Selecting private key with Windows-MY

Sean Mullan sean.mullan at oracle.com
Thu Jun 6 12:05:26 UTC 2019


Not sure, but you could try running with -Djava.security.debug=all on the 
java command line and see if you see anything unusual in the output or 
delays/timeouts (as compared with PKCS12).

--Sean

On 6/5/19 12:25 PM, Michael Osipov wrote:
> Folks,
> 
> I am trying to perform TLS auth with a PKCS12 and Windows-MY keystores
> with HttpClient 4.5.6 + Java 8, Update 212 in Windows 7.
> 
> While with the .p12 (contains one key and its cert) file everything goes
> smoothly and fast, I am having trouble with Windows-MY with my smartcard.
> Loading the store with KeyStore.getInstance("Windows-MY", "SunMSCAPI")
> takes very long (compared to PKCS12) -- seconds.
> 
> Another issue is the alias selection. While PKCS12 works just with:
>> SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();
> 
> Windows-MY just won't. I had to fiddle and search until I came up with
> selecting the key myself:
>> SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null,
>>     new PrivateKeyStrategy() {
>>   @Override
>>   public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
>>     for (String alias : aliases.keySet()) {
>>       PrivateKeyDetails privateKeyDetails = aliases.get(alias);
>>       for (X509Certificate certificate : privateKeyDetails.getCertChain()) {
>>         try {
>>           certificate.checkValidity();
>>           List<String> extKeyUsage = certificate.getExtendedKeyUsage();
>>           if (extKeyUsage != null && extKeyUsage.contains("1.3.6.1.5.5.7.3.2"))
>>             return alias;
>>         } catch (CertificateExpiredException | CertificateNotYetValidException
>>                  | CertificateParsingException e) {
>>           continue;
>>         }
>>       }
>>     }
>>
>>     return null;
>>   }
>> }).build();
> 
> I am quite certain that this is not HttpClient-related, but purely a
> provider issue, especially because I have found this [1] answer by Oleg
> Kalnichevski.
> 
> If I use curl with Schannel from the command prompt the smartcard prompt
> comes pretty fast and I do not need to provide any key alias. So, there
> is some room for improvement.
> 
> Does someone have an explanation for this? How can this be made better?
> Waiting for seconds and iterating for the proper OID simply don't look
> right. Note that Windows-MY contains only one key from my smartcard to
> perform secure authentication; the other keys have already expired.
> 
> Michael
> 
> [1] https://stackoverflow.com/a/37775765/696632
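
An added example, not code from either message above: the same alias selection done at the JSSE level rather than through HttpClient's PrivateKeyStrategy. It scans Windows-MY for a key entry whose leaf certificate is currently valid and explicitly lists id-kp-clientAuth in its EKU, then wraps the provider's X509KeyManager so that exactly this alias is offered during the handshake. The keystore type, provider name and OID are taken from the message; the class and method names, and the decision to look only at the leaf certificate, are my own.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Added example (not from the thread): pick the Windows-MY client-auth alias and pin JSSE to it. */
public final class WindowsMyClientAuth {

    /** id-kp-clientAuth, RFC 5280 section 4.2.1.12. */
    static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /**
     * First key entry whose leaf certificate is valid now and explicitly carries
     * clientAuth in its EKU, or null if none qualifies. Only the leaf is checked:
     * an EKU on a CA certificate says nothing about the end-entity key.
     */
    static String chooseClientAuthAlias(KeyStore ks) throws GeneralSecurityException {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;                          // trusted-cert entries have no private key
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate leaf = (X509Certificate) c;
            try {
                leaf.checkValidity();              // throws if expired or not yet valid
                List<String> eku = leaf.getExtendedKeyUsage();
                if (eku != null && eku.contains(ID_KP_CLIENT_AUTH)) {
                    return alias;
                }
            } catch (CertificateException e) {
                // expired, not yet valid, or EKU not parsable: skip this entry
            }
        }
        return null;
    }

    /** Key manager that always offers one pre-selected alias for client authentication. */
    static final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return alias;
        }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
            return alias;                          // SSLEngine (NIO) clients ask here instead
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return new String[] { alias };
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public X509Certificate[] getCertificateChain(String a) {
            return delegate.getCertificateChain(a);
        }
        @Override public PrivateKey getPrivateKey(String a) {
            return delegate.getPrivateKey(a);      // MSCAPI hands back a handle; the PIN prompt comes on first use
        }
    }

    /** SSLContext whose client certificate is the selected Windows-MY entry; default trust store. */
    static SSLContext buildClientContext() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);                       // MSCAPI stores take no stream and no password

        String alias = chooseClientAuthAlias(ks);
        if (alias == null) {
            throw new GeneralSecurityException("no valid clientAuth key in Windows-MY");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);
        X509KeyManager x509km = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                x509km = (X509KeyManager) km;
                break;
            }
        }
        if (x509km == null) {
            throw new GeneralSecurityException("no X509KeyManager from " + kmf.getAlgorithm());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(x509km, alias) }, null, null);
        return ctx;
    }
}
```

`buildClientContext().getSocketFactory()` can be handed to HttpClient's SSLConnectionSocketFactory, so the HttpClient-specific strategy is no longer needed. Two caveats: the default key manager normally filters by the key types and issuer names in the server's CertificateRequest, and pinning one alias skips that filtering, so a server that does not accept the card's issuer fails the handshake instead of falling back to another entry; and running with -Djava.security.debug=all, as suggested above, is the way to see whether the seconds are spent enumerating the store or talking to the card.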



More information about the security-dev mailing list