Folks,

I am trying to perform TLS auth with a PKCS12 and Windows-MY keystores with HttpClient 4.5.6 + Java 8, Update 212.

While with the .p12 (contains one key and its cert) file everything goes smoothly and fast, I am having trouble with Windows-MY on Windows 7 with my smartcard. Loading the store with KeyStore.getInstance("Windows-MY", "SunMSCAPI") takes very long (compared to PKCS12).

Another issue is the alias selection. While PKCS12 works just with:
SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();

Windows-MY just won't. I had to fiddle and search until I came up with selecting the key myself:

import java.net.Socket;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;

SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null,
    new PrivateKeyStrategy() {
      @Override
      public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        for (String alias : aliases.keySet()) {
          PrivateKeyDetails privateKeyDetails = aliases.get(alias);
          for (X509Certificate certificate : privateKeyDetails.getCertChain()) {
            try {
              // skip expired / not-yet-valid certificates
              certificate.checkValidity();
              // 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth (TLS client authentication)
              List<String> extKeyUsage = certificate.getExtendedKeyUsage();
              if (extKeyUsage != null && extKeyUsage.contains("1.3.6.1.5.5.7.3.2"))
                return alias;
            } catch (CertificateExpiredException | CertificateNotYetValidException
                     | CertificateParsingException e) {
              continue;
            }
          }
        }

        return null;
      }
    }).build();

I am quite certain that this is not HttpClient-related, but purely a provider issue, especially because I have found this [1] answer by Oleg.

Maybe someone can share experience?! Can't this be easier?
Is this better suited for security-dev@openjdk?

Michael

[1] https://stackoverflow.com/a/37775765/696632
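Added example, not part of Michael's post: a reusable PrivateKeyStrategy for the Windows-MY case described above, written against the HttpClient 4.5.x / HttpCore 4.4.x API (org.apache.http.ssl.PrivateKeyStrategy, PrivateKeyDetails, SSLContexts). Compared with the inline anonymous class it inspects only the leaf certificate (so a CA certificate in the chain cannot be matched by mistake), also requires the digitalSignature key-usage bit when a KeyUsage extension is present, and fails fast with a readable message when no usable alias exists instead of returning null and letting the handshake fail opaquely. The class name ClientAuthAliasStrategy and the main() wiring are the author's own choices; the keystore loading assumes the usual SunMSCAPI convention that load(null, null) must be called even though Windows-MY has no backing file.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;

/** Selects the first alias whose end-entity certificate is usable for TLS client authentication. */
public final class ClientAuthAliasStrategy implements PrivateKeyStrategy {

    /** id-kp-clientAuth, the same OID used in the original post. */
    static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2";

    @Override
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        for (Map.Entry<String, PrivateKeyDetails> entry : aliases.entrySet()) {
            X509Certificate[] chain = entry.getValue().getCertChain();
            // chain[0] is the end-entity certificate; only it decides client-auth suitability
            if (chain != null && chain.length > 0 && isUsableForClientAuth(chain[0])) {
                return entry.getKey();
            }
        }
        return null; // HttpClient then has no client identity to present
    }

    /** Valid today, digitalSignature permitted (or no KeyUsage extension), and clientAuth EKU present. */
    static boolean isUsableForClientAuth(X509Certificate cert) {
        try {
            cert.checkValidity();                       // throws when expired / not yet valid
            boolean[] keyUsage = cert.getKeyUsage();    // index 0 == digitalSignature (RFC 5280)
            boolean canSign = keyUsage == null || keyUsage[0];
            List<String> eku = cert.getExtendedKeyUsage(); // may throw CertificateParsingException
            return canSign && eku != null && eku.contains(CLIENT_AUTH_EKU);
        } catch (CertificateException e) {
            return false;
        }
    }

    /** Lists the aliases that would be accepted, so callers can fail fast with a useful error. */
    static List<String> usableAliases(KeyStore ks) throws Exception {
        List<String> result = new ArrayList<>();
        for (String alias : java.util.Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            java.security.cert.Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && isUsableForClientAuth((X509Certificate) c)) {
                result.add(alias);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Windows-MY is backed by the user's certificate store, not a file, but load() is still required.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        List<String> candidates = usableAliases(ks);
        if (candidates.isEmpty()) {
            throw new IllegalStateException(
                "No key entry in Windows-MY is currently valid and carries the clientAuth EKU");
        }
        System.out.println("Usable client-auth aliases: " + candidates);

        SSLContext sslContext = SSLContexts.custom()
            .loadKeyMaterial(ks, null, new ClientAuthAliasStrategy()) // no password for MSCAPI keys
            .build();
        System.out.println("SSLContext protocol: " + sslContext.getProtocol());
    }
}
```

The pre-check in usableAliases() is deliberately independent of HttpClient: running it once at start-up also gives a rough answer to the "why is it slow" question, because the time spent in KeyStore.load() for Windows-MY (enumerating the store, including the smartcard) is visible separately from the time spent in the TLS handshake.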

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
