[security-dev 01750]: Re: alias in KeyPairGenerator - was: '\0' in alias name of a pkcs11 keystore

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Mon Apr 19 11:47:56 PDT 2010


You can use your custom PKCS11 config and as long as you call the 
KeyStore API to store the key (generated as session key) under the 
desired alias, it will be saved as a token key as a result.

Have you tried it and see if this solves your problem?
Valerie

On 04/19/10 08:08, Tomas Gustavsson wrote:
> If we need it it's usually for all keys, both RSA and EC.
>
> Cheers,
> Tomas
>
> "Michael StJohns" <mstjohns at comcast.net> wrote:
>
>   
>> At 04:34 AM 4/19/2010, Tomas Gustavsson wrote:
>>
>>     
>>> Hi,
>>> Sorry being late, I was away on vacation.
>>>
>>> Yes in most cases we do use a custom PKCS11 config fil, with token=yes. If we specify token=false would it still be a token object on the HSM finally?
>>>       
>> Yes.  The C_CopyObject turns the Session object into a Token object. and that happens as a side effect of the KeyStore.store operation.
>>
>>     
>>> For most HSMs we need to use a cusom PCKS11 config file, otherwise it is not possible to generate key because the HSM will throw an error, usually invalid_template.
>>>       
>> Does this happen for all keys or just for EC keys?
>>
>>
>>     
>>> Cheers,
>>> Tomas
>>>
>>>
>>> Valerie (Yu-Ching) Peng wrote:
>>>       
>>>> If the default PKCS11 config is used, I'd expect that KeyPairGenerator to generate a "session" key and then SunPKCS11 keystore impl will do a C_CopyObject(...) w/ the desired alias.
>>>> Is a custom PKCS11 config file used here? If yes, perhaps it specifies that token key be generated for key generation?
>>>> Valerie
>>>> On 03/31/10 17:51, Michael StJohns wrote:
>>>>         
>>>>> KeyPairGenerator should be generating a "Session" key pair.
>>>>>
>>>>> When you write the key store object, the underlying function should do a C_CopyObject from the Session object to a Token object.  (Or from a software key to a Token  object).  At that point, the template provided to C_CopyObject should be able to reset the CKA_LABEL attribute to the alias.
>>>>>
>>>>> Let me look at the code and see what's going on and make further comments tomorrow.
>>>>>
>>>>> Mike
>>>>>
>>>>>
>>>>> At 03:26 AM 3/31/2010, Tomas Gustavsson wrote:
>>>>>
>>>>>  
>>>>>           
>>>>>> Hi,
>>>>>>
>>>>>> Sorry if I misunderstood you. That is actually exactly how we do it,
>>>>>>
>>>>>> 1. Use KeyPairGenerator with P11 provider to generate key pair.
>>>>>> 2. Create a keystore with the P11 provier.
>>>>>> 3. Generate a self signed certificate.
>>>>>> 4. keystore.setKeyEntry(myalias, privateKey, null, cert).
>>>>>>
>>>>>> The keys work fine to use in java. The issue is that in the HSM three objects are generated/stored.
>>>>>> 1. Private key - no alias
>>>>>> 2. Public key - no alias
>>>>>> 3. Certificate - myalias
>>>>>>
>>>>>> The reason for this is that the alias of the private and public keys are set in the HSM when the keys are generated (with the KeyPairGenerator). The HSMs do not allow an alias of a private key (in particular) to be changed after generation, so setKeyEntry can not change the empty alias of the private key object.
>>>>>> This has been confirmed by technicians at AEP, but it works the same in nCipher, SafeNet and Utimaco, i.e. no alias on the private key object.
>>>>>>
>>>>>> If we want to use HSM vendors tools to manipulate objects this usually causes problems because they mostly rely on an alias.
>>>>>>
>>>>>> So finally :-) this is why an alias parameter to KeyPairGenerator would be useful.
>>>>>>
>>>>>> Cheers,
>>>>>> Tomas
>>>>>>
>>>>>>
>>>>>> On 03/30/2010 08:34 PM, Valerie (Yu-Ching) Peng wrote:
>>>>>>    
>>>>>>             
>>>>>>> Why do you assume that the key is generated in software?
>>>>>>> You use the KeyGenerator API to generate a key, this key can be
>>>>>>> generated on the HSM if you have SunPKCS11 provider configured to be the
>>>>>>> most preferred provider. This key should actually just encapsulate the
>>>>>>> native key handle (not the actual value/encoding) which you can then
>>>>>>> pass it to the KeyStore API and specify an alias. The PKCS11 keystore
>>>>>>> impl would then take this key object (with the native key handle) and
>>>>>>> create a persistent copy on the HSM with the specified alias.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Valerie
>>>>>>>
>>>>>>> On 03/29/10 22:57, Tomas Gustavsson wrote:
>>>>>>>      
>>>>>>>               
>>>>>>>> Hi, thanks for the answer.
>>>>>>>>
>>>>>>>> Generating a key in software and trying to store it on the HSM violates
>>>>>>>> the whole idea of using an HSM. Which is to generate and maintain the
>>>>>>>> keys in the HSM at all times.
>>>>>>>> Most high security policies *requires* that the keys are generated by
>>>>>>>> the HSM, inside the HSM.
>>>>>>>> I also doubt that it would work to store software generated keys using
>>>>>>>> the keytool API. Many HSMs even forbid this, at least when running in
>>>>>>>> strict FIPS mode.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Tomas
>>>>>>>>
>>>>>>>> Valerie Peng wrote:
>>>>>>>>
>>>>>>>>        
>>>>>>>>                 
>>>>>>>>> Have you tried saving that key through the KeyStore API which allows you
>>>>>>>>> to specify an alias?
>>>>>>>>> Thanks,
>>>>>>>>> Valerie
>>>>>>>>>
>>>>>>>>> On 03/26/10 00:05, Tomas Gustavsson wrote:
>>>>>>>>>
>>>>>>>>>          
>>>>>>>>>                   
>>>>>>>>>> Slightly off topic.
>>>>>>>>>> Something I would like to see is API support for setting aliases when
>>>>>>>>>> using the KeyPairGenerator. This is due to the fact that many HSMs do
>>>>>>>>>> not allow changing an alias of private keys after they have been
>>>>>>>>>> generated. Since the key pair generator sets a blank alias when using
>>>>>>>>>> PKCS#11, HSM key pairs are left with no alias.
>>>>>>>>>>
>>>>>>>>>> You can set an alias by providing it using pkcs11 attributes through
>>>>>>>>>> the provider, but that alias is provider global (for all generated key
>>>>>>>>>> pairs) which is not very usable.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Tomas
>>>>>>>>>>
>>>>>>>>>> On 03/26/2010 12:17 AM, Valerie Peng wrote:
>>>>>>>>>>
>>>>>>>>>>            
>>>>>>>>>>                     
>>>>>>>>>>> Probably not. Unless explicitly specified through KeyStore APIs, aliases
>>>>>>>>>>> are constructed using the attributes values associated with the
>>>>>>>>>>> keys/certs. Thus, this is probably due to some problem with the native
>>>>>>>>>>> library which generated the keys/certs.
>>>>>>>>>>> Valerie
>>>>>>>>>>>
>>>>>>>>>>> On 03/18/10 19:03, Weijun Wang wrote:
>>>>>>>>>>>
>>>>>>>>>>>              
>>>>>>>>>>>                       
>>>>>>>>>>>> Hi Valerie
>>>>>>>>>>>>
>>>>>>>>>>>> As described inhttp://forums.sun.com/thread.jspa?threadID=5432248,
>>>>>>>>>>>> customer's pkcs11 keystore has aliases ended with '\0'.
>>>>>>>>>>>>
>>>>>>>>>>>> Is this something we should fix on the Java side?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> Max
>>>>>>>>>>>>
>>>>>>>>>>>>                
>>>>>>>>>>>>                         
>>>>>  
>>>>>           
>
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20100419/b5fdb643/attachment.html 


More information about the security-dev mailing list