
Problem:

  • Product Name: VisiBroker for Java
  • Product Version: All
  • Product Component: Security Service
  • JDK/Compiler Version: All

How to use setPKprincipal() with a plain private key

Resolution:

Inside setPKprincipal(), VisiSecure expects the private key to be either a PKCS#5-encrypted PKCS#8 key or a clear PKCS#8 private key (unencrypted private key).

If a PKCS#5-encrypted PKCS#8 key is used, we only accept the "PBEWithMD5AndDES" algorithm. If the certificates were not generated with a supported algorithm, the user is advised to use an unencrypted private key. This article describes how to use setPKprincipal() with a plain private key in Java.

Please note that the unencrypted private key is NOT supported in VisiBroker C++. The following exception will be thrown if the password passed in is an empty string.

"Pid# 5660 Tim# Mon Sep 07 10:56:36 2009 304000ms Tid# 1136 Src# v_secssl Msg# PKIImportPrivateKey fails, invalid key or wrong password.
Exception: CORBA::BAD_PARAM
Minor: 1447174658
Completion Status: NO"

In this case, the user is advised to use our supported encryption algorithms (which are not described in this article).

In Java, the method setPKPrincipal(byte[][] derCertChain, byte[] privateKey, String passPhrase) is used in the client or the server to set the certificate chain and private key that must be used for the SSL connection. This is the old method of inserting a certificate chain, which exists for backward compatibility. The new and recommended way to add a certificate-chain identity is to construct a CertificateWallet.

An unencrypted private key is only supported in the VisiBroker Java APIs. To use a plain private key, the user should pass a plain string as the password when using the setPKprincipal(...) method. For example, setPKprincipal(certChain, plainPrivateKey.getBytes(), ""). A simple example is attached to illustrate the use of setPKprincipal(...) in this scenario. Please replace the original SecureServer.java file in the example with the attached file.
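
To find out which of the key formats described above a DER-encoded key is in before passing it to setPKprincipal(...), the following added example (not part of the original article and not VisiBroker code) classifies it using only standard JDK classes. The class name Pkcs8Check, the pass phrase and the generated sample keys are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class Pkcs8Check {                                  // hypothetical class name
    static final String ALG = "PBEWithMD5AndDES";          // JCA name of the accepted scheme
    static final String OID = "1.2.840.113549.1.5.3";      // its PKCS#5 object identifier
    /** Classify DER bytes as encrypted PKCS#8 (and with what), clear PKCS#8, or neither. */
    static String classify(byte[] der) {
        try {
            String alg = new EncryptedPrivateKeyInfo(der).getAlgName(); // name or dotted OID
            boolean ok = ALG.equalsIgnoreCase(alg) || OID.equals(alg);
            return "encrypted (" + alg + "): " + (ok ? "accepted" : "not accepted");
        } catch (IOException notEncrypted) { /* fall through to the clear-key test */ }
        for (String type : new String[] {"RSA", "DSA", "EC"}) {
            try {
                KeyFactory.getInstance(type).generatePrivate(new PKCS8EncodedKeySpec(der));
                return "clear PKCS#8 (" + type + "): Java API only";
            } catch (GeneralSecurityException tryNext) { /* wrong key type or not PKCS#8 */ }
        }
        return "not a PKCS#8 private key";
    }

    /** Build a constructed sample: wrap a clear PKCS#8 key with the given PBE scheme. */
    static byte[] wrap(byte[] pkcs8, String pbeAlg, char[] pass) throws Exception {
        SecretKey k = SecretKeyFactory.getInstance(pbeAlg).generateSecret(new PBEKeySpec(pass));
        Cipher c = Cipher.getInstance(pbeAlg);  // fixed salt below is for the sample only
        c.init(Cipher.ENCRYPT_MODE, k, new PBEParameterSpec(new byte[] {1, 2, 3, 4, 5, 6, 7, 8}, 2048));
        return new EncryptedPrivateKeyInfo(c.getParameters(), c.doFinal(pkcs8)).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        byte[] clear = gen.generateKeyPair().getPrivate().getEncoded(); // throwaway test key
        char[] pass = "example-only".toCharArray();                     // constructed value
        System.out.println(classify(clear));
        System.out.println(classify(wrap(clear, "PBEWithMD5AndDES", pass)));
        System.out.println(classify(wrap(clear, "PBEWithSHA1AndDESede", pass)));
    }
}
```

The input must be DER bytes; a PEM file has to be Base64-decoded with its armor lines removed first.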

Author: Guo Yijing

Old KB# 30717
