Re: Problem with the keytool in JDK 1.2 Beta 3

Jan Luehe (luehe@laguna.eng.sun.com)
Thu, 30 Jul 1998 10:26:25 -0700 (PDT)

Date: Thu, 30 Jul 1998 10:26:25 -0700 (PDT)
From: Jan Luehe <luehe@laguna.eng.sun.com>
Subject: Re: Problem with the keytool in JDK 1.2 Beta 3
To: java-security@java.Sun.COM, tgoeller@metafinanz.de

Thorsten:

> We have a problem with the keytool. We wanted to use our own provider with
> the name "ElGamal".
> This provider works with all the test programs we have written, but not with
> the keytool. The exception we got:
> java.lang.RuntimeException: internal error! unrecognized algorithm name:
> ElGamal

I checked where this exception is raised: in the constructor of
sun.security.x509.X500Signer.java.

The problem you are running into is that when keytool attempts
to create a self-signed certificate for the generated public
key, it needs to determine the OID of the signature algorithm
to include in the certificate. Currently, the certificate generation
routine in the sun package accesses a private list of algname-to-OID
mappings. ElGamal is not in that list! Therefore, you get the
exception. This has been on our list of things to fix. Hopefully
we'll have a fix implemented by FCS.

> -keyalg AlgorithmName
> [...] For the default Sun security provider, the name must be DSA, which is
> also the default value for this option. Despite the presence of this
> option, you cannot really specify another algorithm name, nor, for that
> matter, can you use a non-Sun DSA provider. Internally, keytool expects the
> key generator to produce keys that belong to a specific class in the sun
> package.

This is not true.
We create RSA keys (using keytool and an RSA provider on top of
Bsafe) all the time!

When we create keys in keytool, we instantiate *provider-based*
KeyPairGenerator and Signature objects, which can be supplied
by providers other than the default SUN provider.
The generated keys (and certificates) are stored in encoded format
in your keystore.

When we parse the keys and certificates from the keystore, we
instantiate *provider-based* KeyFactory and CertificateFactory
objects, which parse the encoded bytes and return provider-based
key and certificate objects.

> -sigalg signatureAlgorithm
> [...] Like the key algorithm, this option is not particularly useful at
> present, since you cannot use your own security provider classes to
> implement the signature.

Again, this is not true (see above).

> So much for the comments in this book.
>
> Now my question: when will our own providers be usable in the security tools?

They are already.

Hope this helps.

Jan
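As an added illustration (not code from this thread or from keytool itself), the following Java program performs the same sequence the reply attributes to keytool: a provider-based KeyPairGenerator and Signature, keys kept as encoded bytes, and a provider-based KeyFactory that parses those bytes back into key objects. It prints which provider actually served each request, which is the check to run when a custom provider appears to be ignored. The algorithm names (RSA, SHA256withRSA) and the optional `provider.class` system property are assumptions for current JDKs, not values from the thread.

```java
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

public class ProviderRoundTrip {

    // Generate, encode, re-parse, sign and verify, all through provider-based
    // JCA objects, mirroring the steps keytool is described as taking.
    public static boolean roundTrip(String keyAlg, String sigAlg)
            throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlg);
        System.out.println("KeyPairGenerator served by: " + kpg.getProvider().getName());
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Keystores hold keys in encoded form (SubjectPublicKeyInfo / PKCS#8),
        // not as the generating provider's key classes.
        byte[] pubEnc = kp.getPublic().getEncoded();
        byte[] privEnc = kp.getPrivate().getEncoded();

        // On read-back, a provider-based KeyFactory turns the bytes into keys.
        KeyFactory kf = KeyFactory.getInstance(keyAlg);
        System.out.println("KeyFactory served by: " + kf.getProvider().getName());
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(pubEnc));
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(privEnc));

        // Signature is likewise resolved through the provider framework.
        Signature signer = Signature.getInstance(sigAlg);
        System.out.println("Signature served by: " + signer.getProvider().getName());
        byte[] msg = "constructed sample message".getBytes(); // constructed input
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Optionally register an extra provider class at runtime (assumed property name).
        String providerClass = System.getProperty("provider.class");
        if (providerClass != null) {
            Security.addProvider((Provider) Class.forName(providerClass)
                    .getDeclaredConstructor().newInstance());
        }
        String keyAlg = args.length > 0 ? args[0] : "RSA";
        String sigAlg = args.length > 1 ? args[1] : "SHA256withRSA";
        System.out.println("signature verified: " + roundTrip(keyAlg, sigAlg));
    }
}
```

Run it with the algorithm names your provider registers; if a different provider's name is printed than the one you expected, the provider order (or the algorithm names it registers) is the thing to inspect before suspecting keytool.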