There is a method on KeyStoreSPI: engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) which should be used for storing already protected keys.

I don't understand how the key, that has already been protected before it hits my implementation, can be unprotected within my implementation such that the Key engineGetKey(String alias, char[] password) would work.

Is there a standard "key cipher/encipher" algorithm implementation somewhere that I've missed?