Fwd: Java Bug : Mutual HTTPS authentication not possible with a non-extractable private key with Apple/KeychainStore

Jean-Yves Cronier cronier.jy at gmail.com
Mon May 3 17:16:52 UTC 2021 

Following the advice of Wei-Jun Wang, I share/forward to this mailing-list, details of a problem that I encounter on MacOS.

At the moment, I don't know how to modify the existing code so that the Apple Provider can behave like SunMSCAPI


> Début du message réexpédié :
> 
> De: Wei-Jun Wang <weijun.wang at oracle.com>
> Objet: Rép. : Java Bug : Mutual HTTPS authentication not possible with a non-extractable private key with Apple/KeychainStore
> Date: 3 mai 2021 à 18:11:12 UTC+2
> À: Jean-Yves Cronier <cronier.jy at gmail.com>
> 
> And BTW, it’s better to write to an area-specific mail list next time when you find an issue in OpenJDK. The jdk-dev@ mail list is probably too big and people discuss more grand things there. :-)
> 
> For security, it’s security-dev at openjdk.java.net.
> 
> Thanks,
> Weijun
> 
>>>> Le 3 mai 2021 à 16:03, Wei-Jun Wang <weijun.wang at oracle.com> a écrit :
>>>> 
>>>> Hi Jean-Yves,
>>>> 
>>>> On macOS there’s only native key/certificate management but no signature signing/verification. If you look at https://docs.oracle.com/javase/9/security/oracleproviders.htm, the Apple provider only implements KeyStore. If you need to use a key in client auth, it needs to extract that key and use another provider (SunRsaSign or SunEC) to use it.
>>>> 
>>>> On the other hand, SunMSCAPI has implemented both KeyStore and Signature, therefore it can do both things inside the provider and the key does not need to be extracted.
>>>> 
>>>> I’ve filed https://bugs.openjdk.java.net/browse/JDK-8266439.
>>>> 
>>>> Thanks,
>>>> Weijun
>>>> 
>>>>> On May 1, 2021, at 8:19 AM, Jean-Yves Cronier <cronier.jy at gmail.com> wrote:
>>>>> 
>>>>> Description
>>>>> 
>>>>> I have imported my personal certificate in macOS keychain with "non-extractable" option (cf. https://ss64.com/osx/security-export.html<https://ss64.com/osx/security-export.html>).
>>>>> Private key is now protected, and we can't export private key from macOS KeyChain
>>>>> But I am unable to establish connexion with a web-API which require client certificate for mutual authentication with Java
>>>>> It work perfectly well with curl/git, and browsers (safari/chrome)
>>>>> 
>>>>> 
>>>>> <>System / OS / Java Runtime Information
>>>>> 
>>>>> openjdk 11.0.11
>>>>> macOS 11.3
>>>>> 
>>>>> 
>>>>> <>Steps to Reproduce
>>>>> 
>>>>> 1. Add personal certificate with "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with following command-line:
>>>>> security import my-certificate.p12 -x -P « my-strong-password"
>>>>> 2. Connect a site require mutual authentication (for example : https://server.cryptomix.com/secure/ <https://server.cryptomix.com/secure/> )
>>>>> 
>>>>> 
>>>>> <>Expected Result
>>>>> 
>>>>> Display content detail of selected client certificate
>>>>> 
>>>>> 
>>>>> <>Actual Result
>>>>> 
>>>>> Error: No TLS client certificate presented 
>>>>> 
>>>>> 
>>>>> <>Source code for an executable test case
>>>>> 
>>>>> import javax.net.ssl.HttpsURLConnection;
>>>>> import java.io.IOException;
>>>>> import java.net.URL;
>>>>> import java.security.cert.X509Certificate;
>>>>> 
>>>>> public class MutualAuthenticationTest {
>>>>> 	public static void main(String[] args) throws IOException {
>>>>> 		System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");
>>>>> 		System.setProperty("javax.net.ssl.keyStore", "NONE");
>>>>> 		System.setProperty("javax.net.ssl.keyStorePassword", "-");
>>>>> 		testUrl(new URL("https://server.cryptomix.com/secure/"));
>>>>> 	}
>>>>> 
>>>>> 	public static void testUrl(URL targetUrl) throws IOException {
>>>>> 		HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
>>>>> 		// Open the connection
>>>>> 		con.getResponseCode();
>>>>> 
>>>>> 		assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0 : "Must use a personnel certificate for mutual authentication";
>>>>> 		X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
>>>>> 		assert personalCertificate.getSubjectDN() != null;
>>>>> 	}
>>>>> }
>>>>> 
>>>>> 
>>>>> <>Workaround
>>>>> 
>>>>> No possible workaround on MacOS which Apple/KeychainStore
>>>>> NB : Perfectly work on Windows/MSCAPI with personnel certificate (with non-exportable private key option)
>>> 
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210503/5c840e4a/attachment.htm>

More information about the security-dev mailing list