How can I store a Bouncy Castle PGP key in a Java Keystore?

Question

I have a JKS keystore that keeps several private/public key pairs in my application. That is already protected using the password for the keystore. I'm adding keys used for doing OpenPGP with Bouncy Castle, and I need to generate several keys to use with Bouncy Castle PGP. I know I can store these keys as individual files, but those files would need to be protected individually with passwords creating a headache for the user. I'd like to simply store the PGP keys in the existing Keystore. I've read several responses on Stackoverflow alluding to it being possible, but no definitive answer about how. So can I store the PGP keys in the existing Keystore?

Here is what I'm thinking. Bouncy Castle's classes for PGP do not implement Key or Certificate. It does have JcaPGPKeyPair which can wrap a PrivateKey/PublicKey instance. So I could create keys within JCE, then "import" the JCE keys into the BC PGP infrastructure using JcaPGPKeyPair. Once I'm done I throw away all of the BC PGP instances and recreate when I need them again. Possibly using JcaPGPKeyConverter to do the heavy lifting of converting between JCE keys and PGP keys?

Could I use 2 JCE RSA or DSA keypairs for both signature and encryption keys PGP wants to use? Keep those in the Keystore and simply reconstruct the PGP infrastructure on demand when I want to use those keys?

Answer 1

I'd like to simply store the PGP keys in the existing Keystore. I've read several responses on Stackoverflow alluding to it being possible, but no definitive answer about how. So can I store the PGP keys in the existing Keystore?

The Java key store does not support OpenPGP keys. OpenPGP is another standard incompatible to X.509.

Bouncy Castle's classes for PGP do not implement Key or Certificate. It does have JcaPGPKeyPair which can wrap a PrivateKey/PublicKey instance. So I could create keys within JCE, then "import" the JCE keys into the BC PGP infrastructure using JcaPGPKeyPair. Once I'm done I throw away all of the BC PGP instances and recreate when I need them again. Possibly using JcaPGPKeyConverter to do the heavy lifting of converting between JCE keys and PGP keys?

Could I use 2 JCE RSA or DSA keypairs for both signature and encryption keys PGP wants to use? Keep those in the Keystore and simply reconstruct the PGP infrastructure on demand when I want to use those keys?

You could probably extract the plain numbers forming the public and private keys, but are losing all information on user IDs, timestamps, ..., which you would have to reconstruct every time. I would not go for such a fragile and error-prone path. There is no real mapping of OpenPGP and X.509 key attributes, and it gets worse for certificates (signatures on keys).