"Pluggable" key serialization in JCE/JCA
Michael StJohns
mstjohns at comcast.net
Fri Mar 25 02:12:07 UTC 2022
On 3/24/2022 12:28 PM, Anders Rundgren wrote:
> On 2022-03-24 16:59, Michael StJohns wrote:
>> On 3/24/2022 2:46 AM, Anders Rundgren wrote:
>>> Hi List,
>>>
>>> I find it a bit strange that every user of crypto either have to write
>>> or install specific software for converting JOSE/COSE/PEM keys
>>> back-and-forth to Java's internal representation. This reduces the
>>> value of the abstract types as well.
>>>
>>> Now there is whole bunch of new algorithms coming to the Java platform
>>> making this task even less attractive.
>>>
>>> So my question is simply: How about including this part in an enhanced
>>> JCE/JCA? That is, making the encoder/decoder "pluggable" and hiding
>>> this complexity from users and library developers?
>>
>> Hi Anders -
>
> Hi Mike,
>
>>
>> Isn't that the exact purpose for KeyFactory and its plugins?
>
> They presume that you know not only the key algorithm but the
> associated parameters as well. Why should users or library developers
> have to deal with that?
Um - no. They presume you know the key algorithm, but (using EC Public
keys for example), you can use either of the X509PublicKeySpec (to
decode an encoded key), or the ECPublicKeySpec (to deal with building a
key from scratch using the parameters. You can notionally (haven't
tried it, but should work) use KeyFactory.getKeySpec() to convert
between the two formats or use Key.getEncoded() to get the default
encoding for the key.
The equivalent on the ECPrivateKey side are the ECPrivateKeySpec and
PKCS8EncodedKeySpec clases.
PEM is actually not an encoding, but a wrapping of an encoding. The only
part of Java that deals with it natively (I believe) is the
CertificateFactory for X.509 certificates. You may have an extra step
to add or remove a PEM style envelope (or the equivalent BASE64 bare
string), but that's reasonable.
>
> The requirement to know key algorithm in advance forces you into ASN.1
> decoding for dealing with PEMs. Been there done that.
Ah - not sure why you wouldn't know the key algorithm, BUT: It should
theoretically be possible to write a KeyFactory provider that does that
decoding for you from the X509PublicKeySpec (or PKCS8PrivateKeySpec) and
returns an appropriate PublicKey. Check the actual return type to figure
out what type of key. E.g.:
KeyFactory kf = KeyFactory.getInstance("GenericDecoder");
As I said below, you'll need to define the equivalent opaque format
KeySpec classes to handle COSE and JOSE. I think that's a class per
type of encoding.
>
>>
>> You might need to add KeySpec types for Jose and Cose
>> (JOSEEncodedKeySpec and COSEEncodedKeySpec) assuming both of those cover
>> all of the secret, public and private key specifications.
>>
>> Or hmm... GenericEncodedKeySpec (String alg, byte[] encoded key) or
>> GenericEncodedKeySpec (String alg, String encodedKey).
>>
>>
>>>
>>> Eventually you could end up with something like:
>>>
>>> PrivateKey privateKey = new KeyConverter().readPrivateKey(byte[] or
>>> stream);
>>>
>>> You would not even have to know in which format the key is supplied in
>>> since this could be accomplished by simple "sniffing".
>>
>> Nope. This isn't safe as someone might up with yet another
>> representation that looks like one of the "sniffable" ones. You could
>> build a private implementation that takes its best shot, but ....
>
> Finding out if the container is COSE, JOSE, or PEM is (AFAICT)
> trivial. If the guess is incorrect a properly designed decoder should
> simply fail.
It's trivial NOW because its a closed set of possibilities. And even
then, you're assuming you don't have to detect ASN1 vs raw key encodings
vs string encodings. Simply detecting a) whether a file is character,
b) detecting the character encoding, and c) accidentally thinking a
character file is actually binary or vice versa is fragile.
The addition of the "new" EC variant keys required a substantial
reworking of the API to support them and the arguments were fierce. The
additions were not free.
I deal with no fewer than 3 encodings for an EC public key. Two or
three for an EC private key. 2 or 3 text versions of a RSA public key
along with the X509Encoded binary version and the TPM binary version.
Etc. I usually know what type of key I'm dealing with when I get it,
but I would love a magic DWIM class that did the right thing on all inputs.
>
>>
>>>
>>> To make "pluggability" feasible, I'm trying to convince the JOSE/COSE
>>> folks to give each new crypto system a separate namespace as an
>>> alternative to overloading OKP (RFC 8037), even if the parameters
>>> match technically. AFAICT, X.509 public keys essentially already
>>> adhere to this notion.
>>>
>>> I would exclude private key import and export in HSMs since these are
>>> specific and rare occasions.
>>
>> Again, no. Don't do this in an incomplete way - it will come back to
>> bite you. You don't have to implement the plugin that talks to the HSM,
>> but you have to define the mechanism/API so that the HSM vendors don't
>> curse your first born child later.
>
>
> This is little bit out of my league but targeting the masses is core.
This is the problem with open source some times. It may be core, but it
is not complete and leaving this as a problem to be worked later is a
bit unprofessional.
I don't mean any offense here, but there's a problem with basing
everything what IOT requires and ignoring everything else.
Later, Mike
>
>
> Anders
>
>>
>> Mike
>>
>>
>>>
>>> WDYT?
>>>
>>> Thanx,
>>> Anders
>>
>>
>
More information about the security-dev
mailing list