Folks, I am trying to perform TLS auth with a PKCS12 and Windows-MY keystores with HttpClient 4.5.6 + Java 8, Update 212 in Windows 7.
While with the .p12 (contains one key and its cert) file everything goes smoothly and fast, I am having trouble with Windows-MY with my smartcard. Loading the store with KeyStore.getInstance("Windows-MY", "SunMSCAPI") takes very long (compared to PKCS12) -- seconds. Another issue is the alias selection. While PKCS12 works just with:
SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();
Windows-MY just won't. I had to fiddle and search until I came up with selecting the key myself:
    SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, null, new PrivateKeyStrategy() {
            @Override
            public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                for (String alias : aliases.keySet()) {
                    PrivateKeyDetails privateKeyDetails = aliases.get(alias);
                    for (X509Certificate certificate : privateKeyDetails.getCertChain()) {
                        try {
                            certificate.checkValidity();
                            // 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth (RFC 5280 extended key usage)
                            List<String> extKeyUsage = certificate.getExtendedKeyUsage();
                            if (extKeyUsage != null && extKeyUsage.contains("1.3.6.1.5.5.7.3.2"))
                                return alias;
                        } catch (CertificateExpiredException | CertificateNotYetValidException
                                 | CertificateParsingException e) {
                            continue;
                        }
                    }
                }
                return null;
            }
        })
        .build();
I am quite certain that this is not HttpClient-related, but purely a provider issue, especially because I have found this [1] answer by Oleg Kalnichevski. If I use curl with Schannel from the command prompt, the smartcard prompt comes pretty fast and I do not need to provide any key alias. So, there is some room for improvement. Does someone have an explanation for this? How can this be made better? Waiting for seconds and iterating for the proper OID simply don't look right. Note that Windows-MY contains only one key from my smartcard to perform secure authentication; other keys have already expired.

Michael

[1] https://stackoverflow.com/a/37775765/696632
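An added example, not from the original post and not HttpClient's own code, that extends the alias-selection strategy above: it checks the KeyUsage bit as well as the clientAuth EKU, prefers the longest-lived candidate, reports why every other alias was skipped, and times the keystore load. The class name is mine; it assumes HttpClient 4.5's org.apache.http.ssl.PrivateKeyStrategy is on the classpath and runs against either Windows-MY (no arguments) or a PKCS12 file.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
public class ClientAuthAliasStrategy implements PrivateKeyStrategy { // hypothetical class name
    static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // RFC 5280 id-kp-clientAuth
    static final int KU_DIGITAL_SIGNATURE = 0;                   // KeyUsage bit index
    @Override
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        String chosen = null; X509Certificate chosenLeaf = null;
        for (Map.Entry<String, PrivateKeyDetails> e : aliases.entrySet()) {
            X509Certificate[] chain = e.getValue().getCertChain();
            if (chain == null || chain.length == 0) { skip(e.getKey(), "no certificate chain"); continue; }
            X509Certificate leaf = chain[0];                    // end-entity certificate
            try {
                leaf.checkValidity();                           // rejects expired / not-yet-valid
                boolean[] ku = leaf.getKeyUsage();
                if (ku != null && !ku[KU_DIGITAL_SIGNATURE]) { skip(e.getKey(), "no digitalSignature"); continue; }
                List<String> eku = leaf.getExtendedKeyUsage();
                if (eku != null && !eku.contains(ID_KP_CLIENT_AUTH)) { skip(e.getKey(), "no clientAuth EKU"); continue; }
            } catch (CertificateException ex) { skip(e.getKey(), ex.getMessage()); continue; }
            if (chosenLeaf == null || leaf.getNotAfter().after(chosenLeaf.getNotAfter())) {
                chosen = e.getKey(); chosenLeaf = leaf;         // prefer the longest-lived candidate
            }
        }
        return chosen;
    }
    private static void skip(String alias, String why) { System.err.println("skip " + alias + ": " + why); }
    public static void main(String[] args) throws Exception { // usage: [file.p12 password]; no args = Windows-MY
        long t0 = System.nanoTime();
        KeyStore ks = args.length == 2 ? KeyStore.getInstance("PKCS12") : KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        if (args.length == 2) { try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); } }
        else ks.load(null, null);
        System.out.println("keystore load took " + (System.nanoTime() - t0) / 1_000_000 + " ms");
        Map<String, PrivateKeyDetails> aliases = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {   // build the same map HttpClient hands to the strategy
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] raw = ks.getCertificateChain(alias);
            X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
            aliases.put(alias, new PrivateKeyDetails(chain[0].getPublicKey().getAlgorithm(), chain));
        }
        System.out.println("chosen alias: " + new ClientAuthAliasStrategy().chooseAlias(aliases, null));
    }
}
```

The skip lines on stderr show which certificates in the store fail validity, KeyUsage or EKU checks, and the load timing separates provider slowness from alias selection.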