<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Following the advice of Wei-Jun Wang, I share/forward to this mailing-list, details of a problem that I encounter on MacOS.<div class=""><br class=""></div><div class="">At the moment, I don't know how to modify the existing code so that the Apple Provider can behave like SunMSCAPI</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">Début du message réexpédié :</div><br class="Apple-interchange-newline"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">De: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Wei-Jun Wang <<a href="mailto:weijun.wang@oracle.com" class="">weijun.wang@oracle.com</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">Objet: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">Rép. : Java Bug : Mutual HTTPS authentication not possible with a non-extractable private key with Apple/KeychainStore</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">3 mai 2021 à 18:11:12 UTC+2<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">À: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Jean-Yves Cronier <<a href="mailto:cronier.jy@gmail.com" class="">cronier.jy@gmail.com</a>><br class=""></span></div><br class=""><div class=""><div class="">And BTW, it’s better to write to an area-specific mail list next time when you find an issue in OpenJDK. The jdk-dev@ mail list is probably too big and people discuss more grand things there. :-)<br class=""><br class="">For security, it’s <a href="mailto:security-dev@openjdk.java.net" class="">security-dev@openjdk.java.net</a>.<br class=""><br class="">Thanks,<br class="">Weijun<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Le 3 mai 2021 à 16:03, Wei-Jun Wang <<a href="mailto:weijun.wang@oracle.com" class="">weijun.wang@oracle.com</a>> a écrit :<br class=""><br class="">Hi Jean-Yves,<br class=""><br class="">On macOS there’s only native key/certificate management but no signature signing/verification. If you look at <a href="https://docs.oracle.com/javase/9/security/oracleproviders.htm" class="">https://docs.oracle.com/javase/9/security/oracleproviders.htm</a>, the Apple provider only implements KeyStore. If you need to use a key in client auth, it needs to extract that key and use another provider (SunRsaSign or SunEC) to use it.<br class=""><br class="">On the other hand, SunMSCAPI has implemented both KeyStore and Signature, therefore it can do both things inside the provider and the key does not need to be extracted.<br class=""><br class="">I’ve filed <a href="https://bugs.openjdk.java.net/browse/JDK-8266439" class="">https://bugs.openjdk.java.net/browse/JDK-8266439</a>.<br class=""><br class="">Thanks,<br class="">Weijun<br class=""><br class=""><blockquote type="cite" class="">On May 1, 2021, at 8:19 AM, Jean-Yves Cronier <<a href="mailto:cronier.jy@gmail.com" class="">cronier.jy@gmail.com</a>> wrote:<br class=""><br class="">Description</blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">I have imported my personal certificate in macOS keychain with "non-extractable" option (cf. <a href="https://ss64.com/osx/security-export.html<https://ss64.com/osx/security-export.html>" class="">https://ss64.com/osx/security-export.html<https://ss64.com/osx/security-export.html></a>).<br class="">Private key is now protected, and we can't export private key from macOS KeyChain<br class="">But I am unable to establish connexion with a web-API which require client certificate for mutual authentication with Java<br class="">It work perfectly well with curl/git, and browsers (safari/chrome)<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><>System / OS / Java Runtime Information<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">openjdk 11.0.11<br class="">macOS 11.3<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><>Steps to Reproduce</blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">1. Add personal certificate with "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with following command-line:<br class="">security import my-certificate.p12 -x -P « my-strong-password"<br class="">2. Connect a site require mutual authentication (for example : <a href="https://server.cryptomix.com/secure/" class="">https://server.cryptomix.com/secure/</a> <<a href="https://server.cryptomix.com/secure/" class="">https://server.cryptomix.com/secure/</a>> )<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><>Expected Result<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Display content detail of selected client certificate<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><>Actual Result<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Error: No TLS client certificate presented <br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><>Source code for an executable test case<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">import javax.net.ssl.HttpsURLConnection;<br class="">import java.io.IOException;<br class="">import java.net.URL;<br class="">import java.security.cert.X509Certificate;<br class=""><br class="">public class MutualAuthenticationTest {<br class=""><span class="Apple-tab-span" style="white-space:pre">  </span>public static void main(String[] args) throws IOException {<br class=""><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>System.setProperty("javax.net.ssl.keyStore", "NONE");<br class=""><span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span>System.setProperty("javax.net.ssl.keyStorePassword", "-");<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>testUrl(new URL("<a href="https://server.cryptomix.com/secure/" class="">https://server.cryptomix.com/secure/</a>"));<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>}<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>public static void testUrl(URL targetUrl) throws IOException {<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();<br class=""><span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span>// Open the connection<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>con.getResponseCode();<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0 : "Must use a personnel certificate for mutual authentication";<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">    </span>X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>assert personalCertificate.getSubjectDN() != null;<br class=""><span class="Apple-tab-span" style="white-space:pre">     </span>}<br class="">}<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><>Workaround<br class=""></blockquote></blockquote></blockquote></blockquote></div></div></blockquote><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">No possible workaround on MacOS which Apple/KeychainStore<br class="">NB : Perfectly work on Windows/MSCAPI with personnel certificate (with non-exportable private key option)<br class=""></blockquote></blockquote><br class=""></blockquote><br class=""></blockquote><br class=""></div></div></blockquote></div><br class=""></div></body></html>