[security-dev] Database driven Java Keystore

Bill Burke bburke at redhat.com
Wed Aug 22 10:34:29 EDT 2012


It was kinda specific to DOSETA/DKIM.  It really probably only needs to 
be name/value lookup?

On 8/22/2012 9:56 AM, Anil Saldhana wrote:
> Bill,
>     do you have the links to what you have done?  I like your idea.
>
> http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html
> This is the Keystore api. It is a decent API if the keys have been
> stored into a keystore.  The keystore can be the file based,  a store
> based (DB/LDAP etc) or hardware based.
>
> But if the keys do not exist in a keystore that is loaded by the
> Keystore API,  then you will need a higher level api, to have the
> flexibility.
>
> Regards,
> Anil
>
> On 08/21/2012 06:25 PM, Bill Burke wrote:
>> Or maybe you should create a new abstraction for key discovery?  I did
>> this for resteasy for the key-based features I have so that the user has
>> different options for storing keys.  i.e. from cert.pem or cert.der
>> files, or .pem text embedded in LDAP entries, DNS entries, etc.
>>
>> On 8/21/2012 12:44 PM, Anil Saldhana wrote:
>>> Hi all,
>>>      you are familiar with the file based standard Java keystore. KeyTool
>>> is a command line utility to deal with the standard keystore.
>>>
>>> The challenges with a file based keystore are plenty:
>>> a) Each node in a cluster needs to have a local copy. NFS based keystore
>>> does solve this problem.
>>> b) Updates to keystore need to be done with each copy in a cluster.
>>>
>>> I put in a DB backed keystore that is standalone with dependence on
>>> Bouncycastle jars alone.
>>> https://docs.jboss.org/author/display/SECURITY/Java+Keystores
>>>
>>> There are multiple TBD items listed on the page.
>>>
>>> There is a master salt.  It is used to MD5 hash+salt the keystore
>>> password (master password) and also individual key passwords.
>>>
>>> Feedback welcome.
>>>
>>> Regards,
>>> Anil

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
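The key-discovery abstraction Bill describes, layered over the standard java.security.KeyStore API that Anil points to, as an added example that is not code from the thread or from RESTEasy/JBoss Security; the KeyRepository interface, the class names and the "dkim-selector1" alias are assumptions, and the Map stands in for a database name/value lookup.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical abstraction: callers ask for a key by name and do not care whether
// it comes from a keystore file, a database row, an LDAP entry or a DNS record.
interface KeyRepository {
    Key find(String name) throws GeneralSecurityException; // null when unknown
}

// Adapter over the standard KeyStore API (file, PKCS#12, PKCS#11 hardware, ...).
class KeyStoreRepository implements KeyRepository {
    private final KeyStore ks; private final char[] keyPassword;
    KeyStoreRepository(KeyStore ks, char[] pw) { this.ks = ks; this.keyPassword = pw; }
    public Key find(String name) throws GeneralSecurityException { return ks.getKey(name, keyPassword); }
}

// Adapter over a plain name/value table; the Map stands in for a DB lookup.
class TableRepository implements KeyRepository {
    private final Map<String, Key> table;
    TableRepository(Map<String, Key> table) { this.table = table; }
    public Key find(String name) { return table.get(name); }
}

public class KeyDiscoveryDemo {
    public static void main(String[] args) throws Exception {
        char[] pw = "demo-password".toCharArray();            // constructed sample password
        SecretKey aes = KeyGenerator.getInstance("AES").generateKey();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // empty in-memory store
        ks.setEntry("dkim-selector1", new KeyStore.SecretKeyEntry(aes), new KeyStore.PasswordProtection(pw));
        // Round-trip through bytes: what a cluster node would read from a shared DB blob
        // instead of keeping its own local copy of the keystore file.
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        ks.store(blob, pw);
        KeyStore loaded = KeyStore.getInstance("PKCS12");
        loaded.load(new ByteArrayInputStream(blob.toByteArray()), pw);
        List<KeyRepository> sources = Arrays.asList(new KeyStoreRepository(loaded, pw),
                new TableRepository(Collections.singletonMap("other-key", aes)));
        for (String name : new String[] {"dkim-selector1", "other-key", "missing"}) {
            Key k = null;
            for (KeyRepository r : sources) { k = r.find(name); if (k != null) break; }
            System.out.println(name + " -> " + (k == null ? "not found" : k.getAlgorithm()));
        }
    }
}
```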
