PKI KRA Key Retrieve Java API - dogtagpki/pki GitHub Wiki
To retrieve a key with custom security parameters, prepare the input parameters:
```java
// generate session key
SymmetricKey sessionKey = crypto.generateSessionKey();

// wrap session key with transport key
byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert);
```
Then prepare a request using the retrieval template, for example:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyRecoveryRequest>
    <Attributes>
        <Attribute name="keyId">1</Attribute>
        <Attribute name="requestId">5</Attribute>
        <Attribute name="transWrappedSessionKey">TsfE72b0JkJRYUUyr7JgQeNzsl8KobsMAROvOg51LBIyAvZxBSx122qmbsygW3Y6
 fk2IJRnWijtY+YyiiK/1pMocFLQzONE7O+EWyYqq2oK/zPQrja3ACB9MnG0SojKd
 JN3QBs1IJhRa5ZbeZnvzvegwOCABWBWt1qgx7BnSjG+lSYehEcOMYkEWw4lMJtOb
 xa7i767J4a/6sRD+rWRKSWfwteu74m9dIWH947SHnbOnbZs7uvrhi05+5WJGaw4n
 Vwuzn/YYfl7iG4VOaZnlIM83EHq38J6pzcM+JBMFPaXHl2V5yTXQnOO+QZ1lzBnj
 Sv3ZrNGRYd3AbdyiHyinHQ==
</Attribute>
    </Attributes>
    <ClassName>com.netscape.certsrv.key.KeyRecoveryRequest</ClassName>
</KeyRecoveryRequest>
```
Then submit the request using the following command:
```
$ pki -n caadmin kra-key-retrieve --input retrieveKey.xml
```
The result will be returned in the following format:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyData>
    <wrappedPrivateData>akXd9bqRYzYV6b9yAMNDKx7s2HsM2xA88Pxrk9FTp3qBXk56fkoCMjdbfHqCKwOS
 By/UW5sG7e9HARGVhTArwFQQNNncxlf56jS8rdYJTq9/iltm1Yr+f3ZzoABXylvx
 a8ErmOQU7j3hsAqH5FZOjG2I8x3ainI2dXTzZdJLaTxmM+cOyXPc/KdQxJNALt6B
 5++ChmR6Lu33wgADh8UB834/5xlqMGsUczeEN1/eUqZ5/bxisa3XxP41pqsX1od3
 ZXIzDsPJ2vvusB98qRtEQl5ul3lgX6xXaaeOLHZFkKBpRchjX9PtYMyIBbpnRP6U
 GdawPc/+8yLywniUHUMwChlbt351d1cTbX/LQE0Z+nzR1JyQVHIRlsV5RBv8CDCl
 ygGG5lNKKXnZQJbO+I0Ft9t2MPu5BG28XEUxozuaS3xKPVEHIeWZ6M/JT4y6Q/5I
 OP1dYxm7DqWQQnenoSi/CQLS+JFWVM7EQt5EG3xtQLJmmAgcyitbCWlvmHhvfmkG
 oNa9lvz68mYAuRBs3xplnMr7nw9pE6hZaqq88b070/1rN0/Vcm69cZAIsZ738dUz
 4gR8Mc/JrdLcXVk8Ro3pqqKQrqu4Bn5Vm3xZEA+QQkJrv4XRgGfBk0K8R0csTSCf
 IeVUxiy4ltpJJibjf78IiYV/2f4B+gof1xvfNrHjNHq4GVUmuEWsmDFAujhFDTqM
 OsN4h1N1L8WspzXh9+2Zu4rkTBtOSO/WtRjsqg06FaHLSg8EdXYyvNNqO5jMb3Ed
 6LhdP5igErbR78kkD1TYjSYFlO2JXEjgcMfh8mkTS548sMn4eJL6oHnTQTGAe1fY
 uxXGIRjgvBBdQ+TSqFC0bA==
</wrappedPrivateData>
    <nonceData>BXrXnCzYYvc=
</nonceData>
    <algorithm>RSA</algorithm>
    <size>1024</size>
</KeyData>
```
The key can be decrypted as follows:
```java
// unwrap key with session key
byte[] key = crypto.unwrapWithSessionKey(wrappedPrivateData, sessionKey, KeyRequestResource.DES3_ALGORITHM, nonce);
```
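
The retrieval exchange above, traced end to end as an added example (not code from the Dogtag project): it uses only the JDK's JCA classes instead of the `crypto` provider shown on this page, and simulates the KRA side locally. It assumes RSA PKCS#1 v1.5 for wrapping the session key and `DESede/CBC/PKCS5Padding` with the nonce as the IV; the class name, the transport key pair and the archived secret are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class KraRetrieveRoundTrip {
    public static void main(String[] args) throws Exception {
        // MIME codecs: the XML fields carry base64 with embedded line breaks,
        // which the basic decoder rejects with IllegalArgumentException.
        Base64.Encoder enc = Base64.getMimeEncoder();
        Base64.Decoder dec = Base64.getMimeDecoder();

        // Constructed stand-in for the KRA transport key pair (a real client holds only the cert).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair transport = kpg.generateKeyPair();

        // Client: generate the session key and wrap it with the transport public key.
        SecretKey sessionKey = KeyGenerator.getInstance("DESede").generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.WRAP_MODE, transport.getPublic());
        String transWrappedSessionKey = enc.encodeToString(rsa.wrap(sessionKey));

        // KRA (simulated): unwrap the session key, encrypt the archived secret under a fresh nonce.
        rsa.init(Cipher.UNWRAP_MODE, transport.getPrivate());
        SecretKey kraKey = (SecretKey) rsa.unwrap(dec.decode(transWrappedSessionKey), "DESede", Cipher.SECRET_KEY);
        byte[] archived = "constructed archived secret".getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[8]; // DES3 block size, same length as the decoded nonceData above
        new SecureRandom().nextBytes(iv);
        Cipher des3 = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        des3.init(Cipher.ENCRYPT_MODE, kraKey, new IvParameterSpec(iv));
        String wrappedPrivateData = enc.encodeToString(des3.doFinal(archived));
        String nonceData = enc.encodeToString(iv);

        // Client: decode the KeyData fields, check the nonce, decrypt with the session key.
        byte[] nonce = dec.decode(nonceData);
        if (nonce.length != 8) throw new GeneralSecurityException("unexpected nonce length");
        des3.init(Cipher.DECRYPT_MODE, sessionKey, new IvParameterSpec(nonce));
        byte[] key = des3.doFinal(dec.decode(wrappedPrivateData));
        try {
            if (!Arrays.equals(key, archived)) throw new IllegalStateException("round trip failed");
            System.out.println("recovered " + key.length + " bytes");
        } finally {
            Arrays.fill(key, (byte) 0); // do not leave recovered key material in memory
        }
    }
}
```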