Is Entry.Attribute meant to be encrypted for a PrivateKeyEntry?
Michael StJohns
mstjohns at comcast.net
Mon Jun 3 14:53:25 UTC 2019
On 6/3/2019 10:18 AM, Sean Mullan wrote:
> On 6/2/19 10:28 PM, Weijun Wang wrote:
>> I am playing with KeyStore.Entry.Attribute and found out it's only
>> retrievable with Entry::getAttributes. This means for a
>> PrivateKeyEntry that is protected with a password, you will have to
>> provide that password to get the entry first to get the attributes.
>>
>> Is this by design? So there is no way to add public attributes to
>> these entries? If I read PKCS12 correctly, the attributes is out of
>> the bag value. Therefore even if I cannot decrypt a
>> pkcs8ShroudedKeyBag, the attributes are still visible.
>>
>> Or am I missing something?
>
> Probably not. Maybe we need something like a
> KeyStore.getAttributes(String alias) method?
>
> --Sean
From what I remember, the whole thing of the PKCS12 is protected by a
MAC which is calculated from the PKCS12 password which is generally the
same as the PKCS8 password for the entry. This is somewhat the same
model that was in place for the JKS version of the key store. Is it
possible that the password is necessary to validate the attribute
integrity and that's why it's there?
Mike
More information about the security-dev
mailing list