
PKCS12 and JSS?

Federico Fernandez Cruz

May 5, 2003, 7:19:36 AM
Hi!

Is there a way to export a certificate and a private key to a pkcs12
using JSS?

I think it's impossible!

You can't build a PrivateKeyInfo because:

A: PrivateKey.getEncoded() always returns null.

B: CryptoStore.getEncryptedPrivateKeyInfo() always returns an unusable
chunk of bytes. EncryptedPrivateKeyInfo.decrypt() doesn't decrypt it and
OpenSSL complains about a wrong password.


Has someone succeeded on PKCS12 export using JSS?

PS: Is there anyone who reads these messages? :-)

Thanks

Radu Ux

May 6, 2003, 3:10:13 AM
Hello!

I tried to extract private key material from a PKCS11 token, with no
success.

In order to assure a high trust level, there is a common agreement to never
let the private key material go outside. If that were possible, after,
let's say, login, a customer could complain that the key was stolen through a
vicious operation. I heard that, as always, there are trojan programs
which can steal the private keys from a specific vendor's card, but I don't
think that is the case :)... Anyway, the classes which implement the PrivateKey
interface in JSS (e.g. PK11PrivateKey, PK11RSAPrivKey) return null in every
key-material-related get method. For getEncryptedPrivateKeyInfo() there are
some arguments that come from nowhere, and I'm very curious: what does that
method exist for?

Radu Ux

Federico Fernandez Cruz

May 7, 2003, 8:39:35 AM
to radu....@axetel.com, mozilla...@mozilla.org
Hi!

Jamie Nicolson has sent me a piece of code to export a certificate and a private key in a PKCS12 blob. (See the attachment!) You need to change the code a little bit, just to log in to the token and select your certificate and private key with another nickname.

The problem was in the password conversion. In the example, there is a new password converter (PWConverter) that allows decrypting the EncryptedPrivateKeyInfo.

Now I have another problem: the execution gets stuck at computeMacData. If I debug the application, the problem is at digest.initHMAC(key) (MacData.java).

How can I solve my problem?

I'm working with Linux RedHat 8, JBuilder 8 and JDK 1.4.1_02.

Thanks.
p12.java