What’s the difference in having a JKS or a PKCS12 subscribing to my Android app?

Asked

Viewed 1,938 times

2

I was generating a Keystore for my application by Android Studio and received the following warning:

Key was created with errors:

Warning:

The storage of keys JKS uses a proprietary format. It is recommended migration to PKCS12, which is a pattern format industrial who uses "keytool -importkeystore -srckeystore C:\test.jks -destkeystore C:\test.jks -deststoretype pkcs12".

I decided to search, I found a comparison on ONLY in English. As far as I can tell, JKS is the standard of Java. This made me confused whether or not I should generate a PKCS12, since my application is in Kotlin and in the compilation is converted to Java, in accordance with official documentation.

What’s the difference in having one JKS or a PKCS12 signing my app?

It makes sense to worry about this in developing a small app?

android keystore

1 answer

2


JKS

The JKS is an encrypted security file used to store a set of cryptographic keys or certificates in binary format and requires a password for the file to be opened.

In this specific case, JKS is being used to identify the author (person/company) of the Android application during the build and later also in the publication on Google Play or in the installation of .apk (when the OS displays a message saying that the application is from an unknown source, for example).

PKCS#12

As stated in that reply JKS is not easily accessible from outside of Java, but this is not a problem for the specific case of the question (using Kotlin/Java). The files PKCS#12, are a language neutral way to store private keys and encrypted certificates, and there is enough time for it to be supported almost everywhere.

An important note is that, as seen in Wikipedia and the publication of Openjdk, PKCS#12 became the standard format for Keystore to the Java 9. The motivations for this are in free translation below:

As keystores JKS can store only private keys and trusted public key certificates and are based on a format proprietary that is not easily extensible to new algorithms cryptographic.

PKCS#12 is an extensible, standard and widely supported format for store cryptographic keys. From JDK 8, the keystores PKCS#12 can store private keys, public key certificates trusted and secret keys. Switching to PKCS#12 improves the Keystore integrity and confidentiality. Also opens interoperability opportunities with other systems that support PKCS#12.

So even though they both work and it’s just one Warning from Android Studio, it makes sense to use PKCS#12 for the advantages and support you’re getting.

Converting JKS to PKCS#12

To stop migrating the Keystore format, simply use the suggested command in the error message. In this case, it would be:

keytool -importkeystore -srckeystore C:\test.jks -destkeystore C:\test.jks -deststoretype pkcs12

The keytool -importkeystore has a list of parameters defined in the documentation that you can use, for example, if your Keystore has a password.

Parameter Definition
-srckeystore keystore Name of the source Keystore
-destkeystore keystore Name of the target store
-srcstoretype type Source Keystore type
-deststoretype type Type of target store
-srcstorepass arg Password of the source Keystore
-deststorepass arg Password for the target store
-srcprotected Password protected source keystore
-srcprovidername name Source Keystore provider name
-destprotected Password protected destination keystore
-destprovidername name Name of the target Keystore provider
-srcalias alias Alias of origin
-destalias alias Alias destination
-srckeypass arg Password of the source key
-destkeypass arg Password of the destination key
-noprompt Not ask
-providerclass class [-providerarg arg] Add fully qualified class name security provider with an optional configuration argument
-providerpath list Provider’s classpath
-v Detailed output (verbose)

In this article there is also some information about the conversion.

Browser other questions tagged android keystore

You are not signed in. Login or sign up in order to post.