[security-dev] Database driven Java Keystore

Anil Saldhana Anil.Saldhana at redhat.com
Wed Aug 22 09:56:18 EDT 2012


Bill,
   do you have the links to what you have done?  I like your idea.

http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html
This is the Keystore API. It is a decent API if the keys have been 
stored in a keystore.  The keystore can be file based, a store 
based (DB/LDAP etc.) or hardware based.

But if the keys do not exist in a keystore that is loaded by the 
Keystore API,  then you will need a higher-level API, to have the 
flexibility.

Regards,
Anil

On 08/21/2012 06:25 PM, Bill Burke wrote:
> Or maybe you should create a new abstraction for key discovery?  I did
> this for resteasy for the key-based features I have so that the user has
> different options for storing keys.  i.e. from cert.pem or cert.der
> files, or .pem text embedded in LDAP entries, DNS entries, etc.
>
> On 8/21/2012 12:44 PM, Anil Saldhana wrote:
>> Hi all,
>>     you are familiar with the file based standard Java keystore. KeyTool
>> is a command line utility to deal with the standard keystore.
>>
>> The challenges with a file based keystore are plenty:
>> a) Each node in a cluster needs to have a local copy. NFS based keystore
>> does solve this problem.
>> b) Updates to keystore need to be done with each copy in a cluster.
>>
>> I put in a DB backed keystore that is standalone with dependence on
>> Bouncycastle jars alone.
>> https://docs.jboss.org/author/display/SECURITY/Java+Keystores
>>
>> There are multiple TBD items listed on the page.
>>
>> There is a master salt.  It is used to MD5 hash+salt the keystore
>> password (master password) and also individual key passwords.
>>
>> Feedback welcome.
>>
>> Regards,
>> Anil
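A sketch of how the KeyStore API Anil points to can front a non-file store, added here as an example that is neither Anil's code nor the JBoss keystore's: a KeyStoreSpi over an in-memory map (a constructed stand-in for the DB table), registered through a Provider so callers keep using KeyStore.getInstance/load/getKey, with the master salt, master password and per-key password hashes the post describes. The salt, master password and the "DB" type name are constructed values, and SHA-256 is used where the post says MD5.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;
// Minimal KeyStoreSpi whose backing store is a map standing in for a DB table (constructed stand-in; JDBC would go here).
public class DbKeyStore extends KeyStoreSpi {
    static final byte[] MASTER_SALT = "constructed-salt".getBytes();   // the post's "master salt" (constructed value)
    static final Map<String, Object[]> TABLE = new HashMap<>();      // alias -> {Key, salted password hash}
    static byte[] masterHash;                                        // salted hash of the master password
    static byte[] hash(char[] pw) throws NoSuchAlgorithmException {  // salt+password hash (SHA-256 here, not MD5)
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(MASTER_SALT);
        return md.digest(new String(pw == null ? new char[0] : pw).getBytes());
    }
    @Override public void engineLoad(InputStream in, char[] pw) throws IOException, NoSuchAlgorithmException {
        if (pw != null && !MessageDigest.isEqual(masterHash, hash(pw))) throw new IOException("bad master password");
    }
    @Override public void engineStore(OutputStream out, char[] pw) {} // rows are written by setKeyEntry; nothing to flush
    @Override public Key engineGetKey(String alias, char[] pw) throws NoSuchAlgorithmException, UnrecoverableKeyException {
        Object[] row = TABLE.get(alias); if (row == null) return null;
        if (!MessageDigest.isEqual((byte[]) row[1], hash(pw))) throw new UnrecoverableKeyException("bad key password");
        return (Key) row[0];
    }
    @Override public void engineSetKeyEntry(String alias, Key key, char[] pw, Certificate[] chain) throws KeyStoreException {
        try { TABLE.put(alias, new Object[]{key, hash(pw)}); } catch (NoSuchAlgorithmException e) { throw new KeyStoreException(e); }
    }
    @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("unsupported"); }
    @Override public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException { throw new KeyStoreException("keys only"); }
    @Override public void engineDeleteEntry(String alias) { TABLE.remove(alias); }
    @Override public Enumeration<String> engineAliases() { return Collections.enumeration(TABLE.keySet()); }
    @Override public boolean engineContainsAlias(String alias) { return TABLE.containsKey(alias); }
    @Override public boolean engineIsKeyEntry(String alias) { return TABLE.containsKey(alias); }
    @Override public boolean engineIsCertificateEntry(String alias) { return false; }
    @Override public int engineSize() { return TABLE.size(); }
    @Override public Date engineGetCreationDate(String alias) { return null; }
    @Override public Certificate[] engineGetCertificateChain(String alias) { return null; }
    @Override public Certificate engineGetCertificate(String alias) { return null; }
    @Override public String engineGetCertificateAlias(Certificate cert) { return null; }
    static class DbProvider extends Provider {                        // registers the SPI under the constructed type "DB"
        DbProvider() { super("DbKS", 1.0, "constructed DB-backed keystore"); put("KeyStore.DB", DbKeyStore.class.getName()); }
    }
    public static void main(String[] args) throws Exception {
        masterHash = hash("master".toCharArray());                   // "master" is a constructed master password
        KeyStore ks = KeyStore.getInstance("DB", new DbProvider());
        ks.load(null, "master".toCharArray());                       // wrong master password fails here, not on getKey
        ks.setKeyEntry("hmac1", new SecretKeySpec(new byte[32], "HmacSHA256"), "key-pw".toCharArray(), null);
        System.out.println(ks.getKey("hmac1", "key-pw".toCharArray()).getAlgorithm());
    }
}
```

Only secret-key entries are supported, so every certificate method reports no entry; a wrong per-key password surfaces as UnrecoverableKeyException exactly as it does with the file-based JKS store.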

