

The KeyStore class supplies well-defined interfaces to access and modify the information in a keystore. It is possible for there to be multiple different concrete implementations, where each implementation is that for a particular type of keystore.

Currently, there are two command-line tools that make use of KeyStore: keytool and jarsigner, and also a GUI-based tool named policytool. policytool is also used by the Policy reference implementation when it processes policy files specifying the permissions (allowed accesses to system resources) to be granted to code from various sources. Because KeyStore is publicly available, SDK users can write additional security applications that use it.

There is a built-in default implementation, called JKS. It implements the keystore as a file, utilizing a proprietary keystore type (format). It protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.

Keystore implementations are provider-based. More specifically, the application interfaces supplied by KeyStore are implemented in terms of a Service Provider Interface (SPI). That is, there is a corresponding abstract KeyStoreSpi class, also in the java.security package, which defines the SPI methods that providers must implement. (The term provider refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java™ 2 SDK Security API.) Therefore, to provide a keystore implementation, clients must implement a provider and supply a KeyStoreSpi subclass implementation.

Applications can choose different types of keystore implementations from different providers, using the getInstance factory method in the KeyStore class. A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private keys in the keystore and the integrity of the keystore itself. Keystore implementations of different types are not compatible.

The default keystore type is jks (the proprietary type of the keystore implementation provided by the IBMJCE provider). This keystore type is specified by the following line in the security properties file:
keystore.type=jks

To specify that tools and other applications will use a keystore implementation other than the default keystore, you can change that line to specify a different keystore type. Or, you can let users of your tools and applications specify a keystore type, and pass that value to the getInstance method of KeyStore.

An example of the former approach is the following: If you have a provider package that supplies a keystore implementation for a keystore type called pkcs12, change the line to
keystore.type=pkcs12
Note: Keystore type designations are not case-sensitive. For example, JKS would be considered the same as jks.
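The two password levels described above (one per key entry, one for the integrity of the whole keystore), the type selection through getInstance, and the case-insensitive type lookup from the note, as an added example that is not part of this documentation or of any provider's code. It assumes the pkcs12 type from the second example (the jks type cannot hold the secret-key entry used here, and a private-key entry would need a certificate chain) and that the installed PKCS12 implementation honours an entry password different from the store password; the key, aliases and passwords are constructed sample values.

```java
import java.io.*;
import java.security.*;
import javax.crypto.*;

public class KeyStorePasswords {
    public static void main(String[] args) throws Exception {
        char[] storePass = "integrity-password".toCharArray(); // guards the whole keystore (constructed)
        char[] keyPass = "entry-password".toCharArray();       // guards this one entry (constructed)

        // Assumed type: pkcs12. Lookup is case-insensitive, so "PKCS12" selects the same implementation.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // start with an empty keystore

        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // constructed sample key
        ks.setEntry("app-key", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(keyPass));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);                              // integrity protection is applied here
        byte[] bytes = out.toByteArray();

        // Right store password: the keystore loads, and the entry password unlocks the key.
        KeyStore loaded = KeyStore.getInstance("pkcs12");
        loaded.load(new ByteArrayInputStream(bytes), storePass);
        System.out.println("key recovered: " + (loaded.getKey("app-key", keyPass) != null));

        // Wrong entry password: the keystore is intact, only this entry stays locked.
        try {
            loaded.getKey("app-key", "wrong".toCharArray());
        } catch (UnrecoverableKeyException e) {
            System.out.println("entry password rejected: " + e.getMessage());
        }

        // Wrong store password: the integrity check fails and nothing is loaded.
        try {
            KeyStore.getInstance("pkcs12").load(new ByteArrayInputStream(bytes), "wrong".toCharArray());
        } catch (IOException e) {
            System.out.println("store password rejected: " + e.getMessage());
        }

        // A type that no installed provider implements is refused up front.
        try {
            KeyStore.getInstance("no-such-type");
        } catch (KeyStoreException e) {
            System.out.println("unknown type rejected: " + e.getMessage());
        }
    }
}
```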