
Re: Cross-platform authentication



Michael Hall wrote:

>Although I think a java KeyStore may still be the solution to my
>original cross-platform problem, since I can't count on a login
>keychain or even access permissions being present. One problem there
>being a single KeyStore password might be required rather than
>KeyStore + alias passwords. So somewhat weaker protection for secure
>private information like mysql passwords.

Try creating a "JKS" keystore and finding out how it uses its password
args.  This appears to be fairly easy to do.  I think the 'keytool' command
can do it.

Then create a single-purpose KeyStore that contains only the one key or
database password or whatever your access-granting token is.  Your
user-interactive dialog initially prompts for the KeyStore and/or key-item
password, and thereafter the single-purpose KeyStore remains open, loaded,
and accessible without any further dialogs.

Or if you don't believe the JKS KeyStore is encrypting the database
password sufficiently, then just do it all yourself with JCE's standard
password-based encryption (PBE), and read/write the encrypted data directly
in a file of your choice.

As simple as this seems, it appears to solve all the requirements you've
stated.  If it doesn't, you'll have to explain what it doesn't solve.

The one part you might have to tailor to a platform is the location of the
keystore-file.  I wouldn't just slam it into "user.home", but select a
location appropriate to the platform.

The keystore-file itself is presumably protected by PBE, so it's reasonably
safe against brute-force attacks on its encrypted data even if that data is
publicly visible.  File-system protections against overwriting are a
different story, though, so it may be wise to apply chmod if that's
available.

  -- GG
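The two approaches GG sketches above (a single-purpose keystore holding one secret, or rolling your own PBE with JCE) in working Java, as an added example that is not code from the thread, from Apple, or from the JDK project. It assumes the PKCS12 keystore type rather than JKS, because JKS only holds private keys and certificates and rejects a `SecretKeyEntry`; current JDKs encrypt PKCS12 entries with PBES2/AES. The alias, the passwords, the temp-directory paths and the sample secret are constructed for the demo; the PBKDF2 iteration count and the salt/IV layout are this example's own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class SingleSecretStore {

    // Assumption: PKCS12, not JKS, because JKS cannot hold a SecretKeyEntry.
    private static final String STORE_TYPE = "PKCS12";

    // Approach 1: a single-purpose keystore containing exactly one secret.
    // The store password protects the file's integrity MAC; the entry password
    // encrypts the secret itself, so the two can differ (keytool collapses them
    // for PKCS12, but the KeyStore API honours both).
    static void storeSecret(Path file, char[] storePw, String alias, char[] entryPw,
                            String secret) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null);                                   // fresh, empty store
        SecretKey raw = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "RAW");
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(raw),
                    new KeyStore.PasswordProtection(entryPw));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, storePw);
        }
        restrictToOwner(file);                                 // GG's "apply chmod" step
    }

    static String loadSecret(Path file, char[] storePw, String alias, char[] entryPw)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePw);                              // wrong storePw -> IOException
        }
        KeyStore.SecretKeyEntry e = (KeyStore.SecretKeyEntry)
                ks.getEntry(alias, new KeyStore.PasswordProtection(entryPw));
        if (e == null) throw new IllegalStateException("no entry named " + alias);
        return new String(e.getSecretKey().getEncoded(), StandardCharsets.UTF_8);
    }

    // Approach 2: plain JCE password-based encryption, no keystore.
    // Blob layout (this example's own format): salt(16) | iv(12) | AES-GCM ciphertext+tag.
    static byte[] pbeEncrypt(char[] password, byte[] plaintext) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16]; rnd.nextBytes(salt);
        byte[] iv = new byte[12];   rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(salt.length + iv.length + ct.length)
                         .put(salt).put(iv).put(ct).array();
    }

    static byte[] pbeDecrypt(char[] password, byte[] blob) throws Exception {
        ByteBuffer b = ByteBuffer.wrap(blob);
        byte[] salt = new byte[16]; b.get(salt);
        byte[] iv = new byte[12];   b.get(iv);
        byte[] ct = new byte[b.remaining()]; b.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        return c.doFinal(ct);   // AEADBadTagException on wrong password or tampered file
    }

    // PBKDF2 with a random per-file salt makes offline guessing of a leaked file slow.
    private static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                     .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(key, "AES");
    }

    // Owner-only permissions where the file system supports them (POSIX);
    // on Windows the profile directory's ACL has to do this job instead.
    private static void restrictToOwner(Path file) {
        try {
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException notPosix) {
            // e.g. NTFS: nothing to do here
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("secretstore");   // stand-in for a per-platform location
        char[] storePw = "store-pass".toCharArray(), entryPw = "entry-pass".toCharArray();
        Path p12 = dir.resolve("app.p12");
        storeSecret(p12, storePw, "mysql", entryPw, "s3cr3t-db-password");
        System.out.println("keystore round trip: " + loadSecret(p12, storePw, "mysql", entryPw));

        Path enc = dir.resolve("db.enc");
        Files.write(enc, pbeEncrypt("file-pass".toCharArray(),
                                    "s3cr3t-db-password".getBytes(StandardCharsets.UTF_8)));
        restrictToOwner(enc);
        System.out.println("PBE round trip: " + new String(
                pbeDecrypt("file-pass".toCharArray(), Files.readAllBytes(enc)), StandardCharsets.UTF_8));
    }
}
```

In both variants the user is prompted once; after `loadSecret` or `pbeDecrypt` returns, the secret lives only in process memory and no further dialog is needed. The GCM tag in the second variant also gives the integrity check that a bare PBE cipher lacks, so a file that has been overwritten is detected rather than silently decrypted to garbage.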


Java-dev mailing list      (email@hidden)