Specifying NDBS as a Keystore SPI

As an example of how to specify NDBS as a keystore service provider, a test program called ShowAliases.java is provided within the NDBS 2.0 zip file. To specify NDBS as the keystore service provider, call java.security.KeyStore.getInstance("NDBS"). Sample code is provided in Figure 2.

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;

public class ShowAliases {
    public static void main(String[] args) {
        if (args.length == 0 || args.length > 2) {
            System.out.println("Syntax: java ShowAliases keystore-configuration-file [password]");
            return;
        }
        KeyStore keyStore;
        String password;
        InputStream keyStoreFile;
        int count = 1;
        try {
            // Gets NDBS instance
            keyStore = KeyStore.getInstance("NDBS");
            // Checks if password was not provided, and if not sets it as the empty string
            if (args.length > 1) {
                password = args[1];
            } else {
                password = "";
            }
            // Opens the configuration file (testdb); NDBS reads key3.db and cert7.db
            // from the PATH entry inside it
            keyStoreFile = new FileInputStream(args[0]);
            // Loads keystore
            keyStore.load(keyStoreFile, password.toCharArray());
            keyStoreFile.close();
            // Displays number of entries in keystore
            System.out.println("File contains " + keyStore.size() + " certificates.");
            // Displays certificate aliases in keystore
            for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
                System.out.println(count + ". " + e.nextElement());
                count++;
            }
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
}

Figure 2: Code Sample from ShowAliases.java
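An added example (not code from the NDBS distribution or from ShowAliases.java) that goes one step further than Figure 2: it lists each entry with its type, subject and SHA-1 fingerprint, flags certificates outside their validity period, and reads the password from the terminal rather than from the command line, where it would be visible in the process list and shell history. It assumes the NDBS provider is already registered with the JCA so that KeyStore.getInstance("NDBS") resolves; the class name NdbsInventory and its helper methods are mine, not part of NDBS.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Added example, not part of NDBS: inventories an NDBS keystore (key3.db/cert7.db
 * reached through the testdb configuration file). Assumes the NDBS provider is
 * registered with the JCA so that KeyStore.getInstance("NDBS") succeeds.
 */
public class NdbsInventory {

    /** Colon-separated hex SHA-1 digest of the certificate's DER encoding. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Prints one entry: kind (key/cert), alias, validity status, subject and fingerprint. */
    static void describe(KeyStore ks, String alias) throws Exception {
        String kind = ks.isKeyEntry(alias) ? "key" : ks.isCertificateEntry(alias) ? "cert" : "other";
        Certificate cert = ks.getCertificate(alias);   // for a key entry this is the end-entity cert
        if (cert instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) cert;
            String status = "valid";
            try {
                x509.checkValidity();
            } catch (CertificateExpiredException ex) {
                status = "EXPIRED since " + x509.getNotAfter();
            } catch (CertificateNotYetValidException ex) {
                status = "NOT YET VALID before " + x509.getNotBefore();
            }
            System.out.printf("%-5s %-30s %s%n      subject=%s%n      sha1=%s%n",
                    kind, alias, status, x509.getSubjectX500Principal().getName(), fingerprint(x509));
        } else {
            System.out.printf("%-5s %-30s (no X.509 certificate)%n", kind, alias);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("Usage: java NdbsInventory keystore-configuration-file");
            System.exit(1);
        }
        // Prompt for the password instead of taking it from argv; fall back to the
        // empty password when no terminal is attached (same default as ShowAliases).
        Console console = System.console();
        char[] password = console != null
                ? console.readPassword("Keystore password (empty if none): ")
                : new char[0];
        KeyStore ks = KeyStore.getInstance("NDBS");
        try (InputStream config = new FileInputStream(args[0])) {
            ks.load(config, password);
        } finally {
            Arrays.fill(password, '\0');   // scrub the password once it has been used
        }
        System.out.println(ks.size() + " entries:");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            describe(ks, e.nextElement());
        }
    }
}
```

Run it as `java NdbsInventory testdb` from the directory holding the configuration file; the PATH entry in testdb decides where key3.db and cert7.db are read from.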

Specifying a Different Crypto Provider

The default algorithm names supported by NDBS 2.0 are:

HMAC with SHA-1: HmacSha1, HMAC/SHA, HMACwithSHA1
Triple DES with CBC and Standard Block Padding: DESede/CBC/PKCS5Padding, Triple-DES/CBC

If the crypto provider is not one of those listed in Table 6, make sure that it supports Triple DES with CBC and Standard Block Padding and HMAC with SHA-1, and install it according to its documentation. If the provider's names for these algorithms are not among the default names listed above, set the TRIPLE_DES_ALGORITHM_NAME and HMAC_SHA1_ALGORITHM_NAME entries in the configuration file (testdb) to the algorithm names given in the provider's documentation.

Table 7 shows a list of crypto providers that support the specified default algorithm names.

Provider Name   Triple DES Algorithm Name   HMAC/SHA1 Algorithm Name
SunJCE          DESede/CBC/PKCS5Padding     HmacSha1
IAIK            DESede/CBC/PKCS5Padding     HMAC/SHA
JCSI            DESede/CBC/PKCS5Padding     HMACwithSHA1

Table 7: Providers and supported algorithm names

For additional information on JCE 1.2 compliant crypto providers and supported algorithms, see
http://www.nue.et-inf.uni-siegen.de/SignStreams/csp/overview_provider.html.

For example, if Crypto-J were used as the crypto provider, the configuration file would look like Table 8, which is the testdbalgo file included in the zip file.

# Read key3.db and cert7.db from the specified directory.
# Provide the specified directory to the key3.db and cert7.db.
# If the backslash character is required as part of the PATH, then 
# double backslash must be used. For example, you would specify
# a PATH=d:\ndbs\doc as PATH=d:\\ndbs\\doc.
PATH=.

# This allows the keystore class to be set dynamically.
KEYSTORE_CLASS_NAME=edu.cmu.sei.cbs.ndbs.NetscapeKeyStore

# This sets the TripleDES algorithm name dynamically.
# Provide the Triple DES algorithm name for the crypto 
# provider installed, if it does not use one of the default
# algorithm names DESede/CBC/PKCS5Padding or Triple-DES/CBC.
# For example, you may specify an algorithm name as 
# TRIPLE_DES_ALGORITHM_NAME=DESede/CBC/PKCS5Padding with no
# quote around the algorithm name.
# TRIPLE_DES_ALGORITHM_NAME=3DES_EDE/CBC/PKCS5Padding

# This sets the HmacSha1 algorithm name dynamically.
# Provide the HMAC/SHA1 algorithm name for the crypto 
# provider installed, if it does not use one of the default
# algorithm names HmacSha1, HMACwithSHA1, or HMAC/SHA.
# For example, you may specify an algorithm name as 
# HMAC_SHA1_ALGORITHM_NAME=HmacSha1 with no quote
# around the algorithm name.
#HMAC_SHA1_ALGORITHM_NAME=HMAC/SHA1

Table 8: Configuration file with entries for non-default algorithm names
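Before editing the TRIPLE_DES_ALGORITHM_NAME and HMAC_SHA1_ALGORITHM_NAME entries, it is worth checking which names the providers installed in the JVM actually resolve. The following is an added example, not part of NDBS: it tries each algorithm name this document lists (plus the 3DES_EDE/CBC/PKCS5Padding name from the Crypto-J example above) against the installed JCA providers and prints the entries to put in testdb. An optional first argument restricts the check to one provider by name. The class and method names are mine.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;

/**
 * Added example, not part of NDBS: reports which Triple DES (CBC, PKCS#5 padding)
 * and HMAC-SHA1 algorithm names resolve against the installed JCA providers.
 * Candidate names are the ones given in the NDBS 2.0 documentation; no others are assumed.
 * Usage: java CheckNdbsAlgorithms [provider-name]
 */
public class CheckNdbsAlgorithms {

    static final String[] TRIPLE_DES_NAMES = {
        "DESede/CBC/PKCS5Padding", "Triple-DES/CBC", "3DES_EDE/CBC/PKCS5Padding" };
    static final String[] HMAC_SHA1_NAMES = {
        "HmacSha1", "HMAC/SHA", "HMACwithSHA1", "HMAC/SHA1" };

    /** Provider that serves the cipher transformation, or null if none (or not the requested one) does. */
    static String cipherProvider(String transformation, String onlyProvider) {
        try {
            Cipher c = onlyProvider == null ? Cipher.getInstance(transformation)
                                            : Cipher.getInstance(transformation, onlyProvider);
            return c.getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchPaddingException | NoSuchProviderException e) {
            return null;
        }
    }

    /** Provider that serves the MAC algorithm, or null if none (or not the requested one) does. */
    static String macProvider(String algorithm, String onlyProvider) {
        try {
            Mac m = onlyProvider == null ? Mac.getInstance(algorithm)
                                         : Mac.getInstance(algorithm, onlyProvider);
            return m.getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            return null;
        }
    }

    /** Prints one line per candidate and returns the first name that resolves, or null. */
    static String firstResolving(String label, String[] candidates, boolean cipher, String onlyProvider) {
        String chosen = null;
        for (String name : candidates) {
            String prov = cipher ? cipherProvider(name, onlyProvider) : macProvider(name, onlyProvider);
            System.out.printf("  %-28s %s%n", name, prov == null ? "not available" : "served by " + prov);
            if (chosen == null && prov != null) chosen = name;
        }
        if (chosen == null) {
            System.out.println("  !! no " + label + " name resolves; NDBS needs this algorithm");
        }
        return chosen;
    }

    public static void main(String[] args) {
        String onlyProvider = args.length > 0 ? args[0] : null;
        System.out.println("Installed providers, in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
        System.out.println("Triple DES / CBC / PKCS#5 candidates:");
        String des = firstResolving("Triple DES", TRIPLE_DES_NAMES, true, onlyProvider);
        System.out.println("HMAC-SHA1 candidates:");
        String mac = firstResolving("HMAC-SHA1", HMAC_SHA1_NAMES, false, onlyProvider);
        if (des != null && mac != null) {
            System.out.println("Entries for the configuration file (testdb):");
            System.out.println("TRIPLE_DES_ALGORITHM_NAME=" + des);
            System.out.println("HMAC_SHA1_ALGORITHM_NAME=" + mac);
        }
    }
}
```

JCA algorithm lookups are case-insensitive, so on a stock JDK HmacSha1 resolves to SunJCE's HmacSHA1 while HMAC/SHA and HMACwithSHA1 do not; a name that resolves only through a provider other than the one you intend NDBS to use shows up in the "served by" column, which is why the provider-name argument exists.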

Adding Other Keystore Implementations

Currently, NDBS 2.0 supports only the Netscape Database Keystore, but the system is designed with extensibility features that will allow it to support other keystore files, such as Microsoft Crypto Service Provider (CSP) keystore files. To add another keystore implementation, create a new Java class that implements the GenericKeyStore interface. For details on the GenericKeyStore interface, see the JavaDoc documentation, index.html.

For example, if the new keystore is called CSPKeyStore, then the configuration file (testdb) must also specify the new keystore class name with KEYSTORE_CLASS_NAME=edu.cmu.sei.cbs.ndbs.CSPKeyStore. This sets the class that implements GenericKeyStore to edu.cmu.sei.cbs.ndbs.CSPKeyStore. The configuration file should look like Table 9 below.

# Read key3.db and cert7.db from the specified directory.
# Provide the specified directory to the key3.db and cert7.db.
# If the backslash character is required as part of the PATH, then 
# double backslash must be used. For example, you would specify
# a PATH=d:\ndbs\doc as PATH=d:\\ndbs\\doc.
PATH=.

# This allows the keystore class to be set dynamically.
KEYSTORE_CLASS_NAME=edu.cmu.sei.cbs.ndbs.CSPKeyStore

# This sets the TripleDES algorithm name dynamically.
# Provide the Triple DES algorithm name for the crypto 
# provider installed, if it does not use one of the default
# algorithm names DESede/CBC/PKCS5Padding or Triple-DES/CBC.
# For example, you may specify an algorithm name as 
# TRIPLE_DES_ALGORITHM_NAME=DESede/CBC/PKCS5Padding with no 
# quote around the algorithm name.
# TRIPLE_DES_ALGORITHM_NAME=

# This sets the HmacSha1 algorithm name dynamically.
# Provide the HMAC/SHA1 algorithm name for the crypto 
# provider installed, if it does not use one of the default
# algorithm names HmacSha1, HMACwithSHA1, or HMAC/SHA.
# For example, you may specify an algorithm name as 
# HMAC_SHA1_ALGORITHM_NAME=HmacSha1 with no 
# quote around the algorithm name.
#HMAC_SHA1_ALGORITHM_NAME=

Table 9: Configuration file with new keystore implementation
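Because KEYSTORE_CLASS_NAME names a class that is loaded dynamically, the configuration file decides which code runs inside the process; it should be writable only by the account that runs the application, and the class it names should be checked before it is used. The following added example (not part of NDBS) reads testdb as a java.util.Properties file, checks that PATH points at a directory containing key3.db and cert7.db, that KEYSTORE_CLASS_NAME resolves on the classpath to a class implementing GenericKeyStore, and shows what the backslash rule in the file's comments does to a Windows path. The fully qualified interface name edu.cmu.sei.cbs.ndbs.GenericKeyStore is an assumption (the document gives that package only for the keystore classes); the class and method names in the example are mine.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Added example, not part of NDBS: sanity-checks an NDBS configuration file (testdb)
 * before the keystore is opened. The interface name below is assumed, not taken
 * from the NDBS JavaDoc.
 */
public class CheckNdbsConfig {

    static final String GENERIC_KEYSTORE = "edu.cmu.sei.cbs.ndbs.GenericKeyStore"; // assumed FQN

    static Properties load(File file) throws IOException {
        Properties cfg = new Properties();
        try (InputStream in = new FileInputStream(file)) {
            cfg.load(in);
        }
        return cfg;
    }

    /** Returns the problems found; an empty list means the configuration looks usable. */
    static List<String> check(Properties cfg) {
        List<String> problems = new ArrayList<>();
        String path = cfg.getProperty("PATH");
        if (path == null) {
            problems.add("PATH entry is missing");
        } else {
            File dir = new File(path.trim());
            if (!dir.isDirectory()) {
                problems.add("PATH is not a directory: " + dir
                        + " (a backslash in a properties file must be written as \\\\)");
            } else {
                for (String db : new String[] { "key3.db", "cert7.db" }) {
                    if (!new File(dir, db).isFile()) problems.add(db + " not found in " + dir);
                }
            }
        }
        String className = cfg.getProperty("KEYSTORE_CLASS_NAME");
        if (className == null) {
            problems.add("KEYSTORE_CLASS_NAME entry is missing");
        } else {
            try {
                // initialize=false: resolve the class without running its static initializers,
                // since its name comes from a configuration file and has not been checked yet
                ClassLoader cl = CheckNdbsConfig.class.getClassLoader();
                Class<?> impl = Class.forName(className.trim(), false, cl);
                Class<?> iface = Class.forName(GENERIC_KEYSTORE, false, cl);
                if (!iface.isAssignableFrom(impl)) {
                    problems.add(className + " does not implement " + GENERIC_KEYSTORE);
                }
            } catch (ClassNotFoundException e) {
                problems.add("class not on the classpath: " + e.getMessage());
            }
        }
        return problems;
    }

    /** Value of PATH after Properties parsing of one line exactly as it would appear in the file. */
    static String parsedPath(String line) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(line));
        return p.getProperty("PATH");
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("Usage: java CheckNdbsConfig keystore-configuration-file");
            System.exit(2);
        }
        // The backslash caveat from the file's comments made visible: doubled backslashes
        // survive, single ones are consumed as escapes (\n even turns into a newline).
        System.out.println("PATH=d:\\\\ndbs\\\\doc  ->  " + parsedPath("PATH=d:\\\\ndbs\\\\doc"));
        System.out.println("PATH=d:\\ndbs\\doc    ->  "
                + parsedPath("PATH=d:\\ndbs\\doc").replace("\n", "<newline>"));
        List<String> problems = check(load(new File(args[0])));
        if (problems.isEmpty()) {
            System.out.println("configuration OK");
        } else {
            for (String p : problems) System.out.println("problem: " + p);
            System.exit(1);
        }
    }
}
```

The first two output lines print `d:\ndbs\doc` for the doubled form and `d:<newline>dbsdoc` for the single-backslash form, which is the concrete reason the comments in Tables 8 and 9 insist on `\\`; the class check must run with the NDBS jar (and, for a new implementation such as CSPKeyStore, its jar) on the classpath.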

JavaDoc Documentation

JavaDoc documentation is provided within the downloaded files or from the NDBS 2.0 web site. The main page to the JavaDoc documentation that contains NDBSKeyStore and GenericKeyStore classes is index.html.