Symbian3/PDK/Source/GUID-6DF71555-1AB0-5B50-9FEA-E775F3AFEF8B.dita
author Dominic Pinkman <Dominic.Pinkman@Nokia.com>
Tue, 30 Mar 2010 11:56:28 +0100
changeset 5 f345bda72bc4
parent 3 46218c8b8afa
child 14 578be2adaf3e
permissions -rw-r--r--
Week 12 contribution of PDK documentation_content. See release notes for details. Fixes Bug 2054, Bug 1583, Bug 381, Bug 390, Bug 463, Bug 1897, Bug 344, Bug 1319, Bug 394, Bug 1520, Bug 1522, Bug 1892"

<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License 
"Eclipse Public License v1.0" which accompanies this distribution, 
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
    Nokia Corporation - initial contribution.
Contributors: 
-->
<!DOCTYPE concept
  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-6DF71555-1AB0-5B50-9FEA-E775F3AFEF8B" xml:lang="en"><title>Listing
Keystore Contents</title><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>The list command is used to display the content of the key store. It can
be used to display the overall content of all key store implementations, to
display the content of a specific key store implementation, or to display
details about a specific key if we know its label. </p>
<p><b>Listing the content of all key store implementations </b> </p>
<p>To see all the private keys available on the device, use the command: </p>
<p><userinput>keytool -list</userinput> </p>
<p>The output, depending on the actual keys present on the device, will look
similar to: </p>
<codeblock id="GUID-1BCFB869-ABA0-5822-9921-071A6D4BD4A9" xml:space="preserve">Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Store Label: Software key store
gm0 is a 512 bits RSA key 

Store Label: Software key store
gm1 is a 512 bits DSA key 

Store Label: Software key store
Tls RSAKey is a 1024 bits RSA key
</codeblock>
<p>In this case, there are two RSA keys and one DSA key. You can get information
in addition to the above output by using the –details (-d for short) option: </p>
<codeblock id="GUID-08D6C409-938E-56D1-B1A2-C154C1193000" xml:space="preserve">keytool –l –d</codeblock>
<codeblock id="GUID-DB7833DC-E9DE-54F9-B4D3-BAA79BBD5023" xml:space="preserve">keytool –l –d
Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Store Label: Software key store
Version: 1.00      Serial Number: 0      Manufacturer: Nokia Corporation Store Type: Read only
        Algorithm: RSA    Size: 512  bits
        Usage : PKCS15 DecryptSignSignRecover    Code: 0xe 
        Owner : 0x101f7e95 
        User : 0x101f7e95 
        Access flags: Extractable 
        ID: 4d 15 e9 01 c6 ea ff a0 11 57 05 60 f4 ba 0c 0f 58 db ae e7 
        Label: gm0
        Native: Yes 
        Start date: not set    End date: not set
</codeblock>
<p>The following table details the fields that make up the output of the list
command: </p>
<table id="GUID-CBBCDC21-3220-52F5-8C4A-460BCBB26EDC">
<tgroup cols="2"><colspec colname="col0"/><colspec colname="col1"/>
<thead>
<row>
<entry>Output type </entry>
<entry>Description </entry>
</row>
</thead>
<tbody>
<row>
<entry><p>Algorithm </p> </entry>
<entry><p>The algorithm field shows the type of keys available. The valid
values are RSA and DSA. </p> </entry>
</row>
<row>
<entry><p>Size </p> </entry>
<entry><p>The size of the key in bits. For instance, in the example above,
there are three RSA keys with sizes ranging from 512 to 2048 bits. The maximum
allowed key size, as of now, is 2048 bits. </p> </entry>
</row>
<row>
<entry><p>Usage </p> </entry>
<entry><p>The usage attribute specifies the tasks which we can perform with
the given key. Valid values for usage are: </p> <ul>
<li id="GUID-A275AD33-178B-50D8-AE3C-7883E75E0A29"><p>sign and signrecover
for DSA keys </p> </li>
<li id="GUID-894879F1-4764-552A-8570-A5B1DE5C3C4E"><p>sign, signrecover, decrypt
and unwrap for RSA keys </p> </li>
</ul> <p>Usage attributes are set during key import. Attempts to set invalid
usages will result in an error. </p> </entry>
</row>
<row>
<entry><p>Owner </p> </entry>
<entry><p>Each key belongs to a specific UID. This UID represents the owner
of the key. Typically the owner of a key is the application which imported
the key. Only the owner of the key can remove it from the keystore. Additionally
only the owner can set the users of a key. </p> <p>The owner of the key can
be changed by <codeph>writedevicedata</codeph> after it is imported, using <codeph>keytool
-m &lt;keyname&gt;</codeph>. All processes that have <codeph>writedevicedata</codeph> capability
can manipulate the keys. </p> </entry>
</row>
<row>
<entry><p>User </p> </entry>
<entry><p>The user attribute is a list of application UIDs. Each of those
UIDs is allowed to use the key to perform a task allowed by its usage attribute,
for example, sign data, verify a signature, and so on. </p> <p>Each key user
belongs to a specific UID, which is, by default the process owner. It can
be set to <codeph>all</codeph> by using <codeph>keytool –a &lt;keyname&gt;</codeph>. </p> </entry>
</row>
<row>
<entry><p>Access Flags </p> </entry>
<entry><p>Access flags reflect those defined in the PKCS#11 standard. The
values are: </p> <ul>
<li id="GUID-F60CF849-BCB3-5081-80FF-4DCA3D3157C5"><p>1. <codeph>Sensitive</codeph> –
The key can only be exported in encrypted form. A key marked as sensitive
might have been imported either from a cleartext or encrypted source. </p> </li>
<li id="GUID-E96569F6-CD01-56B0-98B4-F905F77B58CF"><p>2. <codeph>Extractable</codeph> –
The key can be exported. </p> </li>
<li id="GUID-D6003F64-DE79-586B-937C-0AC0AD6110A4"><p>3. <codeph>AlwaysSensitive</codeph> –
The key has never existed outside the keystore in unencrypted form. This access
flag is set automatically by the key store. You do not have explicit access
to it. It will be set only if the key has been imported as Sensitive from
an encrypted source. </p> </li>
<li id="GUID-0DCA4585-36AB-5402-9092-6A7C09FD3E1A"><p>4. <codeph>NeverExtractable</codeph> –
The key cannot be exported, and has never existed outside the keystore. This
implies that the key was created on the device. </p> </li>
<li id="GUID-023C2B68-A7EC-5AA4-9428-BF245396B939"><p>5. <codeph>Local</codeph> –
The key was created on the device, rather than being imported. </p> </li>
</ul> <p>The access flag can be set only during import and the only the values <codeph>Sensitive</codeph> and <codeph>Extractable</codeph> are
available to the users. See the section <xref href="GUID-2E02B840-FF86-5535-BA0E-5C4C3B600E9B.dita">Importing
private keys</xref>. </p> </entry>
</row>
<row>
<entry><p>ID </p> </entry>
<entry><p>A unique identifier for the key. It is in hexadecimal format. </p> </entry>
</row>
<row>
<entry><p>Label </p> </entry>
<entry><p>The key label. A human-readable handle for the key. </p> </entry>
</row>
<row>
<entry><p>Native </p> </entry>
<entry><p>Specifies whether cryptographic operations involving the key will
be performed on the cryptographic token or outside it. For instance, a hardware
keystore might provide key storage but no facilities for encryption which
will then be executed outside the token (native is false). This is always
true for the Symbian file key store implementation. </p> </entry>
</row>
<row>
<entry><p>Start and End date </p> </entry>
<entry><p>The period of time when the key is actually valid. The key cannot
be used outside this time frame. </p> </entry>
</row>
</tbody>
</tgroup>
</table>
<p><b>Listing the content of a specific key store implementation </b> </p>
<p>If the content of only a specific key store implementation is required,
the list command can be restricted to that implementation using the –store
option. Suppose the content of the key store implementation with index 0 (see
the section <xref href="GUID-62AE0683-642D-539A-A590-3D8210591BD9.dita">Working
with multiple keystore implementations</xref> for details on how to list the
available key store implementations) is required, you can issue the following
command: </p>
<codeblock id="GUID-87B31B6E-C245-5AEA-A1DC-50CF121F6C4E" xml:space="preserve">keytool –store 0 –list</codeblock>
<p>Depending on the content of the key store implementation with index 0,
output similar to the following is displayed: </p>
<codeblock id="GUID-BBAD731C-7A70-5A22-81E9-7534747ED081" xml:space="preserve">Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
    Algorithm: RSA    Size: 512 bits
    Usage: Pkcs15 Sign     Code: 0x4
    Owner: 0x101f7e95
    User: 0x101f7e95
    Access Flags: Extractable
    ID: …
    Label: rsa1
    Native: Yes
    Start Date: not set     End Data: not set
</codeblock>
<p>If you try to specify a non-existing key store implementation, the following
error will occur: </p>
<codeblock id="GUID-92ADD04D-B22A-55F3-A6F6-3E2747C71B77" xml:space="preserve">Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
The specified keystore implementation does not exist.
Error during list!
Error code KErrArgument.
</codeblock>
<p><b>Displaying information about a specific private key </b> </p>
<p>It is possible to display information about a specific key whose label
is known. This is useful, for instance, when the key store contains a significant
amount of keys and only a particular store's keys are required. For example,
to display information about a key with label “rsa1”, you can issue the command: </p>
<codeblock id="GUID-C954576F-3E5D-52C7-9A67-795B4758769C" xml:space="preserve">keytool –list rsa1 -d</codeblock>
<p>Remember that labels are case sensitive. The output should be similar to: </p>
<codeblock id="GUID-E68F9B25-44F1-5263-A1AE-667129A73C03" xml:space="preserve">Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
    Algorithm: RSA    Size: 512 bits
    Usage: Pkcs15 Sign     Code: 0x4
    Owner: 0x101f7e95
    User: 0x101f7e95
    Access Flags: Extractable
    ID: …
    Label: rsa1
    Native: Yes
    Start Date: not set     End Data: not set
</codeblock>
<p>If no key in the key store corresponds to the given label, the following
error will occur: </p>
<codeblock id="GUID-28F8EA88-1F84-505B-8863-977A8FDA0632" xml:space="preserve">Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Cannot find the specified key.
</codeblock>
<p><b>Wildcards </b> </p>
<p>The list commands supports wildcards (“*” and “?”) on key labels. For instance
the following command lists information about all keys whose label contains
the string “dsa”: </p>
<p><userinput>c:\&gt;keytool –l *dsa*</userinput> </p>
<table id="GUID-6B2F1F3B-A301-5D0A-923A-CA6D9B04A1C1">
<tgroup cols="3"><colspec colname="col0"/><colspec colname="col1"/><colspec colname="col2"/>
<thead>
<row>
<entry>Internal name</entry>
<entry>Algorithm</entry>
<entry>Key size</entry>
</row>
</thead>
<tbody>
<row>
<entry><p> <codeph>ECipherDES_CBC</codeph>  </p> </entry>
<entry><p> <codeph>DES</codeph>  </p> </entry>
<entry><p> <codeph>64 bits</codeph>  </p> </entry>
</row>
<row>
<entry><p> <codeph>ECipher3DES_CBC</codeph>  </p> </entry>
<entry><p> <codeph>Triple DES</codeph>  </p> </entry>
<entry><p> <codeph>192 bits</codeph>  </p> </entry>
</row>
<row>
<entry><p> <codeph>ECipherRC2_CBC_40</codeph>  </p> </entry>
<entry><p> <codeph>RC2</codeph>  </p> </entry>
<entry><p> <codeph>Effective key length 1024 bits</codeph>  </p> </entry>
</row>
<row>
<entry><p> <codeph>ECipherRC2_CBC_128</codeph>  </p> </entry>
<entry><p> <codeph>RC2</codeph>  </p> </entry>
<entry><p> <codeph>Effective key length 1024 bits</codeph>  </p> </entry>
</row>
<row>
<entry><p> <codeph>ECipherRC2_CBC_40_16</codeph>  </p> </entry>
<entry><p> <codeph>RC2</codeph>  </p> </entry>
<entry><p> <codeph>Effective key length 128 bits</codeph>  </p> </entry>
</row>
<row>
<entry><p> <codeph>ECipherRC2_CBC_128_16</codeph>  </p> </entry>
<entry><p> <codeph>RC2</codeph>  </p> </entry>
<entry><p> <codeph>Effective key length 128 bits</codeph>  </p> </entry>
</row>
</tbody>
</tgroup>
</table></conbody><related-links>
<link href="GUID-E90A22C7-0AD7-55C4-83BB-165E1AA1E296.dita"><linktext>Removing
Keys</linktext></link>
</related-links></concept>