Use the source Luke. Sent from Comcast mobile
-----Original Message----- From: Matthew Hall To: mstjohns Cc: security-dev Sent: 2013-02-20 02:48:57 +0000 Subject: Re: Safe storage of RSA private keys before binding to X.509 cert How could I do it with the undocumented classes? Muahahahahaha! :) On Wed, Feb 20, 2013 at 02:36:26AM +0000, mstjo...@comcast.net wrote: > Not using the pkcs11 provider. If you use the (undocumented) wrapper classes > you can get more direct access to the pkcs11 libraries. Or go with the iaik > pkcs11 lobs. >> Sent from Comcast mobile >> -----Original Message----- > From: Matthew Hall > To: mstjohns > Cc: security-dev > Sent: 2013-02-20 02:27:21 +0000 > Subject: Re: Safe storage of RSA private keys before binding to X.509 cert >> Is there a more elegant way? >> On Wed, Feb 20, 2013 at 02:24:40AM +0000, mstjo...@comcast.net wrote: >> Store the private key with a self-signed certificate. Replace the cert when >> it is issued. >>> Sent from Comcast mobile >>> -----Original Message----- >> From: Matthew Hall >> To: security-dev >> Sent: 2013-02-20 00:27:51 +0000 >> Subject: Safe storage of RSA private keys before binding to X.509 cert >>> Hello, >>> I have a question about safely storing RSA private keys while waiting for a >> Cerification Request to be processed remotely so a signed X.509 Certificate >> will be returned. >>> I want to store it inside the PKCS #11 KeyStore so it will be protected >>> while >> we wait for the Certificate to become available, so that both can be bound >> together and then stored. >>> However, the KeyStore APIs prevent this from succeeding: >>> If public final void setKeyEntry(String alias, byte[] key, Certificate[] >> chain) is used with keyPair.getPrivate().getEncoded(), it throws >> UnsupportedOperationException. >>> If public final void setKeyEntry(String alias, Key key, char[] password, >> Certificate[] chain) is used, it throws java.lang.IllegalArgumentException: >> Private key must be accompanied by certificate chain. >>> If one creates a RAW-type SecretKey using SecretKeySpec privateKeySpec = >>> new >> SecretKeySpec(privateKeyBytes, "RAW"), and attempts to store the RAW >> SecretKey, it throws java.security.KeyStoreException: Cannot convert to >> PKCS11 >> keys caused by java.security.InvalidKeyException: Unknown algorithm RAW. >>> How is one supposed to store the RSA PrivateKey in a FIPS-safe way, if the >> KeyStore refuses to handle it via any of these APIs? Several threads on >> StackOverflow also mentioned this issue, with no known workaround. >>> Regards, >> Matthew.