Re: KeychainStore can only read one private key at most?





Bruno Harbulot wrote:
In short, the bug that consists of only one private key being presented at most is going to entail another bug (or request for enhancement) to make it possible to distinguish between the various keys in a useful manner. The two problems are closely linked and should certainly be addressed at the same time.


I had overlooked something here, and the second problem might be rather
minor (it would have a work-around if it was possible to load more than one key).
Indeed, the fact that isCertificateEntry(alias) returns false does not
mean that getCertificate(alias) will return null.
I had paid attention to write my test using this without "else" in
between the "if" statements, but it wasn't enough:
if (keyStore.isKeyEntry(alias)) { /* ... */ }
if (keyStore.isCertificateEntry(alias)) { /* ... */ }



The code attached at the end of this e-mail produces this for the two entries corresponding to my pair of key and certificate:

 - Alias: bruno harbulot 1
     isKeyEntry? false
     isCertificateEntry? true
    Subject DN: CN=bruno harbulot,L=MC,OU=Manchester,O=eScience,C=UK
  Does getKey work on this certificate entry as well? false

 - Alias: bruno harbulot
     isKeyEntry? true
     isCertificateEntry? false
    Key loaded successfully. Type: PKCS#8
  Does getCertificate work on this key entry? Yes CN=bruno harbulot,L=MC,OU=Manchester,O=eScience,C=UK

It is thus possible to retrieve the corresponding certificate from a key
alias, even if isCertificateEntry returns false. The opposite is not
true (it doesn't seem to be possible to get the key from the
certificate, even if it's there).
This is probably the reason why the alias corresponding to the CN of the
certificate is used for the key entry.
I find it a bit confusing, but this is fine in fact. Anyway, this is
compliant with the documentation about KeyStore.


This does not solve the main problem: only one private key is returned. Naming will also remain an issue since there can be several certificates with the same CN and it seems impossible to rename the certificates in the Keychain utility.


Regards,


Bruno.



import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeychainStoreAliases {
	public static void main(String[] args) throws Exception {
		KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
		keyStore.load(null, null);

		System.out.println("List of the aliases present in the keystore (" + keyStore.getType() + ")");
		Enumeration<String> aliases = keyStore.aliases();
		while (aliases.hasMoreElements()) {
			String alias = aliases.nextElement();
			System.out.println(" - Alias: " + alias);
			System.out.println("     isKeyEntry? " + keyStore.isKeyEntry(alias));
			System.out.println("     isCertificateEntry? " + keyStore.isCertificateEntry(alias));
			if (keyStore.isKeyEntry(alias)) {
				try {
					// "-" is a placeholder key password used by this test.
					PrivateKey key = (PrivateKey) keyStore.getKey(alias, "-".toCharArray());
					System.out.println("    Key loaded successfully. Type: " + key.getFormat());
				} catch (RuntimeException e) {
					System.out.println("    Key failed to load (" + e.getMessage() + ")");
				}
				// getCertificate is tried on the key alias even though isCertificateEntry is false.
				Certificate certificate = keyStore.getCertificate(alias);
				String subject = "";
				if (certificate instanceof X509Certificate) {
					subject = ((X509Certificate) certificate).getSubjectX500Principal().getName();
				}
				System.out.println("  Does getCertificate work on this key entry? "
						+ ((certificate != null) ? "Yes " + subject : "No"));
			}
			if (keyStore.isCertificateEntry(alias)) {
				Certificate certificate = keyStore.getCertificate(alias);
				if (certificate instanceof X509Certificate) {
					X509Certificate x509certificate = (X509Certificate) certificate;
					System.out.println("    Subject DN: " + x509certificate.getSubjectX500Principal().getName());
				} else {
					System.out.println("    Unknown format certificate.");
				}
				// The reverse lookup: is a private key reachable from the certificate alias?
				System.out.println("  Does getKey work on this certificate entry as well? "
						+ (keyStore.getKey(alias, "-".toCharArray()) != null));
			}
			System.out.println();
		}
	}
}
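As an added example (not Bruno's code, and not part of the Apple provider), the following uses the behaviour observed above, getCertificate() succeeding on a key alias, to pair each key entry with its certificate entry by the SHA-256 fingerprint of the DER-encoded certificate rather than by the CN-derived alias, which can collide when several certificates share a CN. The class name is hypothetical; the "-" placeholder password is the same one the post uses.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class KeychainKeyCertPairing {
    // Hex SHA-256 of the DER-encoded certificate: a stable identity that,
    // unlike an alias derived from the CN, cannot collide between two certificates.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
        keyStore.load(null, null);
        // First pass: index every certificate entry by fingerprint.
        Map<String, String> certAliasByFingerprint = new HashMap<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isCertificateEntry(alias)) {
                certAliasByFingerprint.put(fingerprint(keyStore.getCertificate(alias)), alias);
            }
        }
        // Second pass: for each key entry, take the certificate returned for the key
        // alias (this works even though isCertificateEntry is false for it) and look
        // up which certificate entry carries the same fingerprint.
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) keyStore.getKey(alias, "-".toCharArray()); // placeholder password
            Certificate cert = keyStore.getCertificate(alias);
            if (key == null || !(cert instanceof X509Certificate)) {
                System.out.println("Key entry '" + alias + "': no usable key/certificate");
                continue;
            }
            String fp = fingerprint(cert);
            String certAlias = certAliasByFingerprint.getOrDefault(fp, "<no certificate entry>");
            System.out.println("Key entry '" + alias + "' (" + key.getAlgorithm() + ")");
            System.out.println("  subject:    " + ((X509Certificate) cert).getSubjectX500Principal().getName());
            System.out.println("  sha256:     " + fp);
            System.out.println("  cert entry: " + certAlias);
        }
    }
}
```

The fingerprint, not the alias, is what to record or compare when a Keychain holds several certificates for the same subject.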

Java-dev mailing list      (email@hidden)




