[security-dev] Database driven Java Keystore

Anil Saldhana Anil.Saldhana at redhat.com
Wed Aug 22 11:00:31 EDT 2012


I think the JDK API is reasonable to deal with keys in general.
They have:
http://docs.oracle.com/javase/6/docs/api/java/security/PrivateKey.html
http://docs.oracle.com/javase/6/docs/api/java/security/PublicKey.html
http://docs.oracle.com/javase/6/docs/api/java/security/cert/Certificate.html

Encryption Key:
http://docs.oracle.com/javase/6/docs/api/javax/crypto/SecretKey.html

Generation of these keys is straightforward with the JDK API usage.

The challenge comes with storage and retrieval. The keys can be
represented in multiple formats and can come from different storage:
keystore, cert mgmt systems etc.
The KeyStore API tries to be the abstract format.

Given the above discussion, Bill, would you prefer an API that does
key/value lookups and underneath probably uses the KeyStore API as an
implementation detail?

I am trying to see what would be appealing to developers from an API
perspective.


On 08/22/2012 09:34 AM, Bill Burke wrote:
> It was kinda specific to DOSETA/DKIM.  It really probably only needs to
> be name/value lookup?
>
> On 8/22/2012 9:56 AM, Anil Saldhana wrote:
>> Bill,
>>      do you have the links to what you have done?  I like your idea.
>>
>> http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html
>> This is the Keystore api. It is a decent API if the keys have been
>> stored into a keystore.  The keystore can be the file based,  a store
>> based (DB/LDAP etc) or hardware based.
>>
>> But if the keys do not exist in a keystore that is loaded by the
>> KeyStore API, then you will need a higher level API to have the
>> flexibility.
>>
>> Regards,
>> Anil
>>
>> On 08/21/2012 06:25 PM, Bill Burke wrote:
>>> Or maybe you should create a new abstraction for key discovery?  I did
>>> this for resteasy for the key-based features I have so that the user has
>>> different options for storing keys.  i.e. from cert.pem or cert.der
>>> files, or .pem text embedded in LDAP entries, DNS entries, etc.
>>>
>>> On 8/21/2012 12:44 PM, Anil Saldhana wrote:
>>>> Hi all,
>>>>       you are familiar with the file based standard Java keystore. KeyTool
>>>> is a command line utility to deal with the standard keystore.
>>>>
>>>> The challenges with a file based keystore are plenty:
>>>> a) Each node in a cluster needs to have a local copy. NFS based keystore
>>>> does solve this problem.
>>>> b) Updates to keystore need to be done with each copy in a cluster.
>>>>
>>>> I put in a DB backed keystore that is standalone with dependence on
>>>> Bouncycastle jars alone.
>>>> https://docs.jboss.org/author/display/SECURITY/Java+Keystores
>>>>
>>>> There are multiple TBD items listed on the page.
>>>>
>>>> There is a master salt.  It is used to MD5 hash+salt the keystore
>>>> password (master password) and also individual key passwords.
>>>>
>>>> Feedback welcome.
>>>>
>>>> Regards,
>>>> Anil
>>>>
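The two ideas discussed in this thread, a plain name/value key lookup for callers and a keystore blob that lives in one shared store instead of a file on every cluster node, can be sketched in a few dozen lines against the standard JDK API. The code below is an added example written for this page; it is not code from the JBoss/PicketLink project or from either poster. The `KeyLookup` interface and `BlobBackedKeyStoreLookup` class are hypothetical names, and a `Map<String, byte[]>` stands in for the database table that would hold the serialized PKCS12 keystore (a real implementation would read and write that column over JDBC).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Hypothetical name/value lookup: callers never touch java.security.KeyStore directly. */
interface KeyLookup {
    Optional<SecretKey> secretKey(String name) throws GeneralSecurityException;
}

/**
 * Implementation that keeps the serialized PKCS12 keystore in a Map<String, byte[]>,
 * a constructed stand-in for a DB table (keystore_id -> blob). Every node in a cluster
 * loads the same blob, so there is no per-node file copy to keep in sync.
 */
final class BlobBackedKeyStoreLookup implements KeyLookup {
    private final Map<String, byte[]> blobStore; // stand-in for the database column
    private final String blobId;
    private final char[] storePassword;

    BlobBackedKeyStoreLookup(Map<String, byte[]> blobStore, String blobId, char[] storePassword) {
        this.blobStore = blobStore;
        this.blobId = blobId;
        this.storePassword = storePassword.clone();
    }

    /** Load the keystore from the blob; a missing blob means a fresh, empty keystore. */
    private KeyStore load() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        byte[] blob = blobStore.get(blobId);
        ks.load(blob == null ? null : new ByteArrayInputStream(blob), storePassword);
        return ks;
    }

    /** Serialize the keystore back into the blob; the JDK's own PBE protects the bytes. */
    private void save(KeyStore ks) throws GeneralSecurityException, IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePassword);
        blobStore.put(blobId, out.toByteArray()); // one write, visible to every node
    }

    /** Store a secret key under a name; the KeyStore alias is the lookup key. */
    void putSecretKey(String name, SecretKey key) throws GeneralSecurityException, IOException {
        KeyStore ks = load();
        ks.setEntry(name, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(storePassword));
        save(ks);
    }

    @Override
    public Optional<SecretKey> secretKey(String name) throws GeneralSecurityException {
        try {
            KeyStore ks = load();
            // getEntry returns null for an unknown alias, so instanceof also covers "absent".
            KeyStore.Entry e = ks.getEntry(name, new KeyStore.PasswordProtection(storePassword));
            if (e instanceof KeyStore.SecretKeyEntry) {
                return Optional.of(((KeyStore.SecretKeyEntry) e).getSecretKey());
            }
            return Optional.empty();
        } catch (IOException ex) {
            throw new GeneralSecurityException("keystore blob unreadable", ex);
        }
    }
}

public class KeyLookupDemo {
    public static void main(String[] args) throws Exception {
        Map<String, byte[]> fakeDb = new HashMap<>(); // constructed stand-in for a DB table
        char[] pw = "change-me".toCharArray();        // placeholder store password

        // One node generates an HMAC key and writes it into the shared blob.
        BlobBackedKeyStoreLookup writer = new BlobBackedKeyStoreLookup(fakeDb, "ks-1", pw);
        SecretKey generated = KeyGenerator.getInstance("HmacSHA256").generateKey();
        writer.putSecretKey("mac-key", generated);

        // A second node, holding only the blob and the password, finds it by name.
        KeyLookup reader = new BlobBackedKeyStoreLookup(fakeDb, "ks-1", pw);
        SecretKey found = reader.secretKey("mac-key").orElseThrow(IllegalStateException::new);
        System.out.println(found.getAlgorithm() + " key found, "
                + found.getEncoded().length * 8 + " bits");
        System.out.println("unknown name present? " + reader.secretKey("nope").isPresent());
    }
}
```

Private keys and certificates would be added the same way through `KeyStore.PrivateKeyEntry` and `TrustedCertificateEntry`, with a matching `Optional<PrivateKey>` / `Optional<Certificate>` method on the interface; they are omitted here because a `PrivateKeyEntry` needs a certificate chain, which the JDK alone cannot mint. The store password in this example is only used to unlock the PKCS12 blob, so nothing in it has to be hashed and stored; where a master password does have to be verified against a stored value, `SecretKeyFactory` with `PBKDF2WithHmacSHA256` is the JDK's built-in salted, iterated option.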