Re: JSECURITY Issue: KeyStoreSPI

Jan Luehe (luehe@laguna.eng.sun.com)
Tue, 26 Jan 1999 09:13:28 -0800 (PST)

Date: Tue, 26 Jan 1999 09:13:28 -0800 (PST)
From: Jan Luehe <luehe@laguna.eng.sun.com>
Subject: Re: JSECURITY Issue: KeyStoreSPI
To: java-security@java.Sun.COM, webmaster@java.Sun.COM,

Johannes:

When you generate the keypair, you can wrap the public-key component
in a self-signed (dummy) certificate and store that along with the private
key in your keystore. Then, after you have received your real
certificate chain, you use that to replace your dummy certificate.

Jan

> I implemented the KeyStoreSPI for the IAIK-JCE. The comment of the setKeyEntry
> method says, "If the given key is of type java.security.PrivateKey, it must be
> accompanied by a certificate chain certifying the corresponding public key."
>
> This is the point I don't feel comfortable with. Consider this: I calculate a
> key pair for a certificate request. Certification takes some time. So I have to
> store the private key in a safe location until I get my new certificate. The
> KeyStore would be the right place for it.
> Shouldn't it be possible to save private keys in the KeyStore without a
> certificate chain as well?
>
> Regards,
>
> Johannes Farmer
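
The workflow from the reply above, as an added example that is not part of the original thread: the private key is stored under a self-signed placeholder certificate, and the entry is overwritten once the real chain arrives. It assumes Java 10+ and the BouncyCastle bcprov and bcpkix jars for certificate generation; the class name, the issue() helper, the alias, the password and the subject names are hypothetical, and a locally generated key pair stands in for the real CA.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class PendingKeyDemo {
    // Hypothetical helper: certificate for subjectKey, signed with issuerKey, valid 30 days.
    static X509Certificate issue(String issuer, PrivateKey issuerKey,
                                 String subject, PublicKey subjectKey) throws Exception {
        Date from = new Date();
        Date to = new Date(from.getTime() + 30L * 24 * 3600 * 1000);
        var builder = new JcaX509v3CertificateBuilder(new X500Name(issuer),
                new BigInteger(64, new SecureRandom()), from, to,
                new X500Name(subject), subjectKey);
        var signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();            // constructed sample password
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair user = kpg.generateKeyPair();            // key pair for the certificate request
        KeyPair ca = kpg.generateKeyPair();              // stand-in for the real CA (assumption)
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                             // new, empty in-memory keystore

        // While certification is pending: private key plus a self-signed dummy certificate.
        X509Certificate dummy = issue("CN=pending", user.getPrivate(), "CN=pending", user.getPublic());
        ks.setKeyEntry("mykey", user.getPrivate(), pw, new Certificate[] { dummy });

        // Later: the CA reply arrives (simulated here; no CA extensions, not path-validated).
        X509Certificate caCert = issue("CN=Demo CA", ca.getPrivate(), "CN=Demo CA", ca.getPublic());
        X509Certificate real = issue("CN=Demo CA", ca.getPrivate(), "CN=Example Subject", user.getPublic());
        // Only accept a reply that certifies the stored key and verifies under the CA key.
        byte[] storedPub = ks.getCertificate("mykey").getPublicKey().getEncoded();
        if (!Arrays.equals(real.getPublicKey().getEncoded(), storedPub))
            throw new SecurityException("certificate reply does not match the stored key");
        real.verify(caCert.getPublicKey());
        // Same alias, same key: setKeyEntry overrides the entry, replacing the dummy chain.
        ks.setKeyEntry("mykey", ks.getKey("mykey", pw), pw, new Certificate[] { real, caCert });
        System.out.println("chain length: " + ks.getCertificateChain("mykey").length);
    }
}
```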