
PGP Keyrings in Keystore

roger_alluivall
Participant
0 Kudos

Hello all,

I have developed a SAP PI Module that encrypts and decrypts PGP messages. I deployed public and private keys inside the EAR file. However, I would like to be able, for further maintenance, to store them in SAP PI KeyStore. Do you think it is possible to store PGP Keyrings in SAP PI Keystore? If yes, could you tell me how?

Thanks in advance.

Roger Allué i Vall

Accepted Solutions (0)

Answers (4)

roger_alluivall
Participant
0 Kudos

The method getKeyFromKeystore() correctly returns the public key, but when I try to use it, it fails, because the keys are not PGP keys.

roger_alluivall
Participant
0 Kudos

Not possible.

roger_alluivall
Participant
0 Kudos

This is the piece of code where I use the method above:


[...]
msg = (Message) inputModuleData.getPrincipalData();
amk = new MessageKey(msg.getMessageId(), msg.getMessageDirection());
in = new ByteArrayInputStream(msg.getDocument().getContent());
action = moduleContext.getContextData(C_ACTION_STRING);
if (action.equals("ENCRYPT")) {
    pubKeyStr = moduleContext.getContextData(C_PUBLICKEY_STRING);
    // Previous approach: load the key from a resource packaged in the EAR
    //keyIn = this.getClass().getResourceAsStream(pubKeyStr);
    keyIn = getKeyFromKeystore();

    if (keyIn != null) {
        // Module parameter: produce ASCII-armored output or not
        if (moduleContext.getContextData(C_ARMORED_STRING).equals(C_YES_STRING)) {
            armored = true;
        } else {
            armored = false;
        }

        // Module parameter: add the integrity check or not
        if (moduleContext.getContextData(C_INTEGRITYCHECK_STRING).equals(C_YES_STRING)) {
            withIntegrityCheck = true;
        } else {
            withIntegrityCheck = false;
        }
        encryptStream(in, out, readPublicKey(keyIn), armored, withIntegrityCheck);
    }
}
[...]

roger_alluivall
Participant
0 Kudos

As additional information, I'm using the Bouncy Castle Java libraries to encrypt and decrypt PGP messages.

Former Member
0 Kudos

Roger,

I'm not familiar with the GPA suite, but it looks like the keyring thing is a feature aimed at containing key pairs... Is there any way to export the key pairs w/o exporting the keyring (pfx? p12?)... Usually, those security suites rely on open standards and formats. Can you post the code (or a sample you've used to code) that you use to handle the keys (or keyring)?

Chris

Edited by: Christophe PFERTZEL on Jan 20, 2010 10:29 AM

roger_alluivall
Participant
0 Kudos

This is a piece of the code I use to read certificates from KeyStore:

private InputStream getKeyFromKeystore() {

    String privKeyView = "DEFAULT";
    ByteArrayInputStream key = null;
    // Password protecting the keystore entry (hard-coded in this snippet)
    PasswordProtection pass = new PasswordProtection("test1".toCharArray());

    try {
        SAPSecurityResources secRes = SAPSecurityResources.getInstance();
        KeyStoreManager ksMgr = secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL);
        java.security.KeyStore ks = ksMgr.getKeyStore(privKeyView);
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("ENTRY", pass);
        Certificate cert = pkEntry.getCertificate();
        PublicKey pubKey = cert.getPublicKey();
        // getEncoded() returns the X.509 (SubjectPublicKeyInfo) encoding of the key
        key = new ByteArrayInputStream(pubKey.getEncoded());
    } catch (Exception e) {
        // Log the message and the full stack trace; key stays null on failure
        addInfo("Exception: " + e.getMessage());
        StackTraceElement[] stack = e.getStackTrace();
        for (int i = 0; i < stack.length; i++) {
            addInfo("Exception: " + stack[i].toString());
        }
    }
    return key;
}
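
The format mismatch discussed in this thread, as an added example that is not part of the original posts: `PublicKey.getEncoded()` yields X.509 DER, which an OpenPGP key reader cannot parse, so the JCA key is wrapped as an OpenPGP key object instead. It assumes an RSA key and a Bouncy Castle bcpg release that provides `JcaPGPKeyConverter`; the class name, `KEY_CREATED` and the generated key pair are constructed for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Date;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyConverter;

public class KeystoreKeyAsPgp {

    // Hypothetical fixed creation time. The OpenPGP key ID is computed over the
    // creation time as well as the key material, so the encrypting and the
    // decrypting side must use the same value or the key IDs will not match.
    static final Date KEY_CREATED = new Date(1262304000000L); // 2010-01-01T00:00:00Z

    // Tells apart the encodings that get confused when a keystore key is
    // handed to an OpenPGP key reader.
    static String describe(byte[] enc) {
        if (enc.length == 0) return "empty";
        int b = enc[0] & 0xFF;
        if (b == 0x30) return "ASN.1 DER (X.509 SubjectPublicKeyInfo)";
        if (b == '-') return "ASCII armor or PEM text";
        if ((b & 0x80) != 0) return "OpenPGP binary packet";
        return "unknown";
    }

    // Wraps a JCA RSA public key (e.g. cert.getPublicKey()) as an OpenPGP key.
    static PGPPublicKey wrap(PublicKey jcaKey, Date created) throws PGPException {
        return new JcaPGPKeyConverter()
                .getPGPPublicKey(PGPPublicKey.RSA_GENERAL, jcaKey, created);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the public key behind the keystore entry.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey jcaKey = gen.generateKeyPair().getPublic();

        System.out.println("JCA getEncoded(): " + describe(jcaKey.getEncoded()));

        PGPPublicKey a = wrap(jcaKey, KEY_CREATED);
        PGPPublicKey b = wrap(jcaKey, KEY_CREATED);
        PGPPublicKey c = wrap(jcaKey, new Date(KEY_CREATED.getTime() + 1000));
        System.out.println("PGP getEncoded(): " + describe(a.getEncoded()));
        System.out.println("same time, same key ID:  " + (a.getKeyID() == b.getKeyID()));
        System.out.println("other time, same key ID: " + (a.getKeyID() == c.getKeyID()));
    }
}
```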

Former Member
0 Kudos

I think that if you're able to store them using an accepted format, that shouldn't be an issue! Have you looked at the KeyStore specifications (available from Javadoc pages)?

Chris

roger_alluivall
Participant
0 Kudos

Hello Chris,

Thanks for your quick answer. I'll try to explain what I tried, so maybe you can find if I'm doing something wrong. I generated a keyring with GPA (GNU Privacy Assistant). I exported the private key and public key and added them to my module. Everything works fine. I can encrypt and decrypt files using the private and public key inside the EAR.

For maintenance reasons I would like to configure the keys in a place that is easily accessible (for example to regenerate the key) without regenerating the EAR.

The problem is when I try to import these keys into a view (I used DEFAULT) in SAP PI Keystore. It expects a key pair or an X.509 certificate and I have a public and private key, so it fails when trying to import them. It doesn't like their format. However, this is the only format in which I can export the keyring from GPA. What I tried is to generate a private key and public key directly in SAP PI Keystore. I can obtain it with Java libraries, but when I try to obtain the key it fails because it can find it in the keyring. I think it's because it's not a keyring. Do you think I'm doing something wrong? Am I trying to do something that is not possible to be done?

Thanks in advance.

Roger Allué i Vall.