Selecting private key with Windows-MY

Michael Osipov 1983-01-06 at gmx.net
Wed Jun 5 16:25:05 UTC 2019


Folks,

I am trying to perform TLS auth with a PKCS12 and Windows-MY keystores
with HttpClient 4.5.6 + Java 8, Update 212 in Windows 7.

While with the .p12 (contains one key and its cert) file everything goes
smoothly and fast, I am having trouble with Windows-MY with my smartcard.
Loading the store with KeyStore.getInstance("Windows-MY", "SunMSCAPI")
takes very long (compared to PKCS12) -- seconds.

Another issue is the alias selection. While PKCS12 works just with:
> SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();

Windows-MY just won't. I have to fiddle and search until I came up with
selecting the key myself:
> SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null, new PrivateKeyStrategy() {
>   @Override
>   public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
>     for (String alias : aliases.keySet()) {
>       PrivateKeyDetails privateKeyDetails = aliases.get(alias);
>       for (X509Certificate certificate : privateKeyDetails.getCertChain()) {
>         try {
>           certificate.checkValidity();
>           List<String> extKeyUsage = certificate.getExtendedKeyUsage();
>           if (extKeyUsage != null && extKeyUsage.contains("1.3.6.1.5.5.7.3.2"))
>             return alias;
>         } catch (CertificateExpiredException | CertificateNotYetValidException | CertificateParsingException e) {
>           continue;
>         }
>       }
>     }
>
>     return null;
>   }
> }).build();

I am quite certain that this is not HttpClient-related, but purely a
provider issue, especially because I have found this [1] answer by Oleg
Kalnichevski.

If I use curl with Schannel from the command prompt the smartcard prompt
comes pretty fast and I do not need to provide any key alias. So, there
is some room for improvement.

Does someone have an explanation for this? How can this be made better?
Waiting for seconds and iterating for the proper OID simply don't look
right. Note that Windows-MY contains only one key from my smartcard to
perform secure authentication; other keys have already expired.

Michael

[1] https://stackoverflow.com/a/37775765/696632
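An added example, not from the original post or from HttpClient itself, showing how the alias selection described above can be made reusable and explain itself: the strategy accepts only a key whose leaf certificate is currently valid, carries the clientAuth EKU and permits digitalSignature, and a diagnostic main() times the Windows-MY load and reports why each alias is accepted or rejected. It assumes HttpClient 4.5.x (org.apache.http.ssl) on the classpath and an Oracle/OpenJDK build on Windows that ships the SunMSCAPI provider; the class name ClientAuthKeyStrategy is made up for this example.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;

// Hypothetical helper class for this example; pass an instance to
// SSLContexts.custom().loadKeyMaterial(keyStore, null, new ClientAuthKeyStrategy()).
public class ClientAuthKeyStrategy implements PrivateKeyStrategy {
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    @Override
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        for (Map.Entry<String, PrivateKeyDetails> e : aliases.entrySet()) {
            X509Certificate[] chain = e.getValue().getCertChain();
            if (chain == null || chain.length == 0) continue;
            String reason = rejectReason(chain[0]);   // only the leaf carries the EKU that matters
            if (reason == null) return e.getKey();
            System.err.println("skipping alias " + e.getKey() + ": " + reason);
        }
        return null;  // no usable key: the handshake continues without a client certificate
    }

    /** Returns null when the leaf is usable for TLS client auth, otherwise a short reason. */
    static String rejectReason(X509Certificate leaf) {
        try {
            leaf.checkValidity();                       // throws if expired or not yet valid
            boolean[] ku = leaf.getKeyUsage();          // index 0 = digitalSignature
            if (ku != null && !ku[0]) return "keyUsage lacks digitalSignature";
            List<String> eku = leaf.getExtendedKeyUsage();
            if (eku == null || !eku.contains(CLIENT_AUTH_OID)) return "no clientAuth EKU";
            return null;
        } catch (CertificateException ex) {             // expired, not yet valid, or unparsable
            return ex.getClass().getSimpleName();
        }
    }

    // Diagnostic entry point: measures the Windows-MY load time and classifies every key entry.
    public static void main(String[] args) throws Exception {
        long t0 = System.nanoTime();
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        System.out.printf("loaded Windows-MY in %d ms%n", (System.nanoTime() - t0) / 1_000_000);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            String reason = rejectReason((X509Certificate) ks.getCertificate(alias));
            System.out.println(alias + ": " + (reason == null ? "usable for client auth" : reason));
        }
    }
}
```

Running the main() before wiring the strategy into HttpClient shows whether the slow part is the keystore load itself and which entries the strategy would pass over, which narrows the problem to the provider or to the certificates on the card.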
