Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8266867

[macos]Mutual HTTPS authentication not possible with a non-extractable private key

    XMLWordPrintable

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      openjdk 11.0.11
      macOS 11.3

      A DESCRIPTION OF THE PROBLEM :
      I have imported my personal certificate in macOS keychain with "non-extractable" option (cf. https://ss64.com/osx/security-export.html). Private key is now protected, and we can't export private key from macOS KeyChain

      I am unable to establish connexion.

      It work perfectly well with curl/git, and browsers (safari/chrome), but not with Java

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Add personal certificate with "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with following command-line:

      security import my-certificate.p12 -x -P "my-string-password"

      2. Connect a site require mutual authentication (for example : https://server.cryptomix.com/secure/ )

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Display content detail of client certificate (auto-selected for mutual authentication)
      ACTUAL -
      Error: No TLS client certificate presented

      ---------- BEGIN SOURCE ----------
      import javax.net.ssl.HttpsURLConnection;
      import java.io.IOException;
      import java.net.URL;
      import java.security.cert.X509Certificate;

      public class MutualAuthenticationTest {
      public static void main(String[] args) throws IOException {
      System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");
      System.setProperty("javax.net.ssl.keyStore", "NONE");
      System.setProperty("javax.net.ssl.keyStorePassword", "-");
      testUrl(new URL("https://server.cryptomix.com/secure/"));
      }

      public static void testUrl(URL targetUrl) throws IOException {
      HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
      // Open the connection
      con.getResponseCode();

      assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0 : "Must use a personnel certificate for mutual authentication";
      X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
      assert personalCertificate.getSubjectDN() != null;
      }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      No possible workaround on MacOS with Apple/KeychainStore

      NB : it perfectly work on Windows with MSCAPI with a personal certificate imported with "non-exportable" option.

      FREQUENCY : always


        Attachments

          Issue Links

            Activity

              People

              Assignee:
              tongwan Andrew Wang
              Reporter:
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: