
RE: [iaik-jce] NewBie Questions

Thanks for the information.

5) My entry is a key entry. I can generate the CSR, I can get the
certificate and get the public key, and all other information related to
the certificate. However, when I do getkey, which should return the RSA
private key that I generated, I get a null. Has anyone encountered this
problem before?



-----Original Message-----
From: fadushin@fadushin.ne.mediaone.net
[mailto:fadushin@fadushin.ne.mediaone.net]On Behalf Of Fred Dushin
Sent: Tuesday, January 04, 2000 10:05 AM
To: Andre Hiotis; iaik-jce@iaik.tu-graz.ac.at
Subject: Re: [iaik-jce] NewBie Questions

> I have a few questions:
>         1) Is it possible to get the source of your demo classes? It hard
> evaluate the product when you don't have anything
>         to get started with! Is their somewhere I get some source to get
> started?

These come with the distribution, under src.

>         2) I used the keytool -genkey. That seemed to have worked. Does
> generate both the public and private keys or just a skeleton for you to
> in?

From the JDK-1.2 tools documentation, I gather it generates a key pair, and
saves the private key and single self-signed certificate, which holds the

Remember, keytool is a JDK-1.2 utility which makes calls into the KeyStore
class.  The keytool utility is not written by IAIK.

>         3) It seems that the keysig is MD5, you can't specify SHA for
> RSA. Is this correct?

What do you mean here?  Do you mean the key and signing algorithms for the
-genkey command?

>         4) I generated the csr which looks ok. That did not work in Java
> 1.2, but works in JDK1.3. Is this correct?

Probably.  The keytool utility that comes with JDK-1.2 is notoriously
(see below).

>         5) I run a program that reads for the keystore (ks). There is no
> getprivatekey or getpublickey, there is only getkey!
>         When I use the getkey it returns me null. That's why I was asking
> question 2 "Does this generate both the public and private keys".
>         If it does where are they and how do I access them to sign and
> verify signatures? What does getkey return?

This depends on whether the entry in the keystore is a key entry or a
certificate entry.  Why Sun didn't expose two hashtables at the keystore
I don't know.  But you call getKey on a key entry to get the private key
good question, why not just return the right type...?).  You can get the
key by getting the certificate associated with the alias and pulling the
key from there.

>         6) Do you recommend using the keytool utility or doing everything
> from an application? Are there any other problems that I will encounter by
> using
>         the keytool with your product?

I have found the JDK-1.2 keytool utility to be a rat's nest of bugs,
features, and inconsistencies.  In particular, I have found the following
problems using IAIK as a security provider, using the IAIKKeyStore type:

+ The -v (verbose) flag seems to break almost any call, with the informative
keytool error: iaik.asn1.structures.Name
error reported.  My understanding from reading this mailinglist and perusing
archives is that this is a bug in the keytool utility.  Not having the
source to
either the keytool source or IAIK sources, I can't say for sure.

+ The -genkey command only works if IAIK is set as the *preferred* provider
the java.security system properties file.  Otherwise, you'll get the
keytool error: unknown private key type
error (or something like that)

+ The -certreq command is broken.  I've written a utility to generate a PKCS
certificate request, if anyone is interested in it.

+ The -import command is broken, if you want to import a PKCS7 certificate
(reply) into a JKS keystore (say, one you have issued using the IAIK PKCS7
CertList class)

So, to answer your question, I'd recommend skipping the keytool utility
altogether.  It's just too buggy for serious use, and by integrating it into
application, you need not restrict yourself to JDK-1.2, which is still not
widely supported.  However, please note that I do NOT speak for IAIK; these
just my personal observations.

As a final note, one person on this list inquired about a GUI interface to
keystore class.  Personally, I think this would be a good idea, since
the keytool utility is not the sort of thing you'd want to script, anyway
is where you get real functionality out of a command line interface), and,
addition, you'd be able to get around the serious bugginess of the keytool
program, script, C program, or whatever it is.  I don't know if a GUI has
been implemented, whether SUN is planning one, or whether people here would
interested in pooling together to write something open source, under the GPL
GLPL, or whatever).  I would be interested in contributing to this, if only
make the keystore a more viable medium for key management.

Any takers?

Fred Dushin
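Fred's distinction between key entries and certificate entries, and the null that Andre sees from getkey, can be checked directly against the KeyStore API. The program below is an added example written for this archive page; it is not code from the thread and not IAIK's own code. It assumes a JKS-type keystore (the type string "IAIKKeyStore" named above would be used instead for a store written with the IAIK provider installed) and that the key password equals the store password unless a fourth argument is given, which is what keytool -genkey does when -keypass is omitted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Enumeration;

/*
 * Added example (not from the thread or from IAIK): open a keystore, classify
 * one alias and show what KeyStore.getKey() returns for it.
 *
 * Assumptions: keystore type "JKS" (use "IAIKKeyStore" for a store created
 * with the IAIK provider); the key password is the store password unless a
 * fourth argument is given.
 *
 * Usage: java KeyStoreInspect <keystore-file> <storepass> <alias> [keypass]
 */
public class KeyStoreInspect {

    // What an alias names; getKey() only yields a key for KEY entries.
    enum EntryKind { MISSING, TRUSTED_CERTIFICATE, KEY }

    static EntryKind classify(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return EntryKind.MISSING;
        }
        return ks.isCertificateEntry(alias) ? EntryKind.TRUSTED_CERTIFICATE : EntryKind.KEY;
    }

    static void inspect(KeyStore ks, String alias, char[] keyPass) throws Exception {
        switch (classify(ks, alias)) {
            case MISSING: {
                // Documented behaviour: getKey() returns null, with no exception,
                // for an alias that does not exist. Check the alias before blaming the key.
                System.out.println("No entry named '" + alias + "'. Aliases present:");
                for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                    System.out.println("  " + e.nextElement());
                }
                return;
            }
            case TRUSTED_CERTIFICATE: {
                // A trusted-certificate entry holds no private key, so getKey()
                // is null here by design; the public key comes from the certificate.
                Certificate trusted = ks.getCertificate(alias);
                System.out.println(alias + ": trusted certificate entry, no private key");
                System.out.println("  public key algorithm: " + trusted.getPublicKey().getAlgorithm());
                return;
            }
            case KEY: {
                // A key entry: getKey() needs the key password, which may differ from
                // the store password. A wrong one throws rather than returning null.
                Key key;
                try {
                    key = ks.getKey(alias, keyPass);
                } catch (UnrecoverableKeyException wrongPassword) {
                    System.out.println(alias + ": key entry, but the key password is wrong");
                    return;
                }
                if (key instanceof PrivateKey) {
                    System.out.println(alias + ": private key, algorithm " + key.getAlgorithm());
                    // The matching public key is in the first certificate of the chain.
                    Certificate[] chain = ks.getCertificateChain(alias);
                    PublicKey pub = chain[0].getPublicKey();
                    System.out.println("  public key from certificate: " + pub.getAlgorithm());
                } else {
                    // getKey() may also return a SecretKey for a symmetric-key entry.
                    System.out.println(alias + ": key of type " + key.getClass().getName());
                }
                return;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeyStoreInspect <keystore-file> <storepass> <alias> [keypass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = (args.length > 3 ? args[3] : args[1]).toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption; "IAIKKeyStore" for IAIK stores
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // also checks the store's integrity against storePass
        }
        inspect(ks, args[2], keyPass);
    }
}
```

Run it against the keystore that keytool -genkey produced. If the alias is reported as missing, the null from getkey is explained by the alias rather than the key; if it is a trusted certificate entry, the store holds no private key for it and only the public key is recoverable, via getCertificate; a wrong key password surfaces as an UnrecoverableKeyException, not as a null.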
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html
