3

I have a JKS keystore that keeps several private/public key pairs in my application. That is already protected using the password for the keystore. I'm adding keys used for doing OpenPGP with Bouncy Castle, and I need to generate several keys to use with Bouncy Castle PGP. I know I can store these keys as individual files, but those files would need to be protected individually with passwords creating a headache for the user. I'd like to simply store the PGP keys in the existing Keystore. I've read several responses on Stackoverflow alluding to it being possible, but no definitive answer about how. So can I store the PGP keys in the existing Keystore?

Here is what I'm thinking. Bouncy Castle's classes for PGP do not implement Key or Certificate. It does have JcaPGPKeyPair which can wrap a PrivateKey/PublicKey instance. So I could create keys within JCE, then "import" the JCE keys into the BC PGP infrastructure using JcaPGPKeyPair. Once I'm done I throw away all of the BC PGP instances and recreate when I need them again. Possibly using JcaPGPKeyConverter to do the heavy lifting of converting between JCE keys and PGP keys?

Could I use 2 JCE RSA or DSA keypairs for both signature and encryption keys PGP wants to use? Keep those in the Keystore and simply reconstruct the PGP infrastructure on demand when I want to use those keys?

chubbsondubs
  • 37,646
  • 24
  • 106
  • 138

1 Answers1

2

I'd like to simply store the PGP keys in the existing Keystore. I've read several responses on Stackoverflow alluding to it being possible, but no definitive answer about how. So can I store the PGP keys in the existing Keystore?

The Java key store does not support OpenPGP keys. OpenPGP is another standard incompatible to X.509.

Bouncy Castle's classes for PGP do not implement Key or Certificate. It does have JcaPGPKeyPair which can wrap a PrivateKey/PublicKey instance. So I could create keys within JCE, then "import" the JCE keys into the BC PGP infrastructure using JcaPGPKeyPair. Once I'm done I throw away all of the BC PGP instances and recreate when I need them again. Possibly using JcaPGPKeyConverter to do the heavy lifting of converting between JCE keys and PGP keys?

Could I use 2 JCE RSA or DSA keypairs for both signature and encryption keys PGP wants to use? Keep those in the Keystore and simply reconstruct the PGP infrastructure on demand when I want to use those keys?

You could probably extract the plain numbers forming the public and private keys, but are losing all information on user IDs, timestamps, ..., which you would have to reconstruct every time. I would not go for such a fragile and error-prone path. There is no real mapping of OpenPGP and X.509 key attributes, and it gets worse for certificates (signatures on keys).

Jens Erat
  • 37,523
  • 16
  • 80
  • 96
  • So what are the preferred ways of storing PGP keys in something like a Keystore? I know there are lots of other formats PKCS11, PKCS12 that can store multiple keys. In the API PGPSecretKeyRingCollection has an encode(OutputStream) method, but details are missing as to what it actually does. Or how to protect keys you write out. – chubbsondubs Mar 11 '16 at 21:19
  • OpenPGP knows the concept of "keyrings", which are basically multiple keys listed one after the other. If you have GnuPG installed and use it, you can easily observe this by looking at the `~/.gnupg/pubring.gpg` file, for example using `gpg --list-packets` or `pgpdump` to list the actual key packets (and everything attached to them). Private keys are by default symmetrically encrypted with a passphrase, which is also standardized in OpenPGP. – Jens Erat Mar 12 '16 at 08:51
  • Well I want to do this in the Bouncy Castle API since that is apart of my product so using GnuPG is not an option. So I guess I'll keep looking. – chubbsondubs Mar 12 '16 at 23:22
  • GnuPG was only meant as reference and debugging tool. I've never actually used Bouncy Castle, but from reading the API it seems they support the very same semantics of key stores. I think I even remember somebody directly having used GnuPG's public key file in Bouncy Castle (you couldn't do this with private keys, though, as GnuPG is storing private keys in a special, non-standard format). – Jens Erat Mar 13 '16 at 15:03
  • Ok. Yes Bouncy Castle API looks very similar to GnuPG and has key rings etc, but some technical questions about how things are protected aren't answered by looking at the API alone. Thanks for you help. You did answer my original question. – chubbsondubs Mar 14 '16 at 16:50