Not using the pkcs11 provider. If you use the (undocumented) wrapper classes you can get more direct access to the pkcs11 libraries. Or go with the iaik pkcs11 lobs.
Sent from Comcast mobile -----Original Message----- From: Matthew Hall To: mstjohns Cc: security-dev Sent: 2013-02-20 02:27:21 +0000 Subject: Re: Safe storage of RSA private keys before binding to X.509 cert Is there a more elegant way? On Wed, Feb 20, 2013 at 02:24:40AM +0000, mstjo...@comcast.net wrote: > Store the private key with a self-signed certificate. Replace the cert when > it is issued. >> Sent from Comcast mobile >> -----Original Message----- > From: Matthew Hall > To: security-dev > Sent: 2013-02-20 00:27:51 +0000 > Subject: Safe storage of RSA private keys before binding to X.509 cert >> Hello, >> I have a question about safely storing RSA private keys while waiting for a > Cerification Request to be processed remotely so a signed X.509 Certificate > will be returned. >> I want to store it inside the PKCS #11 KeyStore so it will be protected >> while > we wait for the Certificate to become available, so that both can be bound > together and then stored. >> However, the KeyStore APIs prevent this from succeeding: >> If public final void setKeyEntry(String alias, byte[] key, Certificate[] > chain) is used with keyPair.getPrivate().getEncoded(), it throws > UnsupportedOperationException. >> If public final void setKeyEntry(String alias, Key key, char[] password, > Certificate[] chain) is used, it throws java.lang.IllegalArgumentException: > Private key must be accompanied by certificate chain. >> If one creates a RAW-type SecretKey using SecretKeySpec privateKeySpec = new > SecretKeySpec(privateKeyBytes, "RAW"), and attempts to store the RAW > SecretKey, it throws java.security.KeyStoreException: Cannot convert to > PKCS11 > keys caused by java.security.InvalidKeyException: Unknown algorithm RAW. >> How is one supposed to store the RSA PrivateKey in a FIPS-safe way, if the > KeyStore refuses to handle it via any of these APIs? Several threads on > StackOverflow also mentioned this issue, with no known workaround. >> Regards, > Matthew.
