[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [iaik-jce] PKCS8ShroudedKeyBag: not decrypted yet!



Thanks for the tip! I compared the two ASN.1 structures and found out that
the difference between the two certificates lies in the way the
authenticated
safes are stored.

In the swisskey case the authenticated safes are stored in mode
PASSWORD_ENCRYPTED
while the netscape exported variant containes an UNENCRYPTED authentication
safe for the private key.

Now, I found out that the PKCS8ShroudedKeyBag doesn't get properly decrypted
if (and only if) the AuthenticatedSafe that contains the keybag is in mode
PASSWORD_ENCRYPTED. If the AuthenticatedSafe is UNENCRYPTED the decrypt
method
of the AuthenticatedSafe seems to pass on the 'decrypt' message.

I *think* this is a bug in IAIK. As a workaround I'm currently using the
following (ugly!!!) bits and pieces:

// helper class that has access to decrypt
public class DecryptedPKCS8ShroudedKeyBag extends PKCS8ShroudedKeyBag {
  public DecryptedPKCS8ShroudedKeyBag (PKCS8ShroudedKeyBag keybag, char[]
password)
    throws java.security.GeneralSecurityException,
java.security.NoSuchAlgorithmException {
    super(keybag);
    decrypt(password);
  }
}

PKCS12 np12= new PKCS12(new FileInputStream(sFile));
np12.decrypt(sPassword.toCharArray());
PrivateKey privateKey= np12.getKeyBag().getPrivateKey();
if (privateKey == null) {
  // np12.decrypt doesn't always propage decrypt correctly
  AuthenticatedSafe[] as= np12.getAuthenticatedSafes();
  for (int i= 0; i < as.length; i++) {
    SafeBag[] sb= as[i].getSafeBags();
    for (int k= 0; k < sb.length; k++) {
      if (sb[k] instanceof PKCS8ShroudedKeyBag) {
        DecryptedPKCS8ShroudedKeyBag keybag=
          new DecryptedPKCS8ShroudedKeyBag((PKCS8ShroudedKeyBag) sb[k],
sPassword.toCharArray());
        privateKey= keybag.getPrivateKey();
      }
    }
  }
}

Thanks for your help!

Cheers,
// Bruno

"Carvalho, R.F. de" wrote:
>
> Hi Bruno,
>
> Probably the PKCS#12 was created without the key bag (i.e - without the
> private key, but I don't think so) or it is not of the type
> PKCS8ShroudedKeyBag. Did you parse the ASN.1 structure? Maybe doing it you
> can have a clue to what's happening.
> And I had the same problem when I implemented my own PKCS#12 class,
because
> the IAIK PKCS#12 class could not read my key bag implementation.
>
> Regards,
>
> Rodrigo
>
> -----Original Message-----
> From: Bruno Essmann [mailto:bruno.essmann@ergon.ch]
> Sent: woensdag 22 november 2000 15:25
> To: Carvalho, R.F. de
> Subject: Re: [iaik-jce] PKCS8ShroudedKeyBag: not decrypted yet!
>
> Hi Rodrigo!
>
> Yes, I can access the whole certificate chain, fingerprints
> and the extensions. (Even though one of the extensions doesn't
> seem to be supported.) The only thing that differs between the
> cert from Swisskey and the one exported by netscape is that
> the private key is readable. ?!?
>
> Cheers,
> // Bruno
>
> "Carvalho, R.F. de" wrote:
> >
> > Bruno
> >
> > Are you able to retrive the CertificateBag information?
> >
> > Regards,
> >
> > Rodrigo Carvalho
> >
> > -----Original Message-----
> > From: Bruno Essmann [mailto:bruno.essmann@ergon.ch]
> > Sent: woensdag 22 november 2000 14:56
> > To: iaik-jce@iaik.tu-graz.ac.at
> > Subject: [iaik-jce] PKCS8ShroudedKeyBag: not decrypted yet!
> >
> > Hello!
> >
> > I'm trying to fiddle out what I'm doing wrong in decrypting
> > a PKCS12 file. I observe the following strange behaviour with
> > a certificate I got from Swisskey CA:
> >
> > - The private key of this cert is "null" when read with
> >   the code listed below.
> > - If the cert is imported in e.g. netscape and exported again
> >   the code listed below extracts the private key correctly.
> >
> > PKCS12 np12= new PKCS12(new FileInputStream(sFile));
> > np12.decrypt(sPassword.toCharArray());
> > System.out.println("key bag: "+ np12.getKeyBag());
> > System.out.println("private key: "+ np12.getKeyBag().getPrivateKey());
> >
> > Interestingly the output using the unmodified cert issued by
> > Swisskey is:
> >
> > key bag: PKCS8ShroudedKeyBag: not decrypted yet!
> > private key: null
> >
> > When importing and exporting the cert in netscape the output is
> > as expected, i.e. I get a listing of private key algorithm, bag
> > type, friendly name, local key id, and a valid private key.
> >
> > Now, the docu of PKCS8ShroudedKeyBag says that decription is handled
> > behind the scenes, which it's not. Hmm... I'm puzzled!
> >
> > Anybody any ideas?!
> >
> > Thanks in advance,
> > // Bruno
> >
> > --
> >
> >   _  _  _  _  _   Ergon Informatik AG         Bruno Essmann
> >  /_\| \/ \/ \| \  Baechtoldstrasse 4          dipl. Informatik Ing. ETH
> >  \  |  \_/\_/| |  8044 Zuerich - Switzerland  bruno.essmann@ergon.ch
> >         /         Phone: +41-1-268 89 00      Direct Line: +41-1-268 89
16
> >                   Fax: +41-1-261-27-50        http://www.ergon.ch/
> > --
> > Mailinglist-archive at
> > http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html
> >
> > To unsubscribe send an email to listserv@iaik.at with the folowing
> content:
> > UNSUBSCRIBE iaik-jce
> >
--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the folowing content:
UNSUBSCRIBE iaik-jce