Listing Keystore Contents

The list command is used to display the content of the key store. It can be used to display the overall content of all key store implementations, to display the content of a specific key store implementation, or to display details about a specific key if we know its label.

Listing the content of all key store implementations

To see all the private keys available on the device, use the command:

keytool -list

The output, depending on the actual keys present on the device, will look similar to:

Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Store Label: Software key store
gm0 is a 512 bits RSA key 

Store Label: Software key store
gm1 is a 512 bits DSA key 

Store Label: Software key store
Tls RSAKey is a 1024 bits RSA key

In this case, there are two RSA keys and one DSA key. You can get more information than the output above by using the -details (-d for short) option:

keytool -l -d
Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Store Label: Software key store
Version: 1.00      Serial Number: 0      Manufacturer: Nokia Corporation Store Type: Read only
        Algorithm: RSA    Size: 512  bits
        Usage : PKCS15 DecryptSignSignRecover    Code: 0xe 
        Owner : 0x101f7e95 
        User : 0x101f7e95 
        Access flags: Extractable 
        ID: 4d 15 e9 01 c6 ea ff a0 11 57 05 60 f4 ba 0c 0f 58 db ae e7 
        Label: gm0
        Native: Yes 
        Start date: not set    End date: not set

The following fields make up the output of the list command (each field name is followed by its description):

Algorithm

The algorithm field shows the type of keys available. The valid values are RSA and DSA.

Size

The size of the key in bits. For instance, in the example above, the RSA keys are 512 and 1024 bits long. The maximum allowed key size, as of now, is 2048 bits.

Usage

The usage attribute specifies the tasks which we can perform with the given key. Valid values for usage are:

  • sign and signrecover for DSA keys

  • sign, signrecover, decrypt and unwrap for RSA keys

Usage attributes are set during key import. Attempts to set invalid usages will result in an error.

Owner

Each key belongs to a specific UID, which represents the owner of the key. Typically the owner of a key is the application that imported it. Only the owner of the key can remove it from the key store, and only the owner can set the users of a key.

The owner of a key can be changed after import by a process holding the WriteDeviceData capability, using keytool -m <keyname>. Any process with the WriteDeviceData capability can manipulate keys in this way.

User

The user attribute is a list of application UIDs. Each of those UIDs is allowed to use the key to perform a task allowed by its usage attribute, for example, sign data, verify a signature, and so on.

By default, the only user of a key is its owner's UID. The user list can be opened to all applications with keytool -a <keyname>.

Access Flags

Access flags reflect those defined in the PKCS#11 standard. The values are:

  • Sensitive – The key can only be exported in encrypted form. A key marked as sensitive might have been imported either from a cleartext or from an encrypted source.

  • Extractable – The key can be exported.

  • AlwaysSensitive – The key has never existed outside the keystore in unencrypted form. This flag is set automatically by the key store and cannot be set explicitly. It is set only if the key was imported as Sensitive from an encrypted source.

  • NeverExtractable – The key cannot be exported and has never existed outside the keystore, which implies that the key was created on the device.

  • Local – The key was created on the device, rather than being imported.

Access flags can be set only during import, and only the values Sensitive and Extractable can be set by the user. See the section Importing private keys.

ID

A unique identifier for the key, displayed as hexadecimal bytes (20 bytes in the example above).

Label

The key label. A human-readable handle for the key.

Native

Specifies whether cryptographic operations involving the key will be performed on the cryptographic token or outside it. For instance, a hardware keystore might provide key storage but no facilities for encryption which will then be executed outside the token (native is false). This is always true for the Symbian file key store implementation.

Start and End date

The period of time when the key is actually valid. The key cannot be used outside this time frame.

Listing the content of a specific key store implementation

If the content of only a specific key store implementation is required, the list command can be restricted to that implementation using the -store option. If, for instance, the content of the key store implementation with index 0 is required (see the section Working with multiple keystore implementations for details on how to list the available key store implementations), issue the following command:

keytool -store 0 -list

Depending on the content of the key store implementation with index 0, output similar to the following is displayed:

Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
    Algorithm: RSA    Size: 512 bits
    Usage: Pkcs15 Sign     Code: 0x4
    Owner: 0x101f7e95
    User: 0x101f7e95
    Access Flags: Extractable
    ID: …
    Label: rsa1
    Native: Yes
    Start Date: not set     End Date: not set

If you try to specify a non-existing key store implementation, the following error will occur:

Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
The specified keystore implementation does not exist.
Error during list!
Error code KErrArgument.

Displaying information about a specific private key

It is possible to display information about a specific key whose label is known. This is useful, for instance, when the key store contains a large number of keys and only one of them is of interest. For example, to display information about the key with label “rsa1”, you can issue the command:

keytool -list rsa1 -d

Remember that labels are case sensitive. The output should be similar to:

Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
    Algorithm: RSA    Size: 512 bits
    Usage: Pkcs15 Sign     Code: 0x4
    Owner: 0x101f7e95
    User: 0x101f7e95
    Access Flags: Extractable
    ID: …
    Label: rsa1
    Native: Yes
    Start Date: not set     End Date: not set

If no key in the key store corresponds to the given label, the following error will occur:

Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Cannot find the specified key.

Wildcards

The list command supports wildcards (“*” and “?”) in key labels. For instance, the following command lists information about all keys whose label contains the string “dsa”:

c:\>keytool -l *dsa*
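To put the field definitions above and the wildcard matching to practical use, here is an added example (not part of keytool or the Symbian documentation) that parses the text keytool -l -d prints, selects entries by a case-sensitive “*”/“?” label pattern, and flags what a reviewer would want to look at: keys shorter than 1024 bits, Extractable keys without Sensitive (exportable in cleartext), keys granted to UIDs other than their owner, and flag combinations that contradict the definitions above. The listing it parses is constructed after the sample output on this page; the key IDs, the second key and its two-UID User line are invented for the example, and the exact way keytool renders a key with several users is an assumption.

```python
"""Parse and audit the output of `keytool -l -d` (added example; not part of keytool)."""
import fnmatch
import re

# Constructed listing, modelled on the sample output on this page.  The key IDs,
# the second key and its two-UID "User" line are invented; how keytool renders a
# key with several users is an assumption.
SAMPLE_LISTING = """\
Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Store Label: Software key store
Version: 1.00      Serial Number: 0      Manufacturer: Nokia Corporation Store Type: Read only
        Algorithm: RSA    Size: 512  bits
        Usage : PKCS15 DecryptSignSignRecover    Code: 0xe
        Owner : 0x101f7e95
        User : 0x101f7e95
        Access flags: Extractable
        ID: 4d 15 e9 01 c6 ea ff a0 11 57 05 60 f4 ba 0c 0f 58 db ae e7
        Label: gm0
        Native: Yes
        Start date: not set    End date: not set

Store Label: Software key store
        Algorithm: DSA    Size: 1024  bits
        Usage : PKCS15 Sign    Code: 0x4
        Owner : 0x101f7e95
        User : 0x101f7e95 0x2000a1b2
        Access flags: Sensitive AlwaysSensitive NeverExtractable Local
        ID: 0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d
        Label: gm1
        Native: Yes
        Start date: not set    End date: not set
"""

# One "Name: value" pair, or several on a line separated by runs of spaces
# (e.g. "Algorithm: RSA    Size: 512  bits").
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|$)")


def parse_listing(text):
    """Return one dict per key entry: lower-cased field names plus "store"."""
    records, store, current = [], "", None
    for line in text.splitlines():
        pairs = {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(line)}
        if not pairs:                       # banner, copyright and blank lines
            continue
        if "store label" in pairs:          # store header: remember it, close any record
            store, current = pairs["store label"], None
            continue
        if "algorithm" in pairs:            # first line of every key entry
            current = {"store": store}
            records.append(current)
        if current is not None:             # store-level lines (Version, ...) are skipped
            current.update(pairs)
    return records


def size_bits(rec):
    return int(rec["size"].split()[0])      # "512  bits" -> 512


def flags(rec):
    return set(rec.get("access flags", "").split())


def select_by_label(records, pattern):
    """Case-sensitive '*' / '?' matching on the label, as keytool -list does."""
    return [r for r in records if fnmatch.fnmatchcase(r["label"], pattern)]


def audit(rec):
    """Findings derived from the field semantics described on this page."""
    found, fl = [], flags(rec)
    if size_bits(rec) < 1024:
        found.append(f"{rec['algorithm']} key of {size_bits(rec)} bits is below 1024 bits")
    if "Extractable" in fl and "Sensitive" not in fl:
        found.append("Extractable without Sensitive: key can be exported in cleartext")
    others = [u for u in rec.get("user", "").split() if u != rec.get("owner")]
    if others:
        found.append("usable by UIDs other than the owner: " + ", ".join(others))
    if "NeverExtractable" in fl and ("Extractable" in fl or "Local" not in fl):
        found.append("inconsistent flags: NeverExtractable implies Local and not Extractable")
    if "AlwaysSensitive" in fl and "Sensitive" not in fl:
        found.append("inconsistent flags: AlwaysSensitive implies Sensitive")
    if rec.get("end date", "not set") == "not set":
        found.append("no end date: validity period is open-ended")
    return found


if __name__ == "__main__":
    for rec in select_by_label(parse_listing(SAMPLE_LISTING), "gm*"):
        print(f"{rec['label']}: {rec['algorithm']} {size_bits(rec)} bits, flags={sorted(flags(rec))}")
        for finding in audit(rec):
            print("   !", finding)
```

Run as-is, it reports the 512-bit Extractable RSA key gm0 as weak and exportable in cleartext, and gm1 as usable by a second UID; change the pattern passed to select_by_label to narrow the listing the same way the wildcard on the command line does. Note that fnmatchcase also understands “[seq]” character classes, which keytool does not.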


Related concepts
Removing Keys