Encrypted private keys in keystore

tomhay · December 9th, 2006, 08:29 PM

Hi:

I'm writing a small key management system that interfaces to a hardware security module. When the HSM generates key pairs it returns the private key encrypted in some proprietary way - as far as my code is concerned, it's just a bunch of bytes.

Everything works OK, except I can't find a way to save/recover the private key in a keystore.

To store the key I'm calling:

store.setKeyEntry("myKey", pair.getPrivate().getEncoded(), chain);
(I've tried making my PrivateKey class return lots of different getEncoded() formats, but no luck.)

When I call:
Key k = store.getKey("myKey", password);

I get a runtime exception:
java.lang.RuntimeException: forget something!

which seems to come from org\bouncycastle\jce\provider\JDKKeyStore.java:

throw new RuntimeException("forget something!");
// TODO
// if we get to here key was saved as byte data, which
// according to the docs means it must be a private key
// in EncryptedPrivateKeyInfo (PKCS8 format), later...
//

Can anyone suggest a fix or a workaround please?

Many thanks, Tom.

dgh · December 10th, 2006, 07:07 AM

Providing the key is really exporting the simplest way to work around this is to use the output of getEncoded() to create a PKCS8EncodedKeySpec and then create a BC key using a KeyFactory. You can then store this in a regular key store.

Note: this does mean that the key data is being exposed outside the device - often hardware security modules refuse to do this unless some kind of key wrapping is used for the export.

Regards,

David

tomhay · December 10th, 2006, 08:35 AM

Hello David:

Thanks for the quick response.

I've come up with a workaround, but I think it relies on a quirk in BKS. I have made my PrivateKey class return Format="RAW", and getEncoded returns the (unencoded) encrypted key. BKS then stores it happily. When I call getKey, it returns as a SecretKeySpec, which I can use to reconstruct my PrivateKey. Not pretty, but it works.

By the way, the device is "wrapping" the private key in hardware before exposing it outside the device, but the wrapping algorithm is proprietary, which is why I have to deal with the key as just a bunch of bytes. At the end of your discussion of EncryptedPrivateKeyInfo (on p181) you indicate that would be the correct way to deal with this situation, but I haven't found the right recipe to put all the pieces together !

Anyway, thanks for the help, and thanks also for a fantastic book. It's been absolutely invaluable in the project.

All the best, Tom.