Make Keystore Exportable
Author:
andre999, Visitor
14/06/2012 03:46:39
Hi,
I'm developing a small application that is capable of importing a pfx (self-signed CA from PKCS12) into the MS store (MSKS) using JCAPI.
Is JCAPI-1.2.5.1 able to make the private key exportable?
The following is the code that does the import. However, the key is not exportable when viewed with the Windows CertMgr tool.
-----------------------------------------------------------
import java.io.File;
import java.io.FileInputStream;
import java.security.Key;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

char[] pwd = "1".toCharArray();
// Load the PKCS#12 file holding the self-signed CA certificate and its private key
FileInputStream fis = new FileInputStream(new File("a.pfx"));
java.security.KeyStore pkcsKeyStore = java.security.KeyStore.getInstance("PKCS12");
pkcsKeyStore.load(fis, pwd);
fis.close();
// Use the first alias found in the PKCS#12 store
String alias = null;
Enumeration<String> e = pkcsKeyStore.aliases();
if (e.hasMoreElements()) {
    alias = e.nextElement();
}
Key key = pkcsKeyStore.getKey(alias, pwd);
Certificate[] certs = pkcsKeyStore.getCertificateChain(alias);
X509Certificate[] x509certs = new X509Certificate[certs.length];
for (int i = 0; i < certs.length; i++) {
    x509certs[i] = (X509Certificate) certs[i];
}
// Register the JCAPI provider, open the MS key store and import key + chain
java.security.Security.addProvider(new JCAPIProvider());
java.security.KeyStore msksKeyStore = java.security.KeyStore.getInstance("msks", "JCAPI");
msksKeyStore.load(null, null);
JCAPIProperties.getInstance().setPrivateKeyExportable(true);
JCAPIProperties.getInstance().setMSRootCertStoreName("ROOT");
JCAPIProperties.getInstance().setMSKeyEntryStoreName("MY");
msksKeyStore.setKeyEntry(alias, key, pwd, x509certs);
--------------------------------------------------------------
Thanks,
Andrew
Author:
tommy, Visitor
14/06/2012 11:38:44
Hi Andrew,
Yes, you can make it exportable by supplying null as the password parameter when you import your private key.
Just change your call:
msksKeyStore.setKeyEntry(alias, key, pwd, x509certs);
into:
msksKeyStore.setKeyEntry(alias, key, null, x509certs);
Regards,
Tommy
Author:
andre999, Visitor
09/07/2012 04:44:29
Hi Tommy,
After importing the keystore into the Windows "Trusted People" store, the cert is used by the Windows WCF service. The private key is used for digitally signing an outbound message and decrypting an inbound message. However, I got an error "keyset not found" when signing the outgoing message.
Below is the code used for setting up JCAPI:
----------------------------------------------------------------------------------
// Register the JCAPI provider and point it at the local machine's certificate stores
java.security.Security.addProvider(new JCAPIProvider());
JCAPIProperties.getInstance().setPrivateKeyExportable(true);
JCAPIProperties.getInstance().setMSRootCertStoreName(MSCertConstant.MS_TRUSTEDROOT_CERT_AUTH);
JCAPIProperties.getInstance().setMSKeyEntryStoreName(MSCertConstant.MS_TRUSTED_PEOPLE);
// Use the LOCAL_MACHINE registry location rather than the default CURRENT_USER one
JCAPISystemStoreRegistryLocation locallocation = new JCAPISystemStoreRegistryLocation(
        JCAPISystemStoreRegistryLocation.CERT_SYSTEM_STORE_LOCAL_MACHINE);
JCAPIProperties.getInstance().setSystemStoreRegistryLocation(locallocation);
-------------------------------------------------------------------------------------
I searched on the error and got the impression the issue is related to permissions?
Can JCAPI handle the key storage flags, such as MachineKeySet or PersistKeySet? Exportable is one of them.
TIA
Author:
andre999, Visitor
10/07/2012 07:21:18
Related to the above issue, after some research, here is the summary:
The certificate + key is installed by JCAPI with administrator rights into the local machine's Trusted People store. The current user or the System account can export the public + private keys. However, other user accounts can't export the private key.
In comparison, with a manual p12 import through the Windows 7 MMC into the local machine's Trusted People store, the current user or the System account can export the key, and other user accounts can also export the private key.
Can JCAPI allow other user accounts to export the key? If yes, how do I go about it?
TIA
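An added example, not from this thread and not part of JCAPI, in PowerShell: it walks a Windows certificate store after an import like the one above and reports, per certificate, whether the linked private key is exportable, whether it lives in the machine key set, and whether the current account can open its key container at all. The store path is an assumption; it uses the .NET X509/CSP/CNG classes, so it covers both CryptoAPI-backed keys (what CertMgr's "exportable" flag reflects) and CNG-backed ones.

```powershell
# Added example: inspect private-key storage flags for every cert in a store.
# Assumed input: the thread's LocalMachine "Trusted People" store.
param(
    [string]$StorePath = 'Cert:\LocalMachine\TrustedPeople'
)

function Get-PrivateKeyFlags {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        Provider      = $null
        Exportable    = $null
        MachineKeySet = $null
        Container     = $null
        Note          = ''
    }
    if (-not $Cert.HasPrivateKey) {
        $info.Note = 'certificate only, no private key linked'
        return [pscustomobject]$info
    }
    try {
        # CryptoAPI (CSP) keys surface as RSACryptoServiceProvider; CNG keys do not
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $csp = $key.CspKeyContainerInfo
            $info.Provider      = 'CAPI/' + $csp.ProviderName
            $info.Exportable    = $csp.Exportable
            $info.MachineKeySet = $csp.MachineKeyStore
            $info.Container     = $csp.UniqueKeyContainerName
        } else {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            $info.Provider      = 'CNG/' + $rsa.Key.Provider.Provider
            $info.Exportable    = ($rsa.Key.ExportPolicy -ne 'None')
            $info.MachineKeySet = $rsa.Key.IsMachineKey
            $info.Container     = $rsa.Key.UniqueName
        }
    } catch {
        # A key that is linked but cannot be opened usually means this account has
        # no ACL on the key container: the same "keyset not found" symptom WCF hit.
        $info.Note = 'key linked but not accessible to this account: ' + $_.Exception.Message
    }
    [pscustomobject]$info
}

Get-ChildItem $StorePath | ForEach-Object { Get-PrivateKeyFlags $_ } | Format-Table -AutoSize
```

Run it once as the importing (administrator) account and once as the service account; a row with HasPrivateKey true but a "not accessible" note for the second account points at key-container permissions rather than the Exportable flag.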
Author:
tommy, Visitor
17/07/2012 19:47:03
Hi Andrew,
Sorry for the late reply, but we have vacation time here in Sweden, and paid support is prioritized.
Regarding your issue, JCAPI v1.x cannot export private keys to other account users. Unfortunately, this version has entered EOL so no new functionality will be incorporated into it.
I'll put this issue on our investigation list for JCAPI v2.x.
Regards,
Tommy
Author:
andre999, Visitor
30/07/2012 23:56:45
Sure, no worries. I'm looking forward to the JCAPI 2.x next release.
Thanks.