Example: Developing a key or key pair generation class for automated key generation
A class that generates keys for cryptographic operations can be created automatically. With this capability, the key management infrastructure can maintain a list of keys for a predefined key set, and applications can access these keys.
We can schedule new key generation at predefined frequencies. Remember that key generation frequency affects the security of the data. For example, for persistent data, we might schedule key generation less frequently than for real time communications, which require that the keys be generated more often as old keys expire.
When you develop a key generation class, decide if we are creating a shared key or a key pair because this decision determines the interface use.
If developing shared keys, refer to the following example, which uses the KeyGenerator class to implement the com.ibm.websphere.crypto.KeyGenerator interface. The interface returns a java.security.Key key, which is stored as a SecretKey in a JCEKS keystore type. Use any other keystore type that supports storing secret keys.
package com.ibm.test; import java.util.*; import com.ibm.ws.ssl.core.*; import com.ibm.ws.ssl.config.*; import com.ibm.websphere.crypto.KeyException; public class KeyGenerator implements com.ibm.websphere.crypto.KeyGenerator { private java.util.Properties customProperties = null; private java.security.Key secretKey = null; public KeyGenerator() { } /** * This method is called to pass any custom properties configured with * the KeySet to the implementation of this interface. * * @param java.util.Properties **/ public void init (java.util.Properties customProps) { customProperties = customProps; } /** * This method is called whenever a key needs to be generated either * from the schedule or manually requested. The key is stored in the * KeyStore referenced by the configured KeySet that contains the * keyGenerationClass implementing this interface. The implementation of * this interface manages the key type. The user of the KeySet * must know the type that is returned by this keyGenerationClass. * * @return java.security.Key * @throws com.ibm.websphere.crypto.KeyException **/ public java.security.Key generateKey () throws KeyException { try { // Assume generate3DESKey is there to create the key. byte[] tripleDESKey = generate3DESKey(); secretKey = new javax.crypto.spec.SecretKeySpec(tripleDESKey, 0, 24, "3DES"); if (secretKey != null) { return secretKey; } else { throw new com.ibm.websphere.crypto.KeyException ("Key could not be generated."); } } catch (Exception e) { e.printStackTrace(); // handle exception } } }If developing a key pair, refer to the following example, which uses the KeyPairGenerator class to implement the com.ibm.websphere.crypto.KeyPairGenerator interface.
package com.ibm.test; import java.util.*; import javax.crypto.spec.SecretKeySpec; import com.ibm.websphere.crypto.KeyException; /** * This implementation defines the method to generate a java.security.KeyPair. * When a keyGeneration class implements this method, the generateKeyPair method * is called and a KeyPair is stored in the keystore. The isKeyPair * attribute is ignored since the KeyGenerationClass is an * implementation of KeyPairGenerator. The isKeyPair attributes is for when * the keys already exist in a KeyStore, and are just read (not * generating them). * * @author IBM Corporation * @version WAS 6.1 * @since WAS 6.1 **/ public class KeyPairGenerator implements com.ibm.websphere.crypto.KeyPairGenerator { private java.util.Properties customProperties = null; public KeyPairGenerator() { } /** * This method is called to pass any custom properties configured with * the KeySet to the implementation of this interface. * * @param java.util.Properties **/ public void init (java.util.Properties customProps) { customProperties = customProps; } /** * This method is called whenever a key needs to be generated either * from the schedule or manually requested and isKeyPair=true in the KeySet * configuration. The key is stored in the KeyStore referenced by * the configured KeySet which contains the keyGenerationClass implementing * this interface. The implementation of this interface manages the * type of the key. The user of the KeySet must know the type that * is returned by this keyGenerationClass. * * @return com.ibm.websphere.crypto.KeyPair * @throws com.ibm.websphere.crypto.KeyException **/ public com.ibm.websphere.crypto.KeyPair generateKeyPair () throws KeyException { try { java.security.KeyPair keyPair = generateKeyPair(); // Store as SecretKeySpec if (keyPair != null) { java.security.PrivateKey privKey = keyPair.getPrivate(); java.security.PublicKey pubKey = keyPair.getPublic(); SecretKeySpec publicKeyAsSecretKey = new SecretKeySpec (pubKey.getEncoded(), "RSA_PUBLIC"); SecretKeySpec privateKeyAsSecretKey = new SecretKeySpec (privKey.getEncoded(), "RSA_PRIVATE"); com.ibm.websphere.crypto.KeyPair pair = new com.ibm.websphere.crypto.KeyPair(publicKeyAsSecretKey, privateKeyAsSecretKey); return pair; } else { throw new com.ibm.websphere.crypto.KeyException ("Key pair could not be generated."); } } catch (Exception e) { e.printStackTrace(); // handle exception } } }This interface returns a com.ibm.websphere.crypto.KeyPair key pair, which can contain either a X509Certificate and PrivateKey object or PublicKey and PrivateKey objects. If the com.ibm.websphere.crypto.KeyPair interface contains aX509Certificate and PrivateKey object, the certificate and private key are stored in the keystore. Consequently, they can use any KeyStore type.
If the com.ibm.websphere.crypto.KeyPair interface contains PublicKey and PrivateKey objects, convert the encoded values to the SecretKeySpec object in order to store them. The WAS runtime stores and retrieves the key pair as secret keys. The runtime converts the key pair back to PublicKey and PrivateKey objects when the server retrieves the pair during the handshake. Use the following constructors to develop the com.ibm.websphere.crypto.KeyPair interface:
- Public and private constructor
public KeyPair(java.security.Key publicKey, java.security.Key privateKey)- Certificate and private constructor.
public KeyPair(java.security.cert.Certificate[] certChain, java.security.Key privateKey)
The previous example code shows the KeyPairGenerator class using the public and private constructor. Each call to this class generates a new and unique key pair, and this class is invoked by a KeySet to create a new key pair when isKeyPair=true. The version number in the key set increments each time it is called.
Related tasks
Create a key set group configuration