Those useful and interesting technology snippets that I keep forgetting to write down until I need them again.
Tuesday, 26 November 2013
Import PEM into .P12
OpenSSL> pkcs12 -export -in certFile.pem -inkey keyFile.key -out p12File.p12 -certfile intermediateCertFile.pem
Friday, 15 November 2013
JCE and Thales nCipher HSM
This was an education in JCE. The task was to:
1) Get a private key onto an nCipher HSM
2) Use the key to produce a PKCS#7 detached signature over some content
3) Get the public certificate corresponding to the key so that it could be supplied to an external party to verify the signature.
Some terminology:
.pem file - a file holding base64-encoded (PEM-armoured) DER: a private key, a public key certificate, or a certificate chain. Often used to pass public certificates / certificate chains around, since PEM is plain text.
.p12 file - a PKCS#12 bundle holding a private key together with its certificate (and usually the chain). The key material is encrypted under a password, so you need the password to get at it.
Some JCE terminology
KeyStore - the interface through which you get at stored keys and certificates. You load a keystore from a file, specifying its type (PKCS12, JKS, or a provider-specific type such as nCipher.sworld), and can then generate keys, obtain keys and certificates, etc. The stock JDK keystore types do not read .pem files directly; for those you go through a converter such as BouncyCastle's PEMParser.
Certificate - Represents a certificate! :-)
Provider - the set of implementation classes behind the JCE interfaces such as KeyStore; you name one (for example "nCipherKM", "SUN" or "BC") when asking for an implementation. When you want to do s
Some providers, like nCipher's, implement the interfaces so that the operations run on a hardware device; others, like the SUN and BouncyCastle providers, do everything in memory. The former is more secure because the private key used for signing never exists outside the hardware device.
The BouncyCastle provider does its work in memory, but it also has convenience classes for translating between formats (PEM, DER, PKCS#7/CMS, and so on).
So the trick is to use the HSM provider for all the key generation and signing, and BC for the format changes.
See my private testSign git project for examples of signing.
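What steps 2 and 3 amount to on the wire, as an added example that is not part of the original post and does not use JCE or the HSM: the PKCS#7/CMS SignedData that the JCE plus BouncyCastle route produces is a standard structure, so OpenSSL can stand in for it here. A throwaway software key plays the HSM-resident key, its self-signed certificate plays the certificate handed over in step 3, and the signer certificate is deliberately left out of the signature so that the external party has to supply it. It also shows the failure mode that matters: the same signature checked against altered content is rejected. The content, subject and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. A detached PKCS#7 (CMS) signature
# made and verified with OpenSSL, standing in for the JCE/HSM code: a throwaway
# software key plays the HSM key, and its self-signed certificate plays the
# certificate given to the external party. Names and content are assumptions.
set -eu

WORK=$(mktemp -d)

# Throwaway signing key + certificate (an HSM key would never be on disk like this).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj '/CN=Example Signer' \
  -keyout "$WORK/signer.key" -out "$WORK/signer.pem" 2>/dev/null

# The content to be signed (constructed sample input) and a tampered copy.
printf 'invoice-id=42;amount=100.00\n' > "$WORK/content.bin"
printf 'invoice-id=42;amount=999.00\n' > "$WORK/tampered.bin"

# Detached signature: without -nodetach the content is NOT embedded, so the
# verifier must be handed it separately. -binary stops CMS canonicalising line
# endings, so the bytes signed are exactly the bytes in the file. -nocerts
# leaves the signer certificate out, as an HSM-backed signer might.
sign_detached() {   # $1 content, $2 output .p7s (DER)
  openssl cms -sign -binary -md sha256 -nocerts \
    -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" \
    -in "$1" -outform DER -out "$2"
}

# What the external party runs: content, signature and the step-3 certificate.
# -noverify skips chain validation of the signer certificate (a self-signed
# test cert has no chain); the signature itself is still checked. Prints ok/bad.
verify_detached() { # $1 content, $2 .p7s
  if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
       -certfile "$WORK/signer.pem" -noverify -out /dev/null 2>/dev/null; then
    echo ok
  else
    echo bad
  fi
}

# Evidence that the signature really is detached: the content bytes do not
# appear inside it. Prints yes/no.
signature_embeds_content() { # $1 .p7s
  if tr -d '\000' < "$1" | grep -q 'invoice-id'; then echo yes; else echo no; fi
}

SIG="$WORK/content.p7s"
sign_detached "$WORK/content.bin" "$SIG"
echo "genuine content:   $(verify_detached "$WORK/content.bin" "$SIG")"
echo "tampered content:  $(verify_detached "$WORK/tampered.bin" "$SIG")"
echo "content embedded:  $(signature_embeds_content "$SIG")"
```

In production drop `-noverify` and give the issuing chain with `-CAfile`, so that the external party checks who issued the certificate as well as that the signature is mathematically valid. Keep `-binary` on both sides: without it CMS applies S/MIME text canonicalisation, and a signature made over a file with bare LF line endings will not verify against the same bytes treated as binary.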
To get a key into the HSM:
java -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore d:/temp/neilltest.dat
(-Dprotect=module asks the nCipher provider for a module-protected key, i.e. one that needs no operator card set or softcard to use, and -DignorePassphrase=true tells it not to insist on a keystore passphrase. The nCipherKM provider has to be registered, in java.security or via keytool's -providerclass. SHA1withRSA was acceptable in 2013; use SHA256withRSA now. sun.security.tools.KeyTool is the pre-Java 8 class name; on later JDKs run keytool itself with the same arguments.)
This creates the .dat file, which holds a reference to the private key in the HSM but not the key itself: the key material stays in the HSM's Security World and can only be used through the module. The .dat file is then used as a keystore like a normal JKS file, with keytool.
You can use keytool -certreq against that keystore entry to generate a CSR; have a CA sign it and import the issued certificate with keytool -importcert. That certificate is what you hand to the external party so they can verify signatures made with the HSM-resident private key.
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
If you want to list the certificates in an HSM keystore:
keytool -list -v -providername nCipherKM -storetype nCipher.sworld -keystore neilltest.dat -storepass [whatever it is]