Re: JSSE and keys

Kevin Regan (kevin@Differential.COM)
Thu, 12 Aug 1999 15:18:42 -0700 (PDT)

From: Kevin Regan <kevin@Differential.COM>
Message-Id: <199908122218.PAA24023@Differential.COM>
Subject: Re: JSSE and keys
To: Jeff.Nisewanger@eng.sun.com
Date: Thu, 12 Aug 1999 15:18:42 -0700 (PDT)
In-Reply-To: <199908122206.PAA24517@shorter.eng.sun.com> from "Jeff Nisewanger" at Aug 12, 99 03:04:37 pm

In general, my application uses many keys, but shares the same keystore.
It would be really great to have the functionality to specify the passwords
for each key and alias that I am interested in using. Also, with certain
KeyStore providers (such as hardware keys) it might not be possible to
create separate keystores.

I wouldn't mind doing something like:

KeyManagerFactory factory = ...

factory.addKey( keyStore, keyAlias1, keyPassword1 );
factory.addKey( keyStore, keyAlias2, keyPassword2 );
...

It would be easier than configuring and loading multiple
keystores into my application.

--Kevin

>
> The SunX509 KeyManagerFactory assumes that all private keys
> stored in a keystore are all protected by the same password (the
> KeyStore api allows for a possibly unique password for each private
> key). Other than that there is no limit on the number of keys which can
> be present in the keystore. Keys can additionally be obtained in a
> KeyManagerFactory provider-specific manner.
>
> Based on the available keys, the KeyManagerFactory then returns
> a set of KeyManagers which may be passed to the init() method of the
> SSLContext. In reality, the SunX509 factory will return an
> X509KeyManager since the JSSE reference implementation only supports
> public key authentication. This key manager is then queried by
> the SSLContext implementation to return appropriate keys as needed at
> runtime. See the bundled javadoc api for further details.
>
> If you want to you can implement KeyManager classes yourself
> directly or, perhaps more likely, you can simply interpose your own
> KeyManager object and delegate to the one from the security provider.
> In this way, you can filter or modify the default choices that it would
> make, possibly as a result of asking the user through a GUI etc.
>
> If you are asking if we can make it easier to assert that a
> specific alias should be used I'll have to think about that.
> Currently, there are 2 ways to achieve this. One way is to only place a
> single key of a particular key type (RSA or DSA) in the keystore so
> that there is effectively only one key for the X509KeyManager to choose
> from. The other way is to implement your own filtering X509KeyManager
> and delegate the actual hard work to the provider's X509KeyManager.
> For instance, you would have chooseClientAlias() and/or
> chooseServerAlias() always return your preferred key alias and then
> delegate the other methods. I suppose we could make it easier to
> implement an X509KeyManager filter....
>
>
>
> Jeff
>
>
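The two techniques discussed in this thread, as an added example that is not code from either poster: a filtering X509KeyManager that pins chooseServerAlias()/chooseClientAlias() to a preferred alias and delegates everything else to the provider's key manager, plus a work-around for the SunX509 factory's one-password-per-keystore assumption that copies each wanted key, unlocked with its own password, into a single in-memory keystore before calling init(). It uses the current javax.net.ssl package names (the JSSE 1.0 release discussed above lived in com.sun.net.ssl), and the class name, method names, and the "uniform-password" value are constructed for illustration.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/**
 * Filtering key manager (constructed example): forces a preferred alias for
 * server and client authentication and delegates all other work to the
 * provider's X509KeyManager.
 */
public final class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String preferredAlias;

    public PinnedAliasKeyManager(X509KeyManager delegate, String preferredAlias) {
        this.delegate = delegate;
        this.preferredAlias = preferredAlias;
    }

    /** Pin only if the delegate really holds a private key under that alias; otherwise keep its choice. */
    private String pinOrFallback(String delegateChoice) {
        return delegate.getPrivateKey(preferredAlias) != null ? preferredAlias : delegateChoice;
    }

    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return pinOrFallback(delegate.chooseServerAlias(keyType, issuers, socket));
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return pinOrFallback(delegate.chooseClientAlias(keyType, issuers, socket));
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /**
     * Work-around for the one-password-per-keystore assumption: unlock each
     * wanted key with its own password, copy it into a fresh in-memory keystore
     * protected by one uniform password, and hand that store to the factory.
     * The resulting X509KeyManager is then wrapped so that pinnedAlias wins.
     */
    public static SSLContext buildContext(KeyStore source, String[] aliases,
                                          char[][] keyPasswords, String pinnedAlias)
            throws GeneralSecurityException, IOException {
        char[] uniform = "uniform-password".toCharArray(); // constructed example value
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null); // empty in-memory store
        for (int i = 0; i < aliases.length; i++) {
            PrivateKey key = (PrivateKey) source.getKey(aliases[i], keyPasswords[i]);
            Certificate[] chain = source.getCertificateChain(aliases[i]);
            if (key == null || chain == null) {
                throw new IllegalArgumentException("no private key entry for alias " + aliases[i]);
            }
            merged.setKeyEntry(aliases[i], key, uniform, chain);
            Arrays.fill(keyPasswords[i], '\0'); // the per-key password is no longer needed
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(merged, uniform);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) {
                managers[i] = new PinnedAliasKeyManager((X509KeyManager) managers[i], pinnedAlias);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, null, null); // default trust managers and SecureRandom
        return ctx;
    }
}
```

The merge step only works for keystores whose private keys are extractable; for a hardware-backed KeyStore the getKey() call returns a handle that cannot be copied into a software store, so in that case only the wrapper half applies: take the provider's X509KeyManager from its own factory and wrap it in PinnedAliasKeyManager. The fallback in pinOrFallback() matters because pinning an alias the delegate cannot serve would make the handshake fail rather than silently use another key.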