Key Storage

The encryption adapter has the facility to store public, private, and secret keys. These keys will be stored in the non-volatile storage on the card. As well as key storage, it is also possible to store X.509 Certificates (which contain a public key). SafeNet ProtectToolkit-J provides access to this storage mechanism via the JCE KeyStore API. The JCE name for this KeyStore is CRYPTOKI.

The JCE KeyStore API allows storage of a Key and an associated alias. This alias is simply a unique string which may be used to access the key. To store a key in the key store, use the setKeyEntry() method. To retrieve a key, use the getKey() method. Keys may be removed from the KeyStore using the deleteEntry() method.

Currently, only two types of keys may be stored in the SafeNet ProtectToolkit-J KeyStore: either SafeNet ProtectToolkit-J keys or javax.crypto.spec.SecretKeySpec keys. Other key types must be converted to their SafeNet ProtectToolkit-J equivalents before storage.

Currently, the Certificate support is based on Sun’s Certificate implementation which is only available on the Sun Java2 JVM.

Per-key password protection is not supported, so a null password may be supplied to the methods used to store and retrieve keys from the KeyStore. The password provided to the load() method will be used to log in to the token, so to access private objects on the token it is necessary to provide the PIN. If a PIN is not supplied, all objects will be stored as public objects. When a PIN is supplied, only PublicKey and Certificate objects will be stored as public objects; all others will be private. In either case, the stream passed to the store() and load() methods will not change the contents of the key store.

Keys stored in the KeyStore are the only thread-safe SafeNet ProtectToolkit-J keys. A key instance obtained from the KeyStore.getKey() method may be used in multiple Cipher, MAC, and Signature instances.

The following example will create a new random DES key, and then store that key in the KeyStore. Note that even though we first create the key and then store it, the actual key value will not leave the hardware and therefore remains secure.

import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;

// Generate the DES key inside the token; the key value never leaves the hardware.
KeyGenerator keyGen = KeyGenerator.getInstance("DES", "SAFENET");
Key key = keyGen.generateKey();
KeyStore keyStore = KeyStore.getInstance("CRYPTOKI", "SAFENET");
keyStore.load(null, null);                        // no stream; null PIN means the key is stored as a public object
keyStore.setKeyEntry("des key", key, null, null); // per-key passwords are unsupported; a secret key has no certificate chain

The following example can be used to access the previously stored key:

import java.security.Key;
import java.security.KeyStore;

KeyStore keyStore = KeyStore.getInstance("CRYPTOKI", "SAFENET");
keyStore.load(null, null);                  // null PIN: only public objects are visible
Key key = keyStore.getKey("des key", null); // returns the thread-safe hardware key handle, or null if the alias is absent
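The two fragments above leave out the part that matters most in practice: logging in with the token PIN so that the secret key becomes a private object, and then using the retrieved handle with the same provider. The following complete program is an added example, not code from SafeNet or from this manual. It assumes the SAFENET provider is already registered, that it offers an "AES" KeyGenerator and an "AES/CBC/PKCS5Padding" Cipher (the manual only shows DES), and that the PIN is supplied on the command line; the alias, the sample plaintext and the class name are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added example (not ProtectToolkit-J's own code): the full lifecycle of a
 * token-resident secret key through the CRYPTOKI KeyStore.
 * Assumptions: the "SAFENET" provider is registered, it supports an AES
 * KeyGenerator and an "AES/CBC/PKCS5Padding" Cipher, and args[0] is the PIN.
 */
public class CryptokiKeyStoreExample {

    private static final String PROVIDER = "SAFENET";
    private static final String KEYSTORE_TYPE = "CRYPTOKI";
    private static final String ALIAS = "app-data-key"; // constructed alias

    public static void main(String[] args) throws Exception {
        // The PIN given to load() logs in to the token. Without it the store
        // still opens, but every object created afterwards is a public object.
        if (args.length < 1) {
            throw new IllegalArgumentException("usage: CryptokiKeyStoreExample <token-PIN>");
        }
        char[] pin = args[0].toCharArray();

        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER);
        keyStore.load(null, pin); // no InputStream: the contents live on the token

        // Generate the key inside the hardware; its value never crosses the API.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES", PROVIDER); // assumed algorithm
        keyGen.init(256);
        Key generated = keyGen.generateKey();

        // Per-key passwords are not supported, hence the null password.
        // A secret key has no certificate chain, hence the null chain.
        keyStore.setKeyEntry(ALIAS, generated, null, null);

        // Retrieve it by alias; this handle is the thread-safe form of the key.
        Key stored = keyStore.getKey(ALIAS, null);
        if (stored == null) {
            throw new IllegalStateException("alias not found after storing: " + ALIAS);
        }

        // Use the handle with the same provider: a token key cannot be handed
        // to a software Cipher. Two independent Cipher instances share the key.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] plaintext = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", PROVIDER); // assumed transformation
        enc.init(Cipher.ENCRYPT_MODE, stored, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", PROVIDER);
        dec.init(Cipher.DECRYPT_MODE, stored, new IvParameterSpec(iv));
        byte[] roundTrip = dec.doFinal(ciphertext);
        if (!Arrays.equals(plaintext, roundTrip)) {
            throw new IllegalStateException("decrypt did not return the original plaintext");
        }

        // Enumerate what the logged-in session can see, separating key entries
        // from certificate entries (certificates are stored as public objects).
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = keyStore.isKeyEntry(alias) ? "key"
                        : keyStore.isCertificateEntry(alias) ? "certificate" : "other";
            System.out.println(alias + " : " + kind);
        }

        // Remove the key from the token once it is no longer needed.
        keyStore.deleteEntry(ALIAS);
        Arrays.fill(pin, '\0'); // clear the PIN from memory after use
    }
}
```

Run it as `java CryptokiKeyStoreExample <token-PIN>`. Running the same program with a null PIN would still succeed, but the stored key would be a public object on the token, which is the behaviour the text above describes and the reason the example refuses to run without one.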