chris.trufan
Visitor
Joined: Nov 10, 2011
Messages: 3
An implementation of the JCE KeyPairGenerator would add a lot of power/security to JCAPI - the ability to generate a key pair entirely within the Microsoft cryptographic store, so that it could be referenced by a JCAPIRSAPrivateKey handle without the private key ever having to leave MS CAPI.
This would be particularly useful if coupled with the ability to update an existing key/certificate pair with a new certificate but the same key (the JCA specifications for KeyStore.setKeyEntry theoretically support this; the biggest complication here would probably be the difference between JCE aliases and MS-CAPI friendly names, and how they respectively deal with collisions).
[Note: Java's built-in "SunMSCAPI" provider does already support KeyPairGenerator, but the provider doesn't support many other JCA features, so you still end up having to export the key to do much useful with it. Depending on how the KeyPair references work in SunMSCAPI, a JCAPI KeyFactory implementation capable of converting SunMSCAPI handles to JCAPIRSAPrivateKey handles could provide similar end functionality - I'm not sure Oracle exposes enough of SunMSCAPI to do that without having to export the key first, though.]
tommy
Pheox Support
Joined: May 30, 2005
Messages: 148
Hi Chris,
A key pair generator is already on our top list together with CNG support and some other utility features.
The biggest problem right now is actually to decide where it should be deployed, i.e. in a minor release or together with CNG support in a major release of JCAPI.
But I can tell you that it will come.
Thanks for your constructive input. It's much appreciated.
Regards,
Tommy