Is there a more elegant way?
On Wed, Feb 20, 2013 at 02:24:40AM +0000, mstjo...@comcast.net wrote: > Store the private key with a self-signed certificate. Replace the cert when > it is issued. > > Sent from Comcast mobile > > -----Original Message----- > From: Matthew Hall > To: security-dev > Sent: 2013-02-20 00:27:51 +0000 > Subject: Safe storage of RSA private keys before binding to X.509 cert > > Hello, > > I have a question about safely storing RSA private keys while waiting for a > Cerification Request to be processed remotely so a signed X.509 Certificate > will be returned. > > I want to store it inside the PKCS #11 KeyStore so it will be protected while > we wait for the Certificate to become available, so that both can be bound > together and then stored. > > However, the KeyStore APIs prevent this from succeeding: > > If public final void setKeyEntry(String alias, byte[] key, Certificate[] > chain) is used with keyPair.getPrivate().getEncoded(), it throws > UnsupportedOperationException. > > If public final void setKeyEntry(String alias, Key key, char[] password, > Certificate[] chain) is used, it throws java.lang.IllegalArgumentException: > Private key must be accompanied by certificate chain. > > If one creates a RAW-type SecretKey using SecretKeySpec privateKeySpec = new > SecretKeySpec(privateKeyBytes, "RAW"), and attempts to store the RAW > SecretKey, it throws java.security.KeyStoreException: Cannot convert to > PKCS11 > keys caused by java.security.InvalidKeyException: Unknown algorithm RAW. > > How is one supposed to store the RSA PrivateKey in a FIPS-safe way, if the > KeyStore refuses to handle it via any of these APIs? Several threads on > StackOverflow also mentioned this issue, with no known workaround. > > Regards, > Matthew.
