Java Bug : Mutual HTTPS authentication not possible with a non-extractable private key with Apple/KeychainStore

Jean-Yves Cronier cronier.jy at gmail.com
Sat May 1 12:19:53 UTC 2021 

Description
I have imported my personal certificate in macOS keychain with "non-extractable" option (cf. https://ss64.com/osx/security-export.html <https://ss64.com/osx/security-export.html>).
Private key is now protected, and we can't export private key from macOS KeyChain
But I am unable to establish connexion with a web-API which require client certificate for mutual authentication with Java
It work perfectly well with curl/git, and browsers (safari/chrome)
 <>System / OS / Java Runtime Information
openjdk 11.0.11
macOS 11.3
 <>Reproducing the Issue
 <>Steps to Reproduce
1. Add personal certificate with "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with following command-line:
security import my-certificate.p12 -x -P « my-strong-password"
2. Connect a site require mutual authentication (for example : https://server.cryptomix.com/secure/ <https://server.cryptomix.com/secure/> )
 <>Expected Result
Display content detail of selected client certificate
 <>Actual Result
Error: No TLS client certificate presented 
 <>Source code for an executable test case
import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;

public class MutualAuthenticationTest {
	public static void main(String[] args) throws IOException {
		System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");
		System.setProperty("javax.net.ssl.keyStore", "NONE");
		System.setProperty("javax.net.ssl.keyStorePassword", "-");
		testUrl(new URL("https://server.cryptomix.com/secure/"));
	}

	public static void testUrl(URL targetUrl) throws IOException {
		HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
		// Open the connection
		con.getResponseCode();

		assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0 : "Must use a personnel certificate for mutual authentication";
		X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
		assert personalCertificate.getSubjectDN() != null;
	}
}
 <>Workaround
No possible workaround on MacOS which Apple/KeychainStore
NB : Perfectly work on Windows/MSCAPI with personnel certificate (with non-exportable private key option)

More information about the jdk-dev mailing list