On Tue, 2019-06-04 at 23:33 +0200, Michael Osipov wrote:
> Folks,
>
> I am trying to perform TLS auth with a PKCS12 and Windows-MY keystores
> with HttpClient 4.5.6 + Java 8, Update 212.
>
> While with the .p12 (contains one key and its cert) file everything
> goes smoothly and fast, I am having trouble with Windows-MY on Windows 7
> with my smartcard.
> Loading the store with KeyStore.getInstance("Windows-MY", "SunMSCAPI")
> takes very long (compared to PKCS12).
>
> Another issue is the alias selection. While PKCS12 works just with:
> > SSLContext sslContext =
> >     SSLContexts.custom().loadKeyMaterial(keyStore, null).build();
>
> Windows-MY just won't. I had to fiddle and search until I came up with
> selecting the key myself:
> > SSLContext sslContext =
> >     SSLContexts.custom().loadKeyMaterial(keyStore, null, new PrivateKeyStrategy() {
> >         @Override
> >         public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
> >             for (String alias : aliases.keySet()) {
> >                 PrivateKeyDetails privateKeyDetails = aliases.get(alias);
> >                 for (X509Certificate certificate : privateKeyDetails.getCertChain()) {
> >                     try {
> >                         certificate.checkValidity();
> >                         List<String> extKeyUsage = certificate.getExtendedKeyUsage();
> >                         // 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth
> >                         if (extKeyUsage != null && extKeyUsage.contains("1.3.6.1.5.5.7.3.2"))
> >                             return alias;
> >                     } catch (CertificateExpiredException
> >                             | CertificateNotYetValidException
> >                             | CertificateParsingException e) {
> >                         continue;
> >                     }
> >                 }
> >             }
> >
> >             return null;
> >         }
> >     }).build();
>
> I am quite certain that this is not HttpClient-related, but purely a
> provider issue, especially because I have found this [1] answer by
> Oleg.
>
> Maybe someone can share experience?! Can't this be easier?
> Is this better suited for security-dev@openjdk?
>
Hi Michael,
I am not sure if I personally can be of any help here. I do not have
any experience with Windows-MY. Indeed, security-dev@openjdk might be a better
place to seek assistance in this matter.
If you have any idea how to improve Windows-MY support, the httpclient-win
module would be a good place for it.
Oleg
> Michael
>
> [1] https://stackoverflow.com/a/37775765/696632
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
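The alias selection Michael describes, written out as a reusable PrivateKeyStrategy (an added example for this thread, not code from Michael, Oleg or the HttpClient project). It uses the real org.apache.http.ssl API of httpcore 4.4 (PrivateKeyStrategy, PrivateKeyDetails, SSLContexts) and the id-kp-clientAuth OID from the original message. It goes slightly beyond the posted snippet: it only inspects the leaf certificate (chain[0]) rather than every cert in the chain, also accepts anyExtendedKeyUsage (2.5.29.37.0, RFC 5280), and when several smartcard entries qualify it picks the one that expires last. The injectable `now` and the main() that opens Windows-MY are assumptions for illustration.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;

/**
 * Chooses which Windows-MY entry presents itself as the TLS client identity.
 * A candidate is usable only if its leaf certificate is valid at "now" and
 * carries id-kp-clientAuth (or anyExtendedKeyUsage); among usable candidates
 * the one with the latest notAfter wins, so a renewed card cert beats a stale one.
 */
public final class ClientAuthAliasStrategy implements PrivateKeyStrategy {

    private static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // RFC 5280
    private static final String ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0";  // RFC 5280

    private final Date now; // injectable reference time (assumption: eases offline testing)

    public ClientAuthAliasStrategy() {
        this(new Date());
    }

    ClientAuthAliasStrategy(Date now) {
        this.now = now;
    }

    @Override
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        String bestAlias = null;
        Date bestNotAfter = null;
        for (Map.Entry<String, PrivateKeyDetails> entry : aliases.entrySet()) {
            X509Certificate[] chain = entry.getValue().getCertChain();
            if (chain == null || chain.length == 0) {
                continue; // key without a certificate cannot authenticate us
            }
            X509Certificate leaf = chain[0]; // end-entity cert comes first in the chain
            if (!usableForClientAuth(leaf)) {
                continue;
            }
            if (bestNotAfter == null || leaf.getNotAfter().after(bestNotAfter)) {
                bestAlias = entry.getKey();
                bestNotAfter = leaf.getNotAfter();
            }
        }
        return bestAlias; // null lets HttpClient fail the handshake instead of guessing
    }

    /** True if the certificate is currently valid and permits TLS client authentication. */
    boolean usableForClientAuth(X509Certificate cert) {
        try {
            cert.checkValidity(now); // CertificateExpired / NotYetValid on failure
            List<String> eku = cert.getExtendedKeyUsage(); // CertificateParsingException on bad DER
            if (eku == null) {
                return false; // no EKU at all: do not pick it for client auth
            }
            return eku.contains(ID_KP_CLIENT_AUTH) || eku.contains(ANY_EXTENDED_KEY_USAGE);
        } catch (CertificateException e) {
            // covers all three checked exceptions thrown above
            return false;
        }
    }

    /** Assumed usage: open the MSCAPI store and hand the strategy to HttpClient's builder. */
    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        keyStore.load(null, null); // MSCAPI stores take neither a stream nor a password
        SSLContext sslContext = SSLContexts.custom()
                .loadKeyMaterial(keyStore, null, new ClientAuthAliasStrategy())
                .build();
        System.out.println("SSLContext ready, protocol " + sslContext.getProtocol());
    }
}
```

Passing the strategy instead of relying on the default alias choice matters for Windows-MY in particular: that store typically holds several entries (expired renewals, encryption-only certificates, EFS keys), and the default KeyManager may hand the server the first one that matches the CA list rather than the one intended for client authentication.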