How could I do it with the undocumented classes? Muahahahahaha! :)
On Wed, Feb 20, 2013 at 02:36:26AM +0000, mstjo...@comcast.net wrote: > Not using the pkcs11 provider. If you use the (undocumented) wrapper classes > you can get more direct access to the pkcs11 libraries. Or go with the iaik > pkcs11 lobs. > > Sent from Comcast mobile > > -----Original Message----- > From: Matthew Hall > To: mstjohns > Cc: security-dev > Sent: 2013-02-20 02:27:21 +0000 > Subject: Re: Safe storage of RSA private keys before binding to X.509 cert > > Is there a more elegant way? > > On Wed, Feb 20, 2013 at 02:24:40AM +0000, mstjo...@comcast.net wrote: > > Store the private key with a self-signed certificate. Replace the cert > > when it is issued. > >> Sent from Comcast mobile > >> -----Original Message----- > > From: Matthew Hall > > To: security-dev > > Sent: 2013-02-20 00:27:51 +0000 > > Subject: Safe storage of RSA private keys before binding to X.509 cert > >> Hello, > >> I have a question about safely storing RSA private keys while waiting for > >> a > > Cerification Request to be processed remotely so a signed X.509 Certificate > > will be returned. > >> I want to store it inside the PKCS #11 KeyStore so it will be protected > >> while > > we wait for the Certificate to become available, so that both can be bound > > together and then stored. > >> However, the KeyStore APIs prevent this from succeeding: > >> If public final void setKeyEntry(String alias, byte[] key, Certificate[] > > chain) is used with keyPair.getPrivate().getEncoded(), it throws > > UnsupportedOperationException. > >> If public final void setKeyEntry(String alias, Key key, char[] password, > > Certificate[] chain) is used, it throws java.lang.IllegalArgumentException: > > Private key must be accompanied by certificate chain. > >> If one creates a RAW-type SecretKey using SecretKeySpec privateKeySpec = > >> new > > SecretKeySpec(privateKeyBytes, "RAW"), and attempts to store the RAW > > SecretKey, it throws java.security.KeyStoreException: Cannot convert to > > PKCS11 > > keys caused by java.security.InvalidKeyException: Unknown algorithm RAW. > >> How is one supposed to store the RSA PrivateKey in a FIPS-safe way, if the > > KeyStore refuses to handle it via any of these APIs? Several threads on > > StackOverflow also mentioned this issue, with no known workaround. > >> Regards, > > Matthew.
