Skip to main content
Join the official Python Developers Survey 2018 and win valuable prizes: Start the survey!

pure python jks file parser

Project description


A pure python Java KeyStore file parser, including private key decryption.

Usage examples:

Reading a JKS or JCEKS keystore and dumping out its contents in the PEM format:
import sys, base64, textwrap
import jks

def print_pem(data, type):
print "-----BEGIN %s-----" % type
print "\r\n".join(textwrap.wrap(base64.b64encode(data), 64))
print "-----END %s-----" % type

ks = jks.KeyStore.load("keystore.jks", "XXXXXXXX")

for pk in ks.private_keys:
print "Private key: %s" % pk.alias
print_pem(pk.pkey, "RSA PRIVATE KEY")
for c in pk.cert_chain:
print_pem(c[1], "CERTIFICATE")

for c in ks.certs:
print "Certificate: %s" % c.alias
print_pem(c.cert, "CERTIFICATE")

Transforming an encrypted JKS/JCEKS file into an OpenSSL context):
import OpenSSL
import jks

_ASN1 = OpenSSL.crypto.FILETYPE_ASN1

def jksfile2context(jks_file, passphrase):
keystore = jks.KeyStore.load(jks_file, passphrase)
pkey = OpenSSL.crypto.load_privatekey(_ASN1, keystore.private_key.pkey)
trusted_certs = [OpenSSL.crypto.load_certificate(_ASN1, cert.cert)
for cert in keystore.certs]
public_cert = OpenSSL.crypto.load_certificate(
_ASN1, keystore.private_keys[0].cert_chain[0][1])

ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
#want to know ASAP if there is a problem with the protected
cert_store = ctx.get_cert_store()
for cert in trusted_certs:
return ctx


The best way to utilize a certificate stored in a jks file up to this point has been
to use the java keytool command to transform to pkcs12, and then openssl to transform to pem.

This is better:

1- no security concerns in passwords going into command line arguments, or unencrypted files being left around

2- no dependency on a JVM

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date (5.2 kB) Copy SHA256 hash SHA256 Source None Mar 4, 2015

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page