Following the advice of Wei-Jun Wang, I am forwarding to this mailing list the
details of a problem that I encountered on macOS.

At the moment, I don't know how to modify the existing code so that the Apple
provider can behave like SunMSCAPI.


> Begin forwarded message:
> 
> From: Wei-Jun Wang <weijun.w...@oracle.com>
> Subject: Re: Java Bug: Mutual HTTPS authentication not possible with a 
> non-extractable private key with Apple/KeychainStore
> Date: 3 May 2021 at 18:11:12 UTC+2
> To: Jean-Yves Cronier <cronier...@gmail.com>
> 
> And BTW, it’s better to write to an area-specific mail list next time when 
> you find an issue in OpenJDK. The jdk-dev@ mail list is probably too big and 
> people discuss more grand things there. :-)
> 
> For security, it’s security-dev@openjdk.java.net.
> 
> Thanks,
> Weijun
> 
>>>> On 3 May 2021, at 16:03, Wei-Jun Wang <weijun.w...@oracle.com> wrote:
>>>> 
>>>> Hi Jean-Yves,
>>>> 
>>>> On macOS there’s only native key/certificate management but no signature 
>>>> signing/verification. If you look at 
>>>> https://docs.oracle.com/javase/9/security/oracleproviders.htm, the Apple 
>>>> provider only implements KeyStore. If you need to use a key in client 
>>>> auth, it needs to extract that key and use another provider (SunRsaSign or 
>>>> SunEC) to use it.
>>>> 
>>>> On the other hand, SunMSCAPI has implemented both KeyStore and Signature, 
>>>> therefore it can do both things inside the provider and the key does not 
>>>> need to be extracted.
>>>> 
>>>> I’ve filed https://bugs.openjdk.java.net/browse/JDK-8266439.
>>>> 
>>>> Thanks,
>>>> Weijun
>>>> 
>>>>> On May 1, 2021, at 8:19 AM, Jean-Yves Cronier <cronier...@gmail.com> 
>>>>> wrote:
>>>>> 
>>>>> Description
>>>>> 
>>>>> I have imported my personal certificate into the macOS keychain with the 
>>>>> "non-extractable" option (cf. https://ss64.com/osx/security-export.html).
>>>>> The private key is now protected, and it cannot be exported from the macOS 
>>>>> Keychain.
>>>>> But I am unable to establish a connection from Java with a web API which 
>>>>> requires a client certificate for mutual authentication.
>>>>> It works perfectly well with curl/git and with browsers (Safari/Chrome).
>>>>> 
>>>>> 
>>>>> System / OS / Java Runtime Information
>>>>> 
>>>>> openjdk 11.0.11
>>>>> macOS 11.3
>>>>> 
>>>>> 
>>>>> Steps to Reproduce
>>>>> 
>>>>> 1. Add the personal certificate with the "non-extractable" option. Example 
>>>>> with a personal certificate sent to me in a P12 file named 
>>>>> "my-certificate.p12", using the following command line:
>>>>> security import my-certificate.p12 -x -P "my-strong-password"
>>>>> 2. Connect to a site requiring mutual authentication (for example: 
>>>>> https://server.cryptomix.com/secure/)
>>>>> 
>>>>> 
>>>>> Expected Result
>>>>> 
>>>>> Display the content details of the selected client certificate
>>>>> 
>>>>> 
>>>>> Actual Result
>>>>> 
>>>>> Error: No TLS client certificate presented 
>>>>> 
>>>>> 
>>>>> Source code for an executable test case
>>>>> 
>>>>> import javax.net.ssl.HttpsURLConnection;
>>>>> import java.io.IOException;
>>>>> import java.net.URL;
>>>>> import java.security.cert.X509Certificate;
>>>>> 
>>>>> public class MutualAuthenticationTest {
>>>>>   public static void main(String[] args) throws IOException {
>>>>>     // Use the macOS Keychain (Apple provider) as the TLS client key store
>>>>>     System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");
>>>>>     System.setProperty("javax.net.ssl.keyStore", "NONE");
>>>>>     System.setProperty("javax.net.ssl.keyStorePassword", "-");
>>>>>     testUrl(new URL("https://server.cryptomix.com/secure/"));
>>>>>   }
>>>>> 
>>>>>   public static void testUrl(URL targetUrl) throws IOException {
>>>>>     HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
>>>>>     // Open the connection (this performs the TLS handshake)
>>>>>     con.getResponseCode();
>>>>> 
>>>>>     // Run with -ea: getLocalCertificates() is the client chain sent in the handshake
>>>>>     assert con.getLocalCertificates() != null
>>>>>         && con.getLocalCertificates().length > 0
>>>>>         : "Must use a personal certificate for mutual authentication";
>>>>>     X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
>>>>>     assert personalCertificate.getSubjectDN() != null;
>>>>>   }
>>>>> }
>>>>> 
>>>>> 
>>>>> Workaround
>>>>> 
>>>>> No possible workaround on macOS with Apple/KeychainStore.
>>>>> NB: works perfectly on Windows/MSCAPI with a personal certificate (with the 
>>>>> non-exportable private key option).
>>> 
>> 
> 

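A diagnostic that follows Weijun's explanation, added here and not taken from the thread or from the JDK: it loads a native key store, reports whether that store's provider also registers a Signature service, and for each key entry tries to sign a constructed message and shows which provider ends up doing the signing. The key store names (KeychainStore on macOS, Windows-MY for SunMSCAPI) and the "-" password mirror the report; the message and the class name are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/** Per key entry: can this JDK sign with it, and which provider does the signing? */
public class NativeKeyStoreSigningCheck {

    // Map a key algorithm (RSA, EC, DSA) to a JCA signature algorithm name
    static String sigAlgFor(String keyAlg) {
        return "EC".equals(keyAlg) ? "SHA256withECDSA" : "SHA256with" + keyAlg;
    }

    public static void main(String[] args) throws Exception {
        // Assumed store type: "KeychainStore" (Apple provider) or "Windows-MY" (SunMSCAPI)
        String type = args.length > 0 ? args[0] : "KeychainStore";
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);  // native stores ignore the stream
        Provider p = ks.getProvider();
        // The crux of the bug: does the key store's own provider also implement Signature?
        boolean signsNatively = p.getService("Signature", "SHA256withRSA") != null;
        System.out.printf("KeyStore %s from provider %s; provider has Signature: %s%n",
                type, p.getName(), signsNatively);

        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Key key = ks.getKey(alias, "-".toCharArray());  // "-" as in the bug report
            if (!(key instanceof PrivateKey)) {
                // Apple provider must export the key material; a non-extractable key yields null
                System.out.printf("%s: private key not available to Java%n", alias);
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            Signature s = Signature.getInstance(sigAlgFor(key.getAlgorithm()));
            s.initSign((PrivateKey) key);  // provider chosen by which one accepts this key object
            s.update(msg);
            byte[] sig = s.sign();
            Signature v = Signature.getInstance(s.getAlgorithm());
            v.initVerify(cert.getPublicKey());
            v.update(msg);
            System.out.printf("%s: key encoded=%s, signed by %s, verifies=%s%n", alias,
                    key.getEncoded() != null, s.getProvider().getName(), v.verify(sig));
        }
    }
}
```

On Windows the signing provider reported is SunMSCAPI and the key has no encoding, which is the in-provider path SunMSCAPI takes; on macOS an exportable key is signed by SunRsaSign or SunEC after export, and a non-extractable one never reaches Java.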