PersistableRIMKeyStore usage


I need to save some generated RSA keys across device reboots. I presume this needs to be done with the PersistableRIMKeyStore class, but I have been unable to find any code samples explaining how to do this. Particular points I don't understand are the requirement that the simplest constructor for this class requires a CodeSigningKey object and a PersistableRIMKeyStoreFactory object.

I presume the CodeSigningKey should be something I personally create to ensure only my application can access this keystore. Are instructions available for how to generate this key?

As for the factory, I see this is an interface which requires me to implement a method createInstance() - but the documentation is fairly unclear on what this actually needs to do, apart from on a very abstract level.

If anyone could provide guidance or code samples for how to do this that would be much appreciated. The idea crossed my mind of just using the normal persistentStore in conjunction with ControlledAccess, but presumably the existence of the KeyStore classes is because the normal persistent store is not a secure enough place to store keys?

Edit: after some searching I found this: http://www.blackberry.com/developers/docs/4.3.0api/net/rim/device/api/crypto/doc-files/Tutorial_KeyStore.html but it seems to contain a number of mistakes (what looks like syntactically invalid Java in places, and also says to use a get() method which doesn't appear to exist) and doesn't make things much clearer. I've also found the TrustedKeyStore class, I'm not sure if I want to use that as opposed to PersistableRIMKeyStore for my purposes (basically I'm generating a large RSA key, generating it on each run of the program will take far too long, so I want to generate it on first run and then store it in NV storage, loading it out on each launch of the application). The fact that I'm generating the keys locally means I obviously consider them trusted.

Message Edited by malcolm on 09-03-2008 10:27 AM

Re: PersistableRIMKeyStore usage

Malcolm,

There are several much easier solutions for you in this case that do not require you to create your own keystore. The concept behind the PersistableRIMKeyStore was really for people who wanted to write their own keystore on the device and could use the existing implementation to reduce the complexity. There is a common instantiation of the SyncableRIMKeyStore (which extends the Persistent one) that you could use with very little effort called the DeviceKeyStore. You can simply add or remove your keys from there.

Note that the user would be prompted for their keystore password when you placed the key in the store and also on subsequent attempts to access the contents of the keystore depending on the security level of the key. This is the same keystore that the device uses when synchronizing keys/certificates using the Desktop Manager program.

Another option is to simply create and persist the key itself on the device. You could leverage the Signing Authority product to secure that persistent store in your application without using the KeyStore at all. This leaves you open to a very sophisticated attacker (someone who can read the flash on the device using hardware) so it is best to consider the risks you have to counter.

Mike Kirkup
Director, Developer Relations

Re: PersistableRIMKeyStore usage


mkirkup wrote:

Another option is to simply create and persist the key itself on the device. You could leverage the Signing Authority product to secure that persistent store in your application without using the KeyStore at all. This leaves you open to a very sophisticated attacker (someone who can read the flash on the device using hardware) so it is best to consider the risks you have to counter.

I think this sounds like the best solution, at least for the moment. I take it this requires generating a fourth key to go with the RRT, RCR and RBB keys we already have, signing the application with that, and then just placing the keys in normal persistent storage using a ControlledAccess object? That certainly looks simple enough from the API specs. Are there instructions somewhere to generate a key in the right format?


Re: PersistableRIMKeyStore usage

Correct. There is documentation on how to set this up in the Signing Authority Administrator guide which will generate a .key file for you. You would then add it to your project in the JDE and you are off to the races.

Mike Kirkup
Director, Developer Relations
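
The approach confirmed in the reply above (the key kept in the ordinary persistent store, wrapped in a ControlledAccess object tied to your own signing key), as an added example that is not part of the thread or of RIM's documentation. The class name, the store ID and the signer name "ACME" are placeholders, and the RSA key is assumed to be already encoded as a byte array by the caller.

```java
import net.rim.device.api.system.ApplicationDescriptor;
import net.rim.device.api.system.CodeSigningKey;
import net.rim.device.api.system.ControlledAccess;
import net.rim.device.api.system.PersistentObject;
import net.rim.device.api.system.PersistentStore;

/** Keeps one encoded private key in the persistent store, wrapped so that
 *  only code signed with the same Signing Authority .key file can read it. */
public final class ProtectedKeyStorage {
    // Constructed store ID (placeholder): any long unique to your application.
    private static final long STORE_ID = 0x5a1c0de4b1d3f00dL;
    // Placeholder: the name of the .key file added to the JDE project.
    private static final String SIGNER_NAME = "ACME";

    private static CodeSigningKey signingKey() {
        int module = ApplicationDescriptor.currentApplicationDescriptor().getModuleHandle();
        CodeSigningKey key = CodeSigningKey.get(module, SIGNER_NAME);
        if (key == null) {
            // Defensive check: fail rather than store the key without protection.
            throw new IllegalStateException("no code signing key named " + SIGNER_NAME);
        }
        return key;
    }

    /** First run: call once after the RSA key pair has been generated. */
    public static void save(byte[] encodedKey) {
        PersistentObject po = PersistentStore.getPersistentObject(STORE_ID);
        synchronized (po) {
            // The wrapper is what restricts later reads to the signer.
            po.setContents(new ControlledAccess(encodedKey, signingKey()));
            po.commit();
        }
    }

    /** Later launches: returns null when nothing has been stored yet. */
    public static byte[] load() {
        PersistentObject po = PersistentStore.getPersistentObject(STORE_ID);
        synchronized (po) {
            // Passing the signing key unwraps the ControlledAccess object.
            return (byte[]) po.getContents(signingKey());
        }
    }
}
```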

Re: PersistableRIMKeyStore usage

Hi,

I've already saved my keys and certificates in a DeviceKeyStore, but I don't know how to recover them to sign or do another operation. Can you give me an example of how to recover the keys or any information that I've already saved before in the DeviceKeyStore?

Thanks


Re: PersistableRIMKeyStore usage

Do you mean you have lost your .key file or that you are trying to read a persistent store that was created using your key? The .key file should be backed up from your PC, not from the BlackBerry.

Mark Sohm
BlackBerry Development Advisor

Please refrain from posting new questions in solved threads.
Problem solved? Click the Accept As Solution button.

Re: PersistableRIMKeyStore usage

Yes, I'm trying to read a persistent store that was created using my key. I need to sign a file using the key that I saved before in the persistent store (in this case, the DeviceKeyStore). But I don't know how to read it. I appreciate your help in this issue.


Re: PersistableRIMKeyStore usage

Please refer to the sample code in the JavaDocs for the ControlledAccess class for an example.
Mark Sohm
BlackBerry Development Advisor


Re: PersistableRIMKeyStore usage

Hi,

I am trying to develop an app which tries to install certs OTA for BlackBerry.

I used the keystore.set method, obtaining a ticket of the device key store, and added certificates to the device. But even the root certificate is showing a red cross mark. I do not want to go and explicitly trust the certificate from the main menu. Is there any way I can add the root certificate to the trusted key store or mark it trusted from the code itself?

I need this by end of Wednesday. Can anyone help?

Thanks

Pankaj soni