Abandon all hope, ye who import sun.* ? :-D
On Wed, Feb 20, 2013 at 02:54:08AM +0000, mstjo...@comcast.net wrote: > Use the source Luke. > > Sent from Comcast mobile > > -----Original Message----- > From: Matthew Hall > To: mstjohns > Cc: security-dev > Sent: 2013-02-20 02:48:57 +0000 > Subject: Re: Safe storage of RSA private keys before binding to X.509 cert > > How could I do it with the undocumented classes? Muahahahahaha! :) > > On Wed, Feb 20, 2013 at 02:36:26AM +0000, mstjo...@comcast.net wrote: > > Not using the pkcs11 provider. If you use the (undocumented) wrapper > > classes you can get more direct access to the pkcs11 libraries. Or go with > > the iaik pkcs11 lobs. > >> Sent from Comcast mobile > >> -----Original Message----- > > From: Matthew Hall > > To: mstjohns > > Cc: security-dev > > Sent: 2013-02-20 02:27:21 +0000 > > Subject: Re: Safe storage of RSA private keys before binding to X.509 cert > >> Is there a more elegant way? > >> On Wed, Feb 20, 2013 at 02:24:40AM +0000, mstjo...@comcast.net wrote: > >> Store the private key with a self-signed certificate. Replace the cert > >> when it is issued. > >>> Sent from Comcast mobile > >>> -----Original Message----- > >> From: Matthew Hall > >> To: security-dev > >> Sent: 2013-02-20 00:27:51 +0000 > >> Subject: Safe storage of RSA private keys before binding to X.509 cert > >>> Hello, > >>> I have a question about safely storing RSA private keys while waiting for > >>> a > >> Cerification Request to be processed remotely so a signed X.509 > >> Certificate > >> will be returned. > >>> I want to store it inside the PKCS #11 KeyStore so it will be protected > >>> while > >> we wait for the Certificate to become available, so that both can be bound > >> together and then stored. > >>> However, the KeyStore APIs prevent this from succeeding: > >>> If public final void setKeyEntry(String alias, byte[] key, Certificate[] > >> chain) is used with keyPair.getPrivate().getEncoded(), it throws > >> UnsupportedOperationException. > >>> If public final void setKeyEntry(String alias, Key key, char[] password, > >> Certificate[] chain) is used, it throws > >> java.lang.IllegalArgumentException: > >> Private key must be accompanied by certificate chain. > >>> If one creates a RAW-type SecretKey using SecretKeySpec privateKeySpec = > >>> new > >> SecretKeySpec(privateKeyBytes, "RAW"), and attempts to store the RAW > >> SecretKey, it throws java.security.KeyStoreException: Cannot convert to > >> PKCS11 > >> keys caused by java.security.InvalidKeyException: Unknown algorithm RAW. > >>> How is one supposed to store the RSA PrivateKey in a FIPS-safe way, if > >>> the > >> KeyStore refuses to handle it via any of these APIs? Several threads on > >> StackOverflow also mentioned this issue, with no known workaround. > >>> Regards, > >> Matthew.
