diff -r 4816d766a08a -r f345bda72bc4 Symbian3/PDK/Source/GUID-6DF71555-1AB0-5B50-9FEA-E775F3AFEF8B.dita --- a/Symbian3/PDK/Source/GUID-6DF71555-1AB0-5B50-9FEA-E775F3AFEF8B.dita Tue Mar 30 11:42:04 2010 +0100 +++ b/Symbian3/PDK/Source/GUID-6DF71555-1AB0-5B50-9FEA-E775F3AFEF8B.dita Tue Mar 30 11:56:28 2010 +0100 @@ -1,256 +1,256 @@ - - - - - -Listing -Keystore Contents -

The list command is used to display the content of the key store. It can -be used to display the overall content of all key store implementations, to -display the content of a specific key store implementation, or to display -details about a specific key if we know its label.

-

Listing the content of all key store implementations

-

To see all the private keys available on the device, use the command:

-

keytool -list

-

The output, depending on the actual keys present on the device, will look -similar to:

-Symbian OS KeyStore Manipulation Tool -Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. -Store Label: Software key store -gm0 is a 512 bits RSA key - -Store Label: Software key store -gm1 is a 512 bits DSA key - -Store Label: Software key store -Tls RSAKey is a 1024 bits RSA key - -

In this case, there are two RSA keys and one DSA key. You can get information -in addition to the above output by using the –details (-d for short) option:

-keytool –l –d -keytool –l –d -Symbian OS KeyStore Manipulation Tool -Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. -Store Label: Software key store -Version: 1.00 Serial Number: 0 Manufacturer: Nokia Corporation Store Type: Read only - Algorithm: RSA Size: 512 bits - Usage : PKCS15 DecryptSignSignRecover Code: 0xe - Owner : 0x101f7e95 - User : 0x101f7e95 - Access flags: Extractable - ID: 4d 15 e9 01 c6 ea ff a0 11 57 05 60 f4 ba 0c 0f 58 db ae e7 - Label: gm0 - Native: Yes - Start date: not set End date: not set - -

The following table details the fields that make up the output of the list -command:

- - - - -Output type -Description - - - - -

Algorithm

-

The algorithm field shows the type of keys available. The valid -values are RSA and DSA.

-
- -

Size

-

The size of the key in bits. For instance, in the example above, -there are three RSA keys with sizes ranging from 512 to 2048 bits. The maximum -allowed key size, as of now, is 2048 bits.

-
- -

Usage

-

The usage attribute specifies the tasks which we can perform with -the given key. Valid values for usage are:

    -
  • sign and signrecover -for DSA keys

  • -
  • sign, signrecover, decrypt -and unwrap for RSA keys

  • -

Usage attributes are set during key import. Attempts to set invalid -usages will result in an error.

-
- -

Owner

-

Each key belongs to a specific UID. This UID represents the owner -of the key. Typically the owner of a key is the application which imported -the key. Only the owner of the key can remove it from the keystore. Additionally -only the owner can set the users of a key.

The owner of the key can -be changed by writedevicedata after it is imported, using keytool --m <keyname>. All processes that have writedevicedata capability -can manipulate the keys.

-
- -

User

-

The user attribute is a list of application UIDs. Each of those -UIDs is allowed to use the key to perform a task allowed by its usage attribute, -for example, sign data, verify a signature, and so on.

Each key user -belongs to a specific UID, which is, by default the process owner. It can -be set to all by using keytool –a <keyname>.

-
- -

Access Flags

-

Access flags reflect those defined in the PKCS#11 standard. The -values are:

    -
  • 1. Sensitive – -The key can only be exported in encrypted form. A key marked as sensitive -might have been imported either from a cleartext or encrypted source.

  • -
  • 2. Extractable – -The key can be exported.

  • -
  • 3. AlwaysSensitive – -The key has never existed outside the keystore in unencrypted form. This access -flag is set automatically by the key store. You do not have explicit access -to it. It will be set only if the key has been imported as Sensitive from -an encrypted source.

  • -
  • 4. NeverExtractable – -The key cannot be exported, and has never existed outside the keystore. This -implies that the key was created on the device.

  • -
  • 5. Local – -The key was created on the device, rather than being imported.

  • -

The access flag can be set only during import and the only the values Sensitive and Extractable are -available to the users. See the section Importing -private keys.

-
- -

ID

-

A unique identifier for the key. It is in hexadecimal format.

-
- -

Label

-

The key label. A human-readable handle for the key.

-
- -

Native

-

Specifies whether cryptographic operations involving the key will -be performed on the cryptographic token or outside it. For instance, a hardware -keystore might provide key storage but no facilities for encryption which -will then be executed outside the token (native is false). This is always -true for the Symbian file key store implementation.

-
- -

Start and End date

-

The period of time when the key is actually valid. The key cannot -be used outside this time frame.

-
- - -
-

Listing the content of a specific key store implementation

-

If the content of only a specific key store implementation is required, -the list command can be restricted to that implementation using the –store -option. Suppose the content of the key store implementation with index 0 (see -the section Working -with multiple keystore implementations for details on how to list the -available key store implementations) is required, you can issue the following -command:

-keytool –store 0 –list -

Depending on the content of the key store implementation with index 0, -output similar to the following is displayed:

-Symbian OS KeyStore Manipulation Tool -Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. - Algorithm: RSA Size: 512 bits - Usage: Pkcs15 Sign Code: 0x4 - Owner: 0x101f7e95 - User: 0x101f7e95 - Access Flags: Extractable - ID: … - Label: rsa1 - Native: Yes - Start Date: not set End Data: not set - -

If you try to specify a non-existing key store implementation, the following -error will occur:

-Symbian OS KeyStore Manipulation Tool -Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. -The specified keystore implementation does not exist. -Error during list! -Error code KErrArgument. - -

Displaying information about a specific private key

-

It is possible to display information about a specific key whose label -is known. This is useful, for instance, when the key store contains a significant -amount of keys and only a particular store's keys are required. For example, -to display information about a key with label “rsa1”, you can issue the command:

-keytool –list rsa1 -d -

Remember that labels are case sensitive. The output should be similar to:

-Symbian OS KeyStore Manipulation Tool -Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. - Algorithm: RSA Size: 512 bits - Usage: Pkcs15 Sign Code: 0x4 - Owner: 0x101f7e95 - User: 0x101f7e95 - Access Flags: Extractable - ID: … - Label: rsa1 - Native: Yes - Start Date: not set End Data: not set - -

If no key in the key store corresponds to the given label, the following -error will occur:

-Symbian OS KeyStore Manipulation Tool -Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. -Cannot find the specified key. - -

Wildcards

-

The list commands supports wildcards (“*” and “?”) on key labels. For instance -the following command lists information about all keys whose label contains -the string “dsa”:

-

c:\>keytool –l *dsa*

- - - - -Internal name -Algorithm -Key size - - - - -

ECipherDES_CBC

-

DES

-

64 bits

-
- -

ECipher3DES_CBC

-

Triple DES

-

192 bits

-
- -

ECipherRC2_CBC_40

-

RC2

-

Effective key length 1024 bits

-
- -

ECipherRC2_CBC_128

-

RC2

-

Effective key length 1024 bits

-
- -

ECipherRC2_CBC_40_16

-

RC2

-

Effective key length 128 bits

-
- -

ECipherRC2_CBC_128_16

-

RC2

-

Effective key length 128 bits

-
- - -
-Removing -Keys + + + + + +Listing +Keystore Contents +

The list command is used to display the content of the key store. It can +be used to display the overall content of all key store implementations, to +display the content of a specific key store implementation, or to display +details about a specific key if we know its label.

+

Listing the content of all key store implementations

+

To see all the private keys available on the device, use the command:

+

keytool -list

+

The output, depending on the actual keys present on the device, will look +similar to:

+Symbian KeyStore Manipulation Tool +Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. +Store Label: Software key store +gm0 is a 512 bits RSA key + +Store Label: Software key store +gm1 is a 512 bits DSA key + +Store Label: Software key store +Tls RSAKey is a 1024 bits RSA key + +

In this case, there are two RSA keys and one DSA key. You can get information +in addition to the above output by using the –details (-d for short) option:

+keytool –l –d +keytool –l –d +Symbian KeyStore Manipulation Tool +Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. +Store Label: Software key store +Version: 1.00 Serial Number: 0 Manufacturer: Nokia Corporation Store Type: Read only + Algorithm: RSA Size: 512 bits + Usage : PKCS15 DecryptSignSignRecover Code: 0xe + Owner : 0x101f7e95 + User : 0x101f7e95 + Access flags: Extractable + ID: 4d 15 e9 01 c6 ea ff a0 11 57 05 60 f4 ba 0c 0f 58 db ae e7 + Label: gm0 + Native: Yes + Start date: not set End date: not set + +

The following table details the fields that make up the output of the list +command:

+ + + + +Output type +Description + + + + +

Algorithm

+

The algorithm field shows the type of keys available. The valid +values are RSA and DSA.

+
+ +

Size

+

The size of the key in bits. For instance, in the example above, +there are three RSA keys with sizes ranging from 512 to 2048 bits. The maximum +allowed key size, as of now, is 2048 bits.

+
+ +

Usage

+

The usage attribute specifies the tasks which we can perform with +the given key. Valid values for usage are:

    +
  • sign and signrecover +for DSA keys

  • +
  • sign, signrecover, decrypt +and unwrap for RSA keys

  • +

Usage attributes are set during key import. Attempts to set invalid +usages will result in an error.

+
+ +

Owner

+

Each key belongs to a specific UID. This UID represents the owner +of the key. Typically the owner of a key is the application which imported +the key. Only the owner of the key can remove it from the keystore. Additionally +only the owner can set the users of a key.

The owner of the key can +be changed by writedevicedata after it is imported, using keytool +-m <keyname>. All processes that have writedevicedata capability +can manipulate the keys.

+
+ +

User

+

The user attribute is a list of application UIDs. Each of those +UIDs is allowed to use the key to perform a task allowed by its usage attribute, +for example, sign data, verify a signature, and so on.

Each key user +belongs to a specific UID, which is, by default the process owner. It can +be set to all by using keytool –a <keyname>.

+
+ +

Access Flags

+

Access flags reflect those defined in the PKCS#11 standard. The +values are:

    +
  • 1. Sensitive – +The key can only be exported in encrypted form. A key marked as sensitive +might have been imported either from a cleartext or encrypted source.

  • +
  • 2. Extractable – +The key can be exported.

  • +
  • 3. AlwaysSensitive – +The key has never existed outside the keystore in unencrypted form. This access +flag is set automatically by the key store. You do not have explicit access +to it. It will be set only if the key has been imported as Sensitive from +an encrypted source.

  • +
  • 4. NeverExtractable – +The key cannot be exported, and has never existed outside the keystore. This +implies that the key was created on the device.

  • +
  • 5. Local – +The key was created on the device, rather than being imported.

  • +

The access flag can be set only during import and the only the values Sensitive and Extractable are +available to the users. See the section Importing +private keys.

+
+ +

ID

+

A unique identifier for the key. It is in hexadecimal format.

+
+ +

Label

+

The key label. A human-readable handle for the key.

+
+ +

Native

+

Specifies whether cryptographic operations involving the key will +be performed on the cryptographic token or outside it. For instance, a hardware +keystore might provide key storage but no facilities for encryption which +will then be executed outside the token (native is false). This is always +true for the Symbian file key store implementation.

+
+ +

Start and End date

+

The period of time when the key is actually valid. The key cannot +be used outside this time frame.

+
+ + +
+

Listing the content of a specific key store implementation

+

If the content of only a specific key store implementation is required, +the list command can be restricted to that implementation using the –store +option. Suppose the content of the key store implementation with index 0 (see +the section Working +with multiple keystore implementations for details on how to list the +available key store implementations) is required, you can issue the following +command:

+keytool –store 0 –list +

Depending on the content of the key store implementation with index 0, +output similar to the following is displayed:

+Symbian KeyStore Manipulation Tool +Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. + Algorithm: RSA Size: 512 bits + Usage: Pkcs15 Sign Code: 0x4 + Owner: 0x101f7e95 + User: 0x101f7e95 + Access Flags: Extractable + ID: … + Label: rsa1 + Native: Yes + Start Date: not set End Data: not set + +

If you try to specify a non-existing key store implementation, the following +error will occur:

+Symbian KeyStore Manipulation Tool +Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. +The specified keystore implementation does not exist. +Error during list! +Error code KErrArgument. + +

Displaying information about a specific private key

+

It is possible to display information about a specific key whose label +is known. This is useful, for instance, when the key store contains a significant +amount of keys and only a particular store's keys are required. For example, +to display information about a key with label “rsa1”, you can issue the command:

+keytool –list rsa1 -d +

Remember that labels are case sensitive. The output should be similar to:

+Symbian KeyStore Manipulation Tool +Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. + Algorithm: RSA Size: 512 bits + Usage: Pkcs15 Sign Code: 0x4 + Owner: 0x101f7e95 + User: 0x101f7e95 + Access Flags: Extractable + ID: … + Label: rsa1 + Native: Yes + Start Date: not set End Data: not set + +

If no key in the key store corresponds to the given label, the following +error will occur:

+Symbian KeyStore Manipulation Tool +Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. +Cannot find the specified key. + +

Wildcards

+

The list commands supports wildcards (“*” and “?”) on key labels. For instance +the following command lists information about all keys whose label contains +the string “dsa”:

+

c:\>keytool –l *dsa*

+ + + + +Internal name +Algorithm +Key size + + + + +

ECipherDES_CBC

+

DES

+

64 bits

+
+ +

ECipher3DES_CBC

+

Triple DES

+

192 bits

+
+ +

ECipherRC2_CBC_40

+

RC2

+

Effective key length 1024 bits

+
+ +

ECipherRC2_CBC_128

+

RC2

+

Effective key length 1024 bits

+
+ +

ECipherRC2_CBC_40_16

+

RC2

+

Effective key length 128 bits

+
+ +

ECipherRC2_CBC_128_16

+

RC2

+

Effective key length 128 bits

+
+ + +
+Removing +Keys
\ No newline at end of file
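Review bot: the only substantive change here is the banner rename from "Symbian OS KeyStore Manipulation Tool" to "Symbian KeyStore Manipulation Tool" in the six sample-output blocks, yet the hunk removes and re-adds all 256 lines of the file (@@ -1,256 +1,256 @@), which buries that edit and re-commits every other defect in the topic verbatim; please regenerate this as a minimal diff touching only the banner lines, and fix the following in a separate content commit. The Size row claims "there are three RSA keys with sizes ranging from 512 to 2048 bits" while the example it refers to lists two RSA keys (512 and 1024 bits) and one DSA key, so the description and the sample disagree. The Owner row states "Only the owner of the key can remove it from the keystore" and two sentences later "All processes that have writedevicedata capability can manipulate the keys"; these contradict each other on the one access-control question a reader will actually rely on, and the row should say explicitly whether a WriteDeviceData-capable non-owner can remove or re-own a key. The Wildcards section ends at "c:\>keytool –l *dsa*" with no sample output and is followed by a table of symmetric cipher identifiers (ECipherDES_CBC, ECipher3DES_CBC, ECipherRC2_CBC_*) that has nothing to do with listing private keys; it looks like content from another topic and should be moved or dropped. Smaller points: every option is written with an en dash ("–list", "–store 0", "–l –d") rather than an ASCII hyphen, so the commands fail when copied from the page; "keytool –l –d" is printed twice at the top of its output block; "End Data: not set" in the three detailed listings should read "End Date"; and "the only the values Sensitive and Extractable" drops a word.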