Can we do whatever we do using keytool with java.security apis like KeyPairGenerator etc

Question

Can we do whatever we do using keytool with java.security apis like KeyPairGenerator etc.

I am interested in extending the certificate with with specific validity.

For example can the following command run be done using Java security APIs

keytool -genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype}

I want to use only java core security APIs and not interested in third party APIs

Answer 1

Most of the operations that keytool (at least those that I know) can be recreated using java.security.* classes with some aditional utilities classes, for example, to create a new pair of keys you can use:

private static final String ALGORITHM = "RSA";
private static final String PROVIDER = "BC";

private PrivateKey privateKey;
private PublicKey publicKey;

...

public void generateNewKeyPair() {
    try {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance(ALGORITHM, PROVIDER);
        keyGen.initialize(2048, new SecureRandom());
        KeyPair keypair = keyGen.genKeyPair();
        privateKey = keypair.getPrivate();
        publicKey = keypair.getPublic();
    } catch (Exception e) {
        LOG.error("Error creating keyPair", e);
    }
}

Here is an example of retrieving a KeyPair from a KeyStore

Here is an (more elaborated) example that not only creates the KeyPair , but also stores it in a file

You can also serialize the KeyPair alongside a expiration timestamp as a SealedObject to simulate both the validity parameter and the storage provided by keytool

EDIT: SealedObject alone won't give you the validity parameter simulation, is the timestamp stored alongside with the keypair (in a SealedObject ) that will "simulate" an expiration date (which can be seen as the validity of the key). For example:

class KeyWithExpiration {
    private PublicKey publicKey;
    private Date expirationDate;
}

public static void serializeEncrypted(File file, Serializable instance) {
   // With these lines, I hope to expose some of the craft that is needed to work with the API 
   PBEKeySpec keySpecObj = new PBEKeySpec(PASSWORD, SALT, ITERATIONS);
   Cipher ecipherObj = Cipher.getInstance(keyObj.getAlgorithm());
   SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(ALGORITHM);
   SecretKey keyObj = secretKeyFactory.generateSecret(keySpecObj);

   SealedObject sealedObject = new SealedObject(instance, ecipherObj);

   ObjectOutputStream objOutputStream = new ObjectOutputStream(new FileOutputStream(file));
   objOutputStream.writeObject(sealedObject);
   objOutputStream.close();
}

// Generate a new KeyWithExpiration 
KeyWithExpiration key = new KeyWithExpiration(keyPair, DateUtil.future().days(365));
serializeEncrypted(new File(".key"), key);

Thats why the API plus some utility classes are needed to achieve some of the functionality provided by keytool