# Specifications

Full specifications for KeyStore Explorer, including supported algorithms, key sizes and file formats, are included below.

## KeyStores

KeyStore Explorer supports the management of the following KeyStore types:

Type | Description |
---|---|

JKS | Java KeyStore. Oracle's KeyStore format. |

JCEKS | Java Cryptography Extension KeyStore. More secure version of JKS. |

PKCS #12 | Public-Key Cryptography Standards #12 KeyStore. RSA's KeyStore format. |

BKS | Bouncy Castle KeyStore. Bouncy Castle's version of JKS. |

BKS-V1 | Bouncy Castle KeyStore (older version). |

UBER | Bouncy Castle UBER KeyStore. More secure version of BKS. |

BCFKS | Bouncy Castle FIPS KeyStore (uses FIPS compliant algorithms PBDKF2, SHA-512 and AES CCM). |

## Key Pairs

KeyStore Explorer supports RSA, DSA and EC Key Pairs. It is capable of generating such Key Pairs with the following key sizes and signature algorithms:

Key Pair Algorithm | Key Size (bits) | Signature Algorithm |
---|---|---|

DSA | 512 - 1024 | SHA-1 with DSA |

SHA-224 with DSA | ||

SHA-256 with DSA | ||

SHA-384 with DSA | ||

SHA-512 with DSA | ||

RSA | 512 - 16384 | MD2 with RSA |

MD5 with RSA | ||

RIPEMD-128 with RSA | ||

RIPEMD-160 with RSA | ||

RIPEMD-256 with RSA | ||

SHA-1 with RSA | ||

SHA-224 with RSA | ||

SHA-256 with RSA | ||

SHA-384 with RSA * | ||

SHA-512 with RSA ** | ||

SHA-1 with RSA and MGF1 | ||

SHA-224 with RSA and MGF1 | ||

SHA-256 with RSA and MGF1 | ||

SHA-384 with RSA and MGF1 * | ||

SHA-512 with RSA and MGF1 ** |

Key Pair Algorithm | Curve Set | Curves *** |
---|---|---|

EC | NIST | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 |

SEC | secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1 | |

ANSI X9.62 | prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1 | |

Brainpool | brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1 | |

Edwards curves | Ed25519, Ed448 |

* - Requires an RSA key size of at least 624 bits

** - Requires an RSA key size of at least 752 bits

*** - Availability of curves depends on the keystore type.

## Certificates and CRLs

KeyStore Explorer supports Version 1 and Version 3 X.509 certificates as well as CRLs. In addition for Version 3 Certificates and CRLs it supports the display of a wide range of extensions.

## Certificate Signing Requests (CSR)

KeyStore Explorer supports the generation and signing of the following CSR types:

Type | Description |
---|---|

PKCS #10 | Public-Key Cryptography Standards #10 CSR, RSA's CSR format. |

SPKAC | Signed Public Key and Challenge (SPKAC), Netscape's CSR format. |

## X.509 Extensions

KeyStore Explorer supports the display of the full set of extensions specified in RFC 5280 (Certificate and CRL Profile). In addition most of the certificate extensions are available for addition to generated certificates and signed CSRs.

Extension Name | Extension OID | View | Add to Certificates / CSRs |
---|---|---|---|

Entrust Version Information | 1.2.840.113533.7.65.0 | X | |

Authority Information Access | 1.3.6.1.5.5.7.1.1 | X | X |

Subject Information Access | 1.3.6.1.5.5.7.1.11 | X | X |

Subject Directory Attributes | 2.5.29.9 | X | |

Subject Key Identifier | 2.5.29.14 | X | X |

Key Usage | 2.5.29.15 | X | X |

Private Key Usage Period | 2.5.29.16 | X | X |

Subject Alternative Name | 2.5.29.17 | X | X |

Issuer Alternative Name | 2.5.29.18 | X | X |

Basic Constraints | 2.5.29.19 | X | X |

CRL Number | 2.5.29.20 | X | X |

Reason Code | 2.5.29.21 | X | N/A |

Hold Instruction Code | 2.5.29.23 | X | N/A |

Invalidity Date | 2.5.29.24 | X | N/A |

Delta CRL Indicator | 2.5.29.27 | X | N/A |

Issuing Distribution Point | 2.5.29.28 | X | N/A |

Certificate Issuer | 2.5.29.29 | X | N/A |

Name Constraints | 2.5.29.30 | X | X |

CRL Distribution Points | 2.5.29.31 | X | X |

Certificate Policies | 2.5.29.32 | X | X |

Policy Mappings | 2.5.29.33 | X | X |

Authority Key Identifier | 2.5.29.35 | X | X |

Policy Constraints | 2.5.29.36 | X | X |

Extended Key Usage | 2.5.29.37 | X | X |

Freshest CRL | 2.5.29.46 | X | |

Inhibit Any Policy | 2.5.29.54 | X | X |

## Key Pair Import and Export

KeyStore Explorer supports the following formats for the import and export of Key Pair entries.

Format | Private Part | Public Part |
---|---|---|

PKCS #12 | X | X |

PKCS #8 DER * | X | |

PKCS #8 PEM * | X | |

PVK | X | |

OpenSSL DER ** | X | |

OpenSSL PEM ** | X | |

X.509 DER | X | |

X.509 PEM | X | |

PKCS #7 DER | X | |

PKCS #7 PEM | X | |

PKI Path | X | |

SPC | X |

* - Where PKCS #8 is encrypted KeyStore Explorer supports the following PBE algorithms:

PBE Algorithm |
---|

SHA-1 and 40 bit RC4 |

SHA-1 and 128 bit RC4 |

SHA-1 and 2 key DESede |

SHA-1 and 3 key DESede |

SHA-1 and 40 bit RC2 |

SHA-1 and 128 bit RC2 |

** - Where OpenSSL is encrypted KeyStore Explorer supports the following PBE algorithms:

PBE Algorithm |
---|

PBE with DES CBC |

PBE with DESede CBC |

PBE with 128 bit AES CBC |

PBE with 192 bit AES CBC |

PBE with 256 bit AES CBC |

## Trusted Certificate Import and Export

KeyStore Explorer supports the following formats for the import and export of Trusted Certificate entries:

Format |
---|

X.509 DER |

X.509 PEM |

PKCS #7 DER |

PKCS #7 PEM |

PKI Path |

SPC |

## Public Key Export

KeyStore Explorer can export the public keys of Key Pair and Trusted Certificate entries in OpenSSL (SubjectPublicKeyInfo) format.

## Digital Signatures

KeyStore Explorer supports the digital signing of CSRs, JARs and MIDlets using the following signature algorithms:

Signature Subject | Signature Algorithms |
---|---|

CSR | MD2 with RSA |

MD5 with RSA | |

RIPEMD-128 with RSA | |

RIPEMD-160 with RSA | |

RIPEMD-256 with RSA | |

SHA-1 with RSA | |

SHA-224 with RSA | |

SHA-256 with RSA | |

SHA-384 with RSA * | |

SHA-512 with RSA ** | |

SHA-1 with DSA | |

SHA-224 with DSA | |

SHA-256 with DSA | |

SHA-384 with DSA | |

SHA-512 with DSA | |

JAR | MD2 with RSA |

MD5 with RSA | |

SHA-1 with RSA | |

SHA-1 with DSA | |

MIDlet | SHA-1 with RSA |

* - Requires a signing RSA key size of at least 624 bits

** - Requires a signing RSA key size of at least 752 bit