JSSE and keys

Jeff Nisewanger (Jeff.Nisewanger@eng.sun.com)
Thu, 12 Aug 1999 15:04:37 -0700 (PDT)

Message-Id: <199908122206.PAA24517@shorter.eng.sun.com>
Date: Thu, 12 Aug 1999 15:04:37 -0700 (PDT)
From: Jeff Nisewanger <Jeff.Nisewanger@eng.sun.com>
Subject: JSSE and keys
To: java-security@java.sun.com, kevin@Differential.COM

>
> Trust/KeyManagerFactory: SunX509
> SSLContext: SSL, TLS
> KeyStore: PKCS12

Of course, the JDK itself supports JKS keystores and JCE 1.2
additionally supports a JCEKS format. Any of these (or other)
keystore types can be used with JSSE as long as they implement the
KeyStore api.

>
> Also, I have another question. It seems that when initializing a
> KeyManagerFactory, it expects a KeyStore and a password for the
> private key to be used for authentication. This only seems
> to work if there is a single private key in the keystore.
> Can the init method take an alias as well, so that other
> private keys may reside in the keystore?
>

The SunX509 KeyManagerFactory assumes that all private keys
stored in a keystore are all protected by the same password (the
KeyStore api allows for a possibly unique password for each private
key). Other than that there is no limit on the number of keys which can
be present in the keystore. Keys can additionally be obtained in a
KeyManagerFactory provider-specific manner.

Based on the available keys, the KeyManagerFactory then returns
a set of KeyManagers which may be passed to the init() method of the
SSLContext. In reality, the SunX509 factory will return an
X509KeyManager since the JSSE reference implemention only supports
public key authentication. This key manager is then queried by
the SSLContext implementation to return appropriate keys as needed at
runtime. See the bundled javadoc api for further details.

If you want to you can implement KeyManager classes yourself
directly or, perhaps more likely, you can simply interpose your own
KeyManager object and delegate to the one from the security provider.
In this way, you can filter or modify the default choices that it would
make, possible as a result of asking the user through a GUI etc.

If you are asking if we can make it easier to assert that a
specific alias should be used I'll have to think about that.
Currently, there are 2 ways to achieve this. One way is to only place a
single key of a particular key type (RSA or DSA) in the keystore so
that there is effectively only one key for the X509KeyManager to choose
from. The other way is to implement your own filtering X509KeyManager
and delegate the actual hard work to the provider's X509KeyManager.
For instance, you would have chooseClientAlias() and/or
chooseServerAlias() always return your preferred key alias and then
delegate the other methods. I suppose we could make it easier to
implement an X509KeyManager filter....

Jeff