Does anyone know if it is possible to load a KeyStore so that it only prompts for the password for the given alias?
Example:
In my key store I have two private keys: Alice's Encryption Certificate and Bob's Encryption Certificate.
When I load my key store:
keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keyStore.load(null);
I am prompted for both Alice's and Bob's key store passwords. Once they are entered I can use getKey("Alice's Encryption Certificate", null); to retrieve Alice's private key. My keys are protected by Entrust's Security Provider, which is what prompts me for the passwords upon loading the key store. If I do not enter Bob's password and try to get his key it will return null, which is fine, but I would like to avoid the password prompt.
Is it possible to somehow specify that I only want Alice's key before loading the key store so I am never prompted for Bob's password?
Thanks.
We had the same issue and couldn't find a way to do it. Basically, you are asking if there is a way to load the keystore partially. It makes things more complicated that the MSCAPI provider ignores any password you provide.
We get around the issue by storing only one key with the MSCAPI keystore. It turns out this works better with the security model of smartcards also.
Related
I'm using the SunPKCS11 security provider to store key entries (certificate + private key) into an nShield HSM using the setKeyEntry method, but when I store the same certificate with different aliases the first one is removed from the HSM. I've tested with SoftHSM too but I get the same behaviour.
I found this in PKCS#11 Reference Guide but I'm not storing CA certificates, they are user certificates:
"If a CA certificate is already in the token, a duplicate is not stored."
Is it possible to store the same certificate (and private key) with different aliases using the SunPKCS11 security provider?
Is it feasible for a key (certificate) stored in the keystore to have its own password?
What will happen to the integrity of the keys and their passwords if the keystore's password is changed, or if we change the password of each key (certificate) to make it unique for security reasons?
I attached a table to make it clear.
Yes, the password for the private key can be different from the keystore's password.
The integrity is not touched by using different passwords for the key and the keystore.
If you have different keys in your keystore then the integrity is slightly lowered by having the same password for the key(s) and the keystore.
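The following is an added example (not code from either post) that shows what the answer describes with a plain JDK PKCS12 keystore: each key entry is protected by its own password, the store password only guards the file's integrity, and rotating the store password leaves the entry passwords untouched. It uses AES secret-key entries so that it needs no certificate material; the per-entry PasswordProtection mechanism is the same one used for private-key entries. The alias and password values are constructed for the demo, and secret keys in PKCS12 assume Java 8 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class PerEntryPasswordDemo {

    // Serialize the keystore; the store password only protects integrity (MAC), not the entries.
    static byte[] store(KeyStore ks, char[] storePass) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    // Reload from bytes; a wrong store password fails the integrity check with an IOException.
    static KeyStore load(byte[] bytes, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(bytes), storePass);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo passwords: one for the store, one per entry.
        char[] storePass = "store-password".toCharArray();
        char[] alicePass = "alice-entry-password".toCharArray();
        char[] bobPass = "bob-entry-password".toCharArray();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aliceKey = kg.generateKey();
        SecretKey bobKey = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // empty in-memory keystore
        // Each entry gets its own PasswordProtection, independent of the store password.
        ks.setEntry("alice", new KeyStore.SecretKeyEntry(aliceKey), new KeyStore.PasswordProtection(alicePass));
        ks.setEntry("bob", new KeyStore.SecretKeyEntry(bobKey), new KeyStore.PasswordProtection(bobPass));
        byte[] file = store(ks, storePass);

        KeyStore reloaded = load(file, storePass);
        SecretKey back = (SecretKey) reloaded.getKey("alice", alicePass);
        System.out.println("alice unlocked with her entry password: "
                + Arrays.equals(aliceKey.getEncoded(), back.getEncoded()));

        // Entry passwords are not interchangeable: Alice's password does not open Bob's entry.
        try {
            reloaded.getKey("bob", alicePass);
            System.out.println("unexpected: alice's password opened bob's entry");
        } catch (UnrecoverableKeyException e) {
            System.out.println("bob's entry rejected alice's password");
        }

        // A wrong store password is caught at load time by the integrity (MAC) check.
        try {
            load(file, "wrong-store-password".toCharArray());
            System.out.println("unexpected: wrong store password accepted");
        } catch (IOException e) {
            System.out.println("integrity check failed: " + e.getMessage());
        }

        // Rotating the store password re-protects the file only; entry passwords keep working.
        char[] newStorePass = "rotated-store-password".toCharArray();
        KeyStore afterRotation = load(store(reloaded, newStorePass), newStorePass);
        System.out.println("entry password still valid after store password change: "
                + (afterRotation.getKey("bob", bobPass) != null));
    }
}
```

Because the store password never unlocks an entry, an attacker who learns it can only read the certificates and tamper-check the file; each private or secret key still needs its own entry password, which is why the answer says integrity is slightly lowered when both passwords are the same.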
I need some help with this lib. I fetched the following example code from BouncyCastle and I do not understand how this works.
My code: http://pastebin.com/RieDfUd9
Dictionary: chain[0] is the sender cert.
conv is the receiver cert.
My problem is this: I need to encrypt an email using S/MIME with the public key of the person to whom I am sending the email. At the moment, in my test environment, I have access to both certificates. But in a production environment I will only have access to my own certificate (the sender's), chain[0], and the public key of those who receive. I need to encrypt the email so that it can be opened with the public key of whoever is reading it (and which was used to encrypt the message).
I already tried several ways, but I always have problems when decrypting.
You cannot do that. You will have to store the cert instead of just the public keys.
When a mail client receives an email, it has to know which private key to use to decrypt it - or it will just fail to decrypt.
How does the mail client know which private key to use? Because recipient information is also in the encrypted mail.
You can't just encrypt your data encryption key with any random public key and hope the receiver knows which key can be used to decrypt it.
That's why the BouncyCastle API takes a certificate instead of a key.
You can read more about the details of S/MIME encryption here:
https://security.stackexchange.com/questions/45222/smime-email-decryption-key-with-openssl
This link has more about how the decryption process is done for multiple recipients:
SMIME decryption for multiple recipients
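To make the answer's point concrete, here is an added example (not the question's pastebin code and not BouncyCastle's own sample) that builds a CMS EnvelopedData for two recipients, then parses it on the receiving side and prints the RecipientInfo identifiers (issuer name and serial number) that the mail client uses to pick its private key. It assumes bcprov and bcpkix on the classpath and uses the current jcajce API; the "alice", "bob" and "stranger" identities are self-signed certificates constructed for the demo.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.KeyTransRecipientId;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class RecipientInfoDemo {

    // Self-signed certificate for a constructed test identity (no real CA involved).
    static X509Certificate selfSigned(String cn, KeyPair kp) throws Exception {
        X500Name name = new X500Name("CN=" + cn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.nanoTime()), notBefore, notAfter, name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair aliceKp = kpg.generateKeyPair();
        KeyPair bobKp = kpg.generateKeyPair();
        X509Certificate alice = selfSigned("alice", aliceKp);
        X509Certificate bob = selfSigned("bob", bobKp);

        // Sender side: only the recipients' certificates are needed. Each one produces a
        // KeyTransRecipientInfo holding the content key wrapped under that recipient's public key.
        CMSEnvelopedDataGenerator gen = new CMSEnvelopedDataGenerator();
        gen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(alice).setProvider("BC"));
        gen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(bob).setProvider("BC"));
        CMSEnvelopedData envelope = gen.generate(
                new CMSProcessableByteArray("hello S/MIME".getBytes(StandardCharsets.UTF_8)),
                new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES256_CBC).setProvider("BC").build());

        // Receiver side: parse the envelope and list who it is addressed to. The issuer and
        // serial number come from the recipient's certificate, which is why the API takes a cert.
        CMSEnvelopedData received = new CMSEnvelopedData(envelope.getEncoded());
        for (Object o : received.getRecipientInfos().getRecipients()) {
            KeyTransRecipientId rid = (KeyTransRecipientId) ((RecipientInformation) o).getRID();
            System.out.println("recipient: issuer=" + rid.getIssuer() + " serial=" + rid.getSerialNumber());
        }

        // Bob matches his own certificate against the RecipientInfos, then decrypts with his private key.
        RecipientInformation forBob = received.getRecipientInfos().get(new JceKeyTransRecipientId(bob));
        byte[] plain = forBob.getContent(new JceKeyTransEnvelopedRecipient(bobKp.getPrivate()).setProvider("BC"));
        System.out.println("bob decrypted: " + new String(plain, StandardCharsets.UTF_8));

        // A certificate that was not among the recipients has no RecipientInfo to match.
        X509Certificate stranger = selfSigned("stranger", kpg.generateKeyPair());
        boolean listed = received.getRecipientInfos().get(new JceKeyTransRecipientId(stranger)) != null;
        System.out.println("stranger listed as recipient: " + listed);
    }
}
```

The lookup by JceKeyTransRecipientId is exactly what a mail client does with each certificate in its keystore: it compares issuer and serial against the RecipientInfos and only then knows which private key can unwrap the content key. A bare public key carries no issuer or serial, so an envelope built from one would leave the recipient with nothing to match.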
Note
I don't want to import a certificate into a keystore with keytool. What I want, is to add a java.security.cert.Certificate object into a java.security.KeyStore object.
Scenario
My app works with Firefox user certificates and those in a smartcard, with NSS + JSS. The app first loads all user certificates via NSS and stores them into a KeyStore object, and stores their SN, DN, etc. Then, with org.mozilla.jss.CryptoManager, I load all external modules, then every token of the modules, and finally, with this line, I get a CryptoStore with all certificates of the token:
CryptoStore store = null;
store = token.getCryptoStore();
org.mozilla.jss.crypto.X509Certificate[] certs = store.getCertificates();
Then, I read these certificates and store their SN, DN, etc., along with those data of user certificates, for UI part to show.
When doing an authentication, the user is prompted with a dialog listing all certificates to choose from. This window has a table with rows containing the alias of each certificate, the user's plus the card's. Then I pick the certificate from the keyStore with the selected alias.
Error
Here comes the problem: the keyStore only has entries of user certificates from FireFox, not those in the card. If I pick one from the card, and do this:
certificate = keyStore.getCertificate(alias);
It returns null. It makes sense because those from the card are stored in CryptoStore. Now, if I do this:
keyStore.setCertificateEntry(alias, cert); //cert is a certificate from card
no exception occurs. Then, when I do this again:
certificate = keyStore.getCertificate(alias);
A NullPointerException from sun.security.pkcs11.p11keyStore.P11KeyStore.getID() happens.
Question
Is adding a certificate from a smartcard to a java.security.KeyStore possible with my approach here?
Why the exception?
I've managed to use Sun's MSCAPI provider in my application. The problem I'm having now is that it always pops up a window, asking for a password, even though I've provided it in the code. This is a problem, because I need the cryptography functionality in a webservice.
Here's the code I have now:
String alias = "Alias to my PK";
char[] pass = "MyPassword".toCharArray();
KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, pass);
Provider p = ks.getProvider();
Signature sig = Signature.getInstance("SHA1withRSA",p);
PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
sig.initSign(key);
sig.update("Testing".getBytes());
sig.sign();
This is working great, but I get a popup asking for the password when the last line is run. How do I prevent that?
The MSCAPI provider does not support providing the password to CAPI:
A compatibility mode is supported for applications that assume a password must be supplied. It permits (but ignores) a non-null password. The mode is enabled by default. (1)
To set the password through CAPI, you must call CryptSetKeyParam with the undocumented KP_KEYEXCHANGE_PIN or KP_SIGNATURE_PIN and hope your underlying hardware token provider supports it. (They are not completely undocumented - the documentation for Windows CE and Windows Mobile mention them (2) and they are included in the header files).
My guess is that Windows is producing the pop-up.
Import your key again using the Certificate Import Wizard, but make sure that you don't check the following option on the "Password" screen.
[_] Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option.
I resolved this problem by setting the provider as follows:
signeData = gen.generate(content, ks.getProvider());
Where
ks is a KeyStore and
gen is a CMSSignedDataGenerator