[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [iaik-jce] NewBie Questions



> I have a few questions:
>         1) Is it possible to get the source of your demo classes? It hard to
> evaluate the product when you don't have anything
>         to get started with! Is their somewhere I get some source to get me
> started?

These come with the distribution, under src.

>         2) I used the keytool -genkey. That seemed to have worked. Does this
> generate both the public and private keys or just a skeleton for you to fill
> in?

>From the JDK-1.2 tools documentation, I gather it generates a key pair, and
saves the private key and single self-signed certificate, which holds the public
key.

Remember, keytool is a JDK-1.2 utility which makes calls into the KeyStore
class.  The keytool utility is not written by IAIK.

>         3) It seems that the keysig is MD5, you can't specify SHA for keyalg
> RSA. Is this correct?

What do you mean here?  Do you mean the key and signing algorithms for the
-genkey command?

>         4) I generated the csr which looks ok. That did not work in Java
> 1.2, but works in JDK1.3. Is this correct?

Probably.  The keytool utility that comes with JDK-1.2 is notoriously bug-ridden
(see below).

>         5) I run a program that reads for the keystore (ks). Their is no
> getprivatekey or getpublickey, their is only getkey!
>         When I use the getkey is returns me null. That's why I was asking in
> question 2 "Does this generate both the public and private keys".
>         If it does where are they and how do I access them to sign and
> verify signatures? What does getkey return?

This depends on whether the entry in the keystore is a key entry or a trusted
certificate entry.  Why Sun didn't expose two hashtables at the keystore level,
I don't know.  But you call getKey on a key entry to get the private key (hm,
good question, why not just return the right type...?).  You can get the public
key by getting the certificate associated with the alias and pulling the public
key from there.

>         6) Do you recommend using the keytool utility or doing everything
> from an application? Are their any other problems that I will encounter by
> using
>         the keytool with your product?

I have found the JDK-1.2 keytool utility to be a rat's nest of bugs, incomplete
features, and inconsistencies.  In particular, I have found the following
problems using IAIK as a security provider, using the IAIKKeyStore type:

+ The -v (verbose) flag seems to break almost any call, with the informative
keytool error: iaik.asn1.structures.Name
error reported.  My understanding from reading this mailinglist and persuing the
archives is that this is a bug in the keytool utility.  Not having the source to
either the keytool source or IAIK sources, I can't say for sure.

+ The -genkey command only works if IAIK is set as the *preferred* provider in
the java.security system properties file.  Otherwise, you'll get the informative
keytool error: unknown private key type
error (or something like that)

+ The -certreq command is broken.  I've written a utility to generate a PKCS
certificate request, if anyone is interested in it.

+ The -import command is broken, if you want to import a PKCS7 certificate list
(reply) into a JKS keystore (say, one you have issued using the IAIK PKCS7
CertList class)

So, to answer your question, I'd recommend skipping the keytool utility all
together.  It's just too buggy for serious use, and by integrating it into your
application, you need not restrict yourself to JDK-1.2, which is still not
widely supported.  However, please not that I do NOT speak for IAIK; these are
just my personal observations.

As a final note, one person on this list inquired about a GUI interface to the
keystore class.  Personally, I think this would be a good idea, since generally
the keytool utility is not the sort of thing you'd want to script, anyway (which
is where you get real functionality out of a command line interface), and, in
addition, you'd be able to get around the serious bugginess of the keytool
program, script, C program, or whatever it is.  I don't know if a GUI has ever
been implemented, whether SUN is planning one, or whether people here would be
interested in pooling together to write something open source, under the GPL (or
GLPL, or whatever).  I would be interested in contributing to this, if only to
make the keystore a more viable medium for key management.

Any takers?

Fred Dushin
--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the folowing content: UNSUBSCRIBE iaik-jce