Question

Is it possible to use the Java Keystore to store passwords, particularly for WebServices and such? I found information online about storing SSL keys, but this is overkill for my needs.

Solution

Yes, depending on the type of key store, you can create a SecretKeyEntry in a KeyStore. The SunJCE provider implements a "JCEKS" key store that accommodates secret key entries.

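```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;

// Returns the password stored under `alias` as the raw bytes of a secret-key entry.
static byte[] getPassword(KeyStore ks, String alias, char[] master)
  throws GeneralSecurityException, DestroyFailedException
{
  // Reject aliases that are missing or that hold a private key or certificate.
  if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class))
    throw new IllegalArgumentException();
  KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(master);
  try {
    KeyStore.SecretKeyEntry e = (KeyStore.SecretKeyEntry) ks.getEntry(alias, pp);
    return e.getSecretKey().getEncoded();
  }
  finally {
    // Wipe the copy of the master password held by the protection parameter.
    pp.destroy();
  }
}

// Stores `password` under `alias`, wrapped as a secret key and protected by `master`.
static void setPassword(KeyStore ks, String alias, byte[] password, char[] master)
  throws GeneralSecurityException, DestroyFailedException
{
  // The key store only holds keys, so the password bytes are wrapped in a SecretKey.
  SecretKey wrapper = new SecretKeySpec(password, "RAW");
  KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(wrapper);
  KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(master);
  try {
    ks.setEntry(alias, entry, pp);
  }
  finally {
    // Wipe the copy of the master password held by the protection parameter.
    pp.destroy();
  }
}
```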

You should be careful to "zero" the passwords as soon as you are done using them, just like I destroy() the PasswordProtection instance in a try-finally block. Otherwise a memory scraper like that used in the Target breach has a better chance of grabbing a key.
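A full round trip with the "JCEKS" key store described in the answer, as an added example that is not part of the original answer: it creates an empty store, saves a password as a secret-key entry, serializes and reloads the store, reads the password back, and clears every array it owns. The class name, alias and sample passwords are constructed for illustration, and the store is written to memory where a real application would use a file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.UnrecoverableEntryException;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;

public class KeyStorePasswordDemo {
  public static void main(String[] args) throws Exception {
    // Constructed sample values; literals are used only to keep the demo self-contained.
    String alias = "ws-password"; // hypothetical alias
    char[] master = "constructed-master-password".toCharArray();
    byte[] secret = "constructed-ws-password".getBytes(StandardCharsets.UTF_8);
    byte[] recovered = null;
    try {
      // 1. Create an empty JCEKS store and add the password as a secret-key entry.
      KeyStore ks = KeyStore.getInstance("JCEKS");
      ks.load(null, master);
      KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(master);
      try {
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(secret, "RAW")), pp);
      } finally { pp.destroy(); }

      // 2. Serialize the store and load it again, as a restarted process would.
      ByteArrayOutputStream out = new ByteArrayOutputStream();
      ks.store(out, master);
      KeyStore reloaded = KeyStore.getInstance("JCEKS");
      reloaded.load(new ByteArrayInputStream(out.toByteArray()), master);

      // 3. Read the entry back with the correct entry password.
      pp = new KeyStore.PasswordProtection(master);
      try {
        recovered = ((KeyStore.SecretKeyEntry) reloaded.getEntry(alias, pp)).getSecretKey().getEncoded();
      } finally { pp.destroy(); }
      System.out.println("round trip ok: " + Arrays.equals(secret, recovered));

      // 4. A wrong entry password must not yield the secret.
      try {
        reloaded.getEntry(alias, new KeyStore.PasswordProtection("wrong".toCharArray()));
        System.out.println("unexpected: entry opened with wrong password");
      } catch (UnrecoverableEntryException expected) {
        System.out.println("wrong entry password rejected");
      }
    } finally {
      // Clear every array this code owns, whether or not an exception was thrown.
      Arrays.fill(master, '\0');
      Arrays.fill(secret, (byte) 0);
      if (recovered != null) Arrays.fill(recovered, (byte) 0);
    }
  }
}
```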

License: CC-BY-SA with attribution
Not affiliated with StackOverflow