6 Replies Latest reply: Mar 3, 2011 6:25 PM by safarmer RSS

    Get a private key through the public key


      I would like to know if it is possible to fetch the private key from the keystore in the smartcard, starting from the point of view that we already posess the corresponding public key, that we had when we access the smartcard without prompting for the PIN, since the public key is right that, PUBLIC.
      When we go to list the contents of the smart card, we use the method aliases(), which return a lists of each alias of each item in the smartcard, and these itens can belong to three types: private key, public key or certificate. When we don't enter the PIN, we can only retrieve the public itens, which are the certificates and its corresponding public keys. What I want is, when we have more than one public key in the smarcard, we can get the corresponding private key, given that we already the public key.
      Is there some kind of API like this, being pubKey a variable of the class PublicKey:

      String privKeyAlias = pubKey.getPrivateKeyAlias();

      PrivateKey privKey = keystore.getKey(privKeyAlias);

      I'm tired of dwelling through all of the Java Cryptography API, without success.

      Looking for an answer from someone of you,

      kind regards,
        • 1. Re: Get a private key through the public key
          Even if one can identify the private key using the public key or certificate as an identity, one will still have to provide the PIN.
          • 2. Re: Get a private key through the public key
            Thanks, that is true. But what I want is to get the private key providing the PIN code, using the fact that we already possess the corresponding public key, which was fetched without the need of the PIN, since it is public. I never told above that what I wanted was to get the private key without the PIN. Sorry, my bad (my english is not great stuff)!
            Again, since we already posess the public key, there is a way to get the corresponding private key from the smart card (which is a keystore like any other ...!) ?
            • 3. Re: Get a private key through the public key
              If you could get the private key out without the PIN it would be a major security breach and the device would be completely pointless. So you can't do it.

              And don't think that because you have the public key you have any entitlement to the private key. Anybody has access to the public key. That's what a public key is for.
              • 4. Re: Get a private key through the public key
                If you have already loaded the keystore then you can easily get the Privatekey using getKey(String alias, char[] pass) if the private key is exportable. The standard keystores like JKS will allow you to access the private key like this, however, smart card devices can and most likely will have a restriction on you being able to access the Privatekey even if you have the pass/pin for it. So most likely, you will not be able to access the private key especially if you are using it through the pkcs11 interface.
                • 5. Re: Get a private key through the public key
                  So it's not possible to do such a thing I was thinking for.
                  Thanks for your all replies,
                  best regards,
                  • 6. Re: Get a private key through the public key

                    If you have control over the keys that are being populated in the smart card, you can use a naming scheme that allows you to derive the private key name from the public key. You could have key-x and have aliases key-x-public and key-x-private. Obviously this only works if you have control over key aliases. As the smartcard is essentially a portable PKCS11 token, you may also be able to have a cert, public and private key with the same alias. This would depend on the P11 provider you have for your card. Note that you will not have the actual key, but a handle to the key that the provider/card will use to perform private key crypto operations on the card.

                    Here is an excerpt from my HSM contents:
                    ./ctkmu l -s 14
                    Do you wish to view private (user) objects [y/N]: y
                    Please enter User's PIN for the token in slot 14: 
                    Public and Private Objects:
                    root-ca                          - PUBLIC_KEY      RSA         
                    root-ca                          - PRIVATE_KEY     RSA         
                    root-ca                          - CERTIFICATE     RSA          (trusted)