On 2019-06-05 at 11:54, Oleg Kalnichevski wrote:
On Tue, 2019-06-04 at 23:33 +0200, Michael Osipov wrote:
Folks,

I am trying to perform TLS auth with PKCS12 and Windows-MY keystores
with HttpClient 4.5.6 + Java 8, Update 212.

While with the .p12 file (contains one key and its cert) everything
goes smoothly and fast, I am having trouble with Windows-MY on Windows 7
with my smartcard. Loading the store with
KeyStore.getInstance("Windows-MY", "SunMSCAPI") takes very long
(compared to PKCS12).

Another issue is the alias selection. While PKCS12 works just with:

SSLContext sslContext =
    SSLContexts.custom().loadKeyMaterial(keyStore, null).build();

Windows-MY just won't. I have to fiddle and search until I came up with
selecting the key myself with:

import java.net.Socket;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;

SSLContext sslContext =
    SSLContexts.custom().loadKeyMaterial(keyStore, null, new PrivateKeyStrategy() {
      @Override
      public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        for (String alias : aliases.keySet()) {
          PrivateKeyDetails privateKeyDetails = aliases.get(alias);
          for (X509Certificate certificate : privateKeyDetails.getCertChain()) {
            try {
              certificate.checkValidity();
              List<String> extKeyUsage = certificate.getExtendedKeyUsage();
              // 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth
              if (extKeyUsage != null && extKeyUsage.contains("1.3.6.1.5.5.7.3.2"))
                return alias;
            } catch (CertificateExpiredException | CertificateNotYetValidException
                | CertificateParsingException e) {
              continue; // skip unusable certificates in this chain
            }
          }
        }

        return null;
      }
    }).build();

I am quite certain that this is not HttpClient-related, but purely a
provider issue, especially because I have found this [1] answer by
Oleg.

Maybe someone can share experience?! Can't this be easier?
Is this better suited for security-dev@openjdk?


Hi Michael

I am not sure if I personally can be of any help here. I do not have
any experience with Windows-MY. Indeed, security-dev@openjdk might be a
better place to seek assistance in this matter.

If you have any idea how to improve Windows-MY support, the
httpclient-win module would be a good place for it.

I will inquire with them, I know some of those people on the list. Surprisingly, if I use curl with Schannel from the command prompt the smartcard prompt comes pretty fast and I do not need to provide any key alias. So, there is some room for improvement.

Michael
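The alias strategy quoted above walks every certificate in each candidate chain and accepts the first one that carries id-kp-clientAuth. The following is an added example, not code from this thread, from HttpClient or from the JDK: a reusable PrivateKeyStrategy for the Windows-MY store that decides on the end-entity certificate only (chain[0]), additionally requires the digitalSignature key-usage bit, allows an optional operator override and an optional issuer allow-list, and picks the longest-lived candidate when several match. The class name ClientAuthAliasStrategy, its constructor parameters and the helper windowsMyContext are assumptions of this example; the OIDs for id-kp-clientAuth and anyExtendedKeyUsage are the standard RFC 5280 values.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;

/** Added example (assumed name): selects a TLS client-auth alias from a Windows-MY store. */
public final class ClientAuthAliasStrategy implements PrivateKeyStrategy {

    private static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";   // RFC 5280
    private static final String ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0";    // RFC 5280
    private static final int KU_DIGITAL_SIGNATURE = 0;                     // KeyUsage bit index

    private final String preferredAlias;               // optional operator override, may be null
    private final Set<X500Principal> acceptedIssuers;  // optional issuer allow-list, may be null

    public ClientAuthAliasStrategy(String preferredAlias, Set<X500Principal> acceptedIssuers) {
        this.preferredAlias = preferredAlias;
        this.acceptedIssuers = acceptedIssuers;
    }

    @Override
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        // An explicit operator choice wins, but only if it is still usable today.
        if (preferredAlias != null && aliases.containsKey(preferredAlias)
                && isUsable(aliases.get(preferredAlias))) {
            return preferredAlias;
        }
        String best = null;
        Date bestNotAfter = null;
        for (Map.Entry<String, PrivateKeyDetails> entry : aliases.entrySet()) {
            if (!isUsable(entry.getValue())) {
                continue;
            }
            X509Certificate leaf = entry.getValue().getCertChain()[0];
            // Deterministic tie-break: prefer the certificate that expires last.
            if (bestNotAfter == null || leaf.getNotAfter().after(bestNotAfter)) {
                best = entry.getKey();
                bestNotAfter = leaf.getNotAfter();
            }
        }
        return best; // null tells HttpClient that no suitable key exists
    }

    /** Policy is evaluated on the end-entity certificate only; CA certs in the chain are not clients. */
    private boolean isUsable(PrivateKeyDetails details) {
        X509Certificate[] chain = details.getCertChain();
        if (chain == null || chain.length == 0) {
            return false;
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity();
            boolean[] keyUsage = leaf.getKeyUsage();
            // TLS client authentication signs the CertificateVerify message.
            if (keyUsage != null && keyUsage.length > KU_DIGITAL_SIGNATURE
                    && !keyUsage[KU_DIGITAL_SIGNATURE]) {
                return false;
            }
            List<String> eku = leaf.getExtendedKeyUsage();
            if (eku == null
                    || !(eku.contains(ID_KP_CLIENT_AUTH) || eku.contains(ANY_EXTENDED_KEY_USAGE))) {
                return false;
            }
            // X500Principal.equals compares canonical DN forms, so string encoding differences do not matter.
            return acceptedIssuers == null || acceptedIssuers.contains(leaf.getIssuerX500Principal());
        } catch (CertificateExpiredException | CertificateNotYetValidException
                | CertificateParsingException e) {
            return false;
        }
    }

    /** Assumed helper: SSLContext over the Windows-MY store via SunMSCAPI (key password is ignored by MSCAPI). */
    public static SSLContext windowsMyContext(String preferredAlias)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        keyStore.load(null, null);
        return SSLContexts.custom()
                .loadKeyMaterial(keyStore, null, new ClientAuthAliasStrategy(preferredAlias, null))
                .build();
    }
}
```

In my reading of httpcore's SSLContextBuilder, the aliases map handed to chooseAlias has already been narrowed to the key types and issuers named in the server's CertificateRequest, so the strategy only has to apply local policy on top of that; the issuer allow-list is still useful when the provider's key manager does not honour the issuer hint. Restricting the checks to chain[0] avoids accepting an alias merely because an intermediate CA in its chain happens to carry a client-auth EKU.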
