Java Bug : Mutual HTTPS authentication not possible with a non-extractable private key with Apple/KeychainStore

Sean Mullan sean.mullan at oracle.com
Mon May 3 13:48:02 UTC 2021 

-bcc jdk-dev

This is not the proper alias for reporting issues.

Please file a bug at https://bugreport.java.com/bugreport/

Thanks,
Sean

On 5/1/21 8:19 AM, Jean-Yves Cronier wrote:
> Description
> I have imported my personal certificate in macOS keychain with "non-extractable" option (cf. https://ss64.com/osx/security-export.html <https://ss64.com/osx/security-export.html>).
> Private key is now protected, and we can't export private key from macOS KeyChain
> But I am unable to establish connexion with a web-API which require client certificate for mutual authentication with Java
> It work perfectly well with curl/git, and browsers (safari/chrome)
>   <>System / OS / Java Runtime Information
> openjdk 11.0.11
> macOS 11.3
>   <>Reproducing the Issue
>   <>Steps to Reproduce
> 1. Add personal certificate with "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with following command-line:
> security import my-certificate.p12 -x -P « my-strong-password"
> 2. Connect a site require mutual authentication (for example : https://server.cryptomix.com/secure/ <https://server.cryptomix.com/secure/> )
>   <>Expected Result
> Display content detail of selected client certificate
>   <>Actual Result
> Error: No TLS client certificate presented
>   <>Source code for an executable test case
> import javax.net.ssl.HttpsURLConnection;
> import java.io.IOException;
> import java.net.URL;
> import java.security.cert.X509Certificate;
> 
> public class MutualAuthenticationTest {
> 	public static void main(String[] args) throws IOException {
> 		System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");
> 		System.setProperty("javax.net.ssl.keyStore", "NONE");
> 		System.setProperty("javax.net.ssl.keyStorePassword", "-");
> 		testUrl(new URL("https://server.cryptomix.com/secure/"));
> 	}
> 
> 	public static void testUrl(URL targetUrl) throws IOException {
> 		HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
> 		// Open the connection
> 		con.getResponseCode();
> 
> 		assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0 : "Must use a personnel certificate for mutual authentication";
> 		X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
> 		assert personalCertificate.getSubjectDN() != null;
> 	}
> }
>   <>Workaround
> No possible workaround on MacOS which Apple/KeychainStore
> NB : Perfectly work on Windows/MSCAPI with personnel certificate (with non-exportable private key option)
>

More information about the jdk-dev mailing list