[security-dev 01741]: Re: '\0' in alias name of a pkcs11 keystore
Tomas Gustavsson
tomas at primekey.se
Fri Mar 26 07:05:12 UTC 2010
Slightly off topic.

Something I would like to see is API support for setting aliases when
using the KeyPairGenerator. This is due to the fact that many HSMs do
not allow changing an alias of private keys after they have been
generated. Since the key pair generator sets a blank alias when using
PKCS#11, HSM key pairs are left with no alias.

You can set an alias by providing it using pkcs11 attributes through the
provider, but that alias is provider global (for all generated key
pairs) which is not very usable.

Regards,
Tomas

On 03/26/2010 12:17 AM, Valerie Peng wrote:
>
> Probably not. Unless explicitly specified through KeyStore APIs, aliases
> are constructed using the attribute values associated with the
> keys/certs. Thus, this is probably due to some problem with the native
> library which generated the keys/certs.
> Valerie
>
> On 03/18/10 19:03, Weijun Wang wrote:
>> Hi Valerie
>>
>> As described in http://forums.sun.com/thread.jspa?threadID=5432248,
>> customer's pkcs11 keystore has aliases ending with '\0'.
>>
>> Is this something we should fix on the Java side?
>>
>> Thanks
>> Max
>>