{"id":36676497,"url":"https://github.com/lwithers/minijks","last_synced_at":"2026-01-12T10:51:07.562Z","repository":{"id":18892855,"uuid":"85517518","full_name":"lwithers/minijks","owner":"lwithers","description":"Simple Go replacement for the Java keystore tool","archived":false,"fork":false,"pushed_at":"2024-09-13T11:22:39.000Z","size":44,"stargazers_count":8,"open_issues_count":0,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-12-06T21:11:54.511Z","etag":null,"topics":["encryption","java-keystore"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lwithers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-19T23:46:02.000Z","updated_at":"2024-09-13T11:22:35.000Z","dependencies_parsed_at":"2022-07-25T06:47:01.756Z","dependency_job_id":null,"html_url":"https://github.com/lwithers/minijks","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/lwithers/minijks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwithers%2Fminijks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwithers%2Fminijks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwithers%2Fminijks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwithers%2Fminijks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lwithers","download_url":"https://codeload.github.com/lwithers/minijks/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwithers%2Fminijks/sbom","scorecard":{"id":606609,"data":{"date":"2025-08-11","repo":{"name":"github.com/lwithers/minijks","commit":"aea1245e8ebc0d9480707717ea58766ee329a3a7"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":8,"reason":"1 out of the last 1 releases have a total of 1 signed artifacts.","details":["Info: signed release artifact: minijks-linux-x86_64.asc: https://github.com/lwithers/minijks/releases/tag/v0.5.0","Warn: release artifact v0.5.0 does not have provenance: https://api.github.com/repos/lwithers/minijks/releases/6513255"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-21T01:45:23.078Z","repository_id":18892855,"created_at":"2025-08-21T01:45:23.078Z","updated_at":"2025-08-21T01:45:23.078Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338846,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T10:40:25.642Z","status":"ssl_error","status_checked_at":"2026-01-12T10:39:27.820Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","java-keystore"],"created_at":"2026-01-12T10:51:06.103Z","updated_at":"2026-01-12T10:51:07.550Z","avatar_url":"https://github.com/lwithers.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# minijks Java keytool replacement\n\nThis is a replacement for the Java `keytool` program that manipulates `.jks`\n(Java keystore) files. Its purpose is to reduce the pain of DevOps burdened by\nJava deployments.\n\n## Usage\n\nTo install:\n\n```\ngo get github.com/lwithers/minijks\n```\n\nSimply running the `minijks` command with no arguments produces a usage screen.\n\nTo inspect the content of a `.jks` file:\n\n```\n$ minijks inspect my.jks\n# … shows certificates\n$ minijks inspect --password foo my.jks\n# … shows certificates, verifies the digest, shows keys encrypted with\n    the common password\n```\n\nTo unpack a `.jks` file:\n\n```\n$ minijks unpack --password foo --key-password server:bar my.jks\n$ tree my.jks.d\nmy.jks.d/\n├── certs\n│   └── ca.pem\n├── keys\n│   └── server\n│       ├── cert-0001.pem\n│       ├── cert-0002.pem\n│       └── privkey.pem\n└── password\n\n3 directories, 5 files\n```\n\n### Inspect\n\nThe `inspect` command will show details about the certificates and possibly the\nprivate keys embedded in the `.jks` file.\n\nWithout a password, the tool is able to display all the certificates and can\nshow which private keys are in the file (alias, timestamp, and associated\ncertificate chain), but it cannot decrypt the private keys to inspect them or\nverify the integrity digest over the file.\n\nIf the keystore password is given, then the integrity digest can be verified.\nFurthermore, this password will be used to attempt to decrypt each private key\nembedded in the file. It is possible that one or more keys were encrypted using\ndifferent passwords; in that case, the `--key-password \u003ckey_alias:password\u003e`\noption may be used.\n\n### Unpack\n\nThe `unpack` command will unpack each certificate (and private key if the\npassword is given) into a directory tree. It could be considered similar to\na `tar x` operation.\n\nThe output directory name is derived by taking the source filename and adding a\n`.d` onto the end. If the directory already exists the command will refuse to\nrun.\n\nThe directory tree format is suitable for use with the `pack` command.\n\n### Pack\n\nThe `pack` command will pack a directory tree into a `.jks` file. It takes two\narguments: the name of the input directory, and the name of the output file. It\ncould be considered similar to a `tar c` operation.\n\nTODO: explain directory format.\n\n### Pack key file\n\nThe `keyfile` command will pack a single private key and associated certificate\nchain into a `.jks` file. It takes two or more arguments: the name of the\noutput file, and then one or more `.pem` input files. The certificates are\npacked in the order they are named on the command line, and then the order\nthey appear in the input file(s). The first certificate (leaf certificate)\nis expected to match the private key.\n\nThis command is a shortcut to packing a `.jks` file containing a single client\nor server keypair.\n\n## TODO list\n\nPull requests accepted!\n\n- OpenJDK appears to have a second key encryption algorithm available for private\n  keys using 3DES. This needs to be implemented for decryption purposes.\n- Validation hints:\n  - Check that certificate entries are valid CA certificates (intermediate or\n    otherwise).\n  - Check private key certificate chains have correct corresponding public key,\n    correct order, and do not include the final root CA.\n- Write clear file format specifications in a document.\n- Testcases! I have some internal ones but they're not data I can share, so it\n  would be good to gather some real-world examples and check that we can\n  process them correctly.\n- Unit tests for the functions would be good.\n- PKCS#8 library: either find an existing one and extend it with the algorithms\n  we need for Java, or write a new one.\n- Programmable mode? Auto-generate a new .jks file based on a set of\n  instructions.\n\n## References\n\n### Keystore format\n\nThe `.jks` file format doesn't appear to be explicitly documented, but the\nOpenJDK source is clear enough. It has a comment giving the file structure as\nwell as code for parsing and creating `.jks` files:\n- http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/sun/security/provider/JavaKeyStore.java#l492\n\n### PKCS#8\n\nPrivate keys are wrapped in PKCS#8, which is actually incredibly simple. It's\nan ASN.1 object that has an algorithm OID followed by a blob of encrypted data.\nDetails in RFC5208 §6:\n- https://tools.ietf.org/html/rfc5208#section-6\n\n### Key encryption type 1\n\nThere appear to be two types of encryption that can be used to encrypt the\nprivate keys. One of them seems to be custom crypto (you should *never* do\nthis):\n- identified by algorithm OID 1.3.6.1.4.1.42.2.17.1.1\n- http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/com/sun/crypto/provider/KeyProtector.java#l192\n\n### Key encryption type 2\n\nAnother type of encryption used to encrypt private keys. This might be specific\nto OpenJDK. It appears to be a custom combination of existing algorithms:\n- identified by algorithm OID 1.3.6.1.4.1.42.2.19.1\n- http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/com/sun/crypto/provider/PBEWithMD5AndTripleDESCipher.java\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flwithers%2Fminijks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flwithers%2Fminijks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flwithers%2Fminijks/lists"}