An implementation of the JCE KeyPairGenerator would add a lot of power/security to JCAPI - the ability to generate a key pair entirely within the Microsoft cryptographic store, so that it could be referenced by a JCAPIRSAPrivateKey handle without the private key ever having to leave MS CAPI.
This would be particularly useful if coupled with the ability to update an existing key/certificate pair with a new certificate but the same key (the JCA specifications for KeyStore.setKeyEntry theoretically support this, the biggest complication here would probably be the difference between JCE aliases and MS-CAPI friendly name, and how they respectively deal with collisions).
[Note: Java's built-in "SunMSCAPI" provider does already support KeyPairGenerator, but the provider doesn't support many other JCA features, so you still end up having to export the key to do much that is useful with it. Depending on how the KeyPair references work in SunMSCAPI, a JCAPI KeyFactory implementation capable of converting SunMSCAPI handles to JCAPIRSAPrivateKey handles could provide similar end functionality - I'm not sure Oracle exposes enough of SunMSCAPI to do that without having to export the key first, though]
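The note above says the JDK's own SunMSCAPI provider can generate a key pair inside MS CAPI. As an added example (not code from this thread or from the JCAPI project), the Java program below generates a 2048-bit RSA pair through SunMSCAPI, checks that the resulting PrivateKey object is a handle with no encoded key material, signs a constructed message with the key inside CAPI, and verifies the signature with the public half through the default pure-Java provider. It runs only on a Windows JDK that registers SunMSCAPI; the class name, the sample message and the tamper check are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example (hypothetical class name): an RSA key pair generated and used
// inside MS CAPI via the JDK's SunMSCAPI provider, so the private key never
// has to be exported into Java memory.
public class CapiKeyPairDemo {

    public static void main(String[] args) throws Exception {
        // Windows only: the SunMSCAPI provider exists only in Windows JDK builds.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "SunMSCAPI");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PrivateKey priv = kp.getPrivate();
        PublicKey pub = kp.getPublic();

        // The PrivateKey is only a handle to a CAPI key container: SunMSCAPI
        // returns null from getEncoded(), which is exactly the "key never
        // leaves CAPI" property the post is asking for.
        if (priv.getEncoded() != null) {
            throw new IllegalStateException("private key material was exposed to Java");
        }
        System.out.println("Private key handle class: " + priv.getClass().getName());
        System.out.println("Public key encoded length: " + pub.getEncoded().length);

        // Sign inside CAPI. The Signature engine must come from SunMSCAPI,
        // because a pure-Java provider cannot operate on a handle-only key.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verify with the default pure-Java provider using only the public half;
        // the public key carries a normal X.509 encoding, so any provider can use it.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("Signature verifies: " + verifier.verify(sig));

        // Tamper check: a modified message must not verify against the same signature.
        msg[0] ^= 0x01;
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("Tampered message verifies: " + verifier.verify(sig));
    }
}
```

Note what this does not show: SunMSCAPI gives no view of the CAPI container's exportable or user-protection flags, which is why the exportable/protected question later in this thread still needs a provider such as JCAPI that exposes those store properties.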
Tommy,
Sorry I didn't see your first post until today, so didn't get a chance to reply to it (I didn't really have any useful thoughts anyway, though - using JCAPIKeystoreProperties definitely seems the most elegant solution, given the limitations of the JCE interface)
Your solution is perfect (and your response time was fantastic, I really appreciate it) - I didn't test all the permutations of exportable/protected, but the use case that we really needed (exportable but not protected) is working great!
Thanks a bunch!
-Chris
I'm trying to import a private key and associated certificate chain into a "MY" keystore (the CERT_SYSTEM_LOCAL_MACHINE one, specifically).
While I'm able to successfully import the key/certificate using SetKeyEntry("alias", aPrivateKey, null, myCertChain), there doesn't seem to be a way to import it with the "non exportable" flag.
If I include a password (or empty char[]) rather than null, it will be marked as non-exportable, but also has the user_protection flag, so requires GUI interaction to set the security level. Unfortunately, for my use case I need to do the import without that sort of prompt.
Is there some way to accomplish this that I'm missing, or does JCAPI not currently support importing a key to the Microsoft store marked as non-exportable without 'user protection' being flagged as well?
I've got C++ console apps that can do this from a pfx store (since PFXImportCertStore has the nice and friendly CRYPT_EXPORTABLE flag), but I'd like to use JCAPI to directly import to the MS store, if possible.
Thanks!