[security-dev 01746]: Re: '\0' in alias name of a pkcs11 keystore

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Tue Mar 30 11:34:54 PDT 2010 

Why do you assume that the key is generated in software?
You use the KeyGenerator API to generate a key, this key can be 
generated on the HSM if you have SunPKCS11 provider configured to be the 
most preferred provider. This key should actually just encapsulate the 
native key handle (not the actual value/encoding) which you can then 
pass it to the KeyStore API and specify an alias. The PKCS11 keystore 
impl would then take this key object (with the native key handle) and 
create a persistent copy on the HSM with the specified alias.

Regards,
Valerie

On 03/29/10 22:57, Tomas Gustavsson wrote:
> Hi, thanks for the answer.
>
> Generating a key in software and trying to store it on the HSM violates
> the whole idea of using an HSM. Which is to generate and maintain the
> keys in the HSM at all times.
> Most high security policies *requires* that the keys are generated by
> the HSM, inside the HSM.
> I also doubt that it would work to store software generated keys using
> the keytool API. Many HSMs even forbid this, at least when running in
> strict FIPS mode.
>
> Regards,
> Tomas
>
> Valerie Peng wrote:
>   
>> Have you tried saving that key through the KeyStore API which allows you
>> to specify an alias?
>> Thanks,
>> Valerie
>>
>> On 03/26/10 00:05, Tomas Gustavsson wrote:
>>     
>>> Slightly off topic.
>>> Something I would like to see is API support for setting aliases when
>>> using the KeyPairGenerator. This is due to the fact that many HSMs do
>>> not allow changing an alias of private keys after they have been
>>> generated. Since the key pair generator sets a blank alias when using
>>> PKCS#11, HSM key pairs are left with no alias.
>>>
>>> You can set an alias by providing it using pkcs11 attributes through
>>> the provider, but that alias is provider global (for all generated key
>>> pairs) which is not very usable.
>>>
>>> Regards,
>>> Tomas
>>>
>>> On 03/26/2010 12:17 AM, Valerie Peng wrote:
>>>       
>>>> Probably not. Unless explicitly specified through KeyStore APIs, aliases
>>>> are constructed using the attributes values associated with the
>>>> keys/certs. Thus, this is probably due to some problem with the native
>>>> library which generated the keys/certs.
>>>> Valerie
>>>>
>>>> On 03/18/10 19:03, Weijun Wang wrote:
>>>>         
>>>>> Hi Valerie
>>>>>
>>>>> As described in http://forums.sun.com/thread.jspa?threadID=5432248,
>>>>> customer's pkcs11 keystore has aliases ended with '\0'.
>>>>>
>>>>> Is this something we should fix on the Java side?
>>>>>
>>>>> Thanks
>>>>> Max
>>>>>
>>>>>           
>
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20100330/2941f94a/attachment.html

More information about the security-dev mailing list