Wrox Programmer Forums
BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339
December 9th, 2006, 08:29 PM
Registered User (joined Dec 2006, 2 posts)

Encrypted private keys in keystore

I'm writing a small key management system that interfaces to a hardware security module. When the HSM generates key pairs it returns the private key encrypted in some proprietary way - as far as my code is concerned, it's just a bunch of bytes.

Everything works OK, except I can't find a way to save/recover the private key in a keystore.

To store the key I'm calling:

store.setKeyEntry("myKey", pair.getPrivate().getEncoded(), chain);

(I've tried making my PrivateKey class return lots of different getEncoded() formats, but no luck.)

When I call:

Key k = store.getKey("myKey", password);

I get a runtime exception:

java.lang.RuntimeException: forget something!

which seems to come from org\bouncycastle\jce\provider\JDKKeyStore.java:

// if we get to here key was saved as byte data, which
// according to the docs means it must be a private key
// in EncryptedPrivateKeyInfo (PKCS8 format), later...
throw new RuntimeException("forget something!");

Can anyone suggest a fix or a workaround please?

Many thanks, Tom.
December 10th, 2006, 07:07 AM
dgh, Wrox Author (joined Aug 2005, 206 posts)

Providing the key is really exportable, the simplest way to work around this is to use the output of getEncoded() to create a PKCS8EncodedKeySpec and then create a BC key using a KeyFactory. You can then store this in a regular key store.

Note: this does mean that the key data is being exposed outside the device - often hardware security modules refuse to do this unless some kind of key wrapping is used for the export.


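The recipe above, as an added Java example that is not code from the book or from either poster: it assumes bcprov and bcpkix on the classpath, uses a software-generated RSA pair as a stand-in for the HSM's exported key, and builds a throwaway self-signed certificate only because setKeyEntry refuses a private key without a chain. It works only when the exported bytes really are a PKCS#8 PrivateKeyInfo; a proprietary wrapped blob cannot be rebuilt this way.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ExportedKeyToKeyStore {
    // Rebuild a provider PrivateKey from PKCS#8 PrivateKeyInfo bytes (what getEncoded()
    // returns for an exportable key). A BKS store accepts a raw byte[] entry only if it
    // is an EncryptedPrivateKeyInfo; any other blob hits "forget something!" on getKey().
    static PrivateKey rebuildPrivateKey(byte[] pkcs8, String alg) throws GeneralSecurityException {
        KeyFactory factory = KeyFactory.getInstance(alg, "BC");
        return factory.generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    // Self-signed certificate: setKeyEntry refuses a private key without a chain.
    static X509Certificate selfSignedCert(KeyPair pair) throws Exception {
        X500Principal name = new X500Principal("CN=exported-key-demo");
        Date now = new Date();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(name, BigInteger.ONE,
                now, new Date(now.getTime() + 365L * 24 * 60 * 60 * 1000), name, pair.getPublic());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                builder.build(new JcaContentSignerBuilder("SHA256withRSA")
                        .setProvider("BC").build(pair.getPrivate())));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        char[] password = "changeit".toCharArray();
        // Constructed stand-in for the HSM's output: a software RSA key pair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        byte[] exported = pair.getPrivate().getEncoded(); // PKCS#8 PrivateKeyInfo

        PrivateKey rebuilt = rebuildPrivateKey(exported, "RSA");
        KeyStore store = KeyStore.getInstance("BKS", "BC");
        store.load(null, null);
        store.setKeyEntry("myKey", rebuilt, password,  // Key overload, not the byte[] one
                new X509Certificate[] { selfSignedCert(pair) });
        Key recovered = store.getKey("myKey", password);
        if (!java.util.Arrays.equals(recovered.getEncoded(), exported)) throw new IllegalStateException("round trip failed");
        System.out.println("stored and recovered " + recovered.getAlgorithm() + " private key");
    }
}
```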

December 10th, 2006, 08:35 AM
Registered User (joined Dec 2006, 2 posts)

Hello David:

Thanks for the quick response.

I've come up with a workaround, but I think it relies on a quirk in BKS. I have made my PrivateKey class return Format="RAW", and getEncoded returns the (unencoded) encrypted key. BKS then stores it happily. When I call getKey, it returns as a SecretKeySpec, which I can use to reconstruct my PrivateKey. Not pretty, but it works.

By the way, the device is "wrapping" the private key in hardware before exposing it outside the device, but the wrapping algorithm is proprietary, which is why I have to deal with the key as just a bunch of bytes. At the end of your discussion of EncryptedPrivateKeyInfo (on p181) you indicate that would be the correct way to deal with this situation, but I haven't found the right recipe to put all the pieces together!

Anyway, thanks for the help, and thanks also for a fantastic book. It's been absolutely invaluable in the project.

All the best, Tom.
