- Bug
- Resolution: Duplicate
- P4
- None
- 11.0.11
- x86_64
- os_x
ADDITIONAL SYSTEM INFORMATION :
openjdk 11.0.11
macOS 11.3
A DESCRIPTION OF THE PROBLEM :
I have imported my personal certificate into the macOS keychain with the "non-extractable" option (cf. https://ss64.com/osx/security-export.html). The private key is now protected, and we can't export the private key from the macOS Keychain.
I am unable to establish a connection.
It works perfectly well with curl/git and browsers (Safari/Chrome), but not with Java.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Add the personal certificate with the "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with the following command line:
   security import my-certificate.p12 -x -P "my-string-password"
2. Connect to a site requiring mutual authentication (for example: https://server.cryptomix.com/secure/ )
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Display the content details of the client certificate (auto-selected for mutual authentication)
ACTUAL -
Error: No TLS client certificate presented
---------- BEGIN SOURCE ----------
import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;

public class MutualAuthenticationTest {
    public static void main(String[] args) throws IOException {
        // Use the macOS keychain (Apple provider) as the TLS client key store
        System.setProperty("javax.net.ssl.keyStoreType", "KeychainStore");
        System.setProperty("javax.net.ssl.keyStore", "NONE");
        System.setProperty("javax.net.ssl.keyStorePassword", "-");
        testUrl(new URL("https://server.cryptomix.com/secure/"));
    }

    // Run with -ea so the assertions below are actually checked
    public static void testUrl(URL targetUrl) throws IOException {
        HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
        // Open the connection (performs the TLS handshake)
        con.getResponseCode();
        // The client certificate chain sent during the handshake; null if none was presented
        assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0
                : "Must use a personal certificate for mutual authentication";
        X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
        assert personalCertificate.getSubjectDN() != null;
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
No possible workaround on macOS with Apple/KeychainStore.
NB: it works perfectly on Windows with MSCAPI with a personal certificate imported with the "non-exportable" option.
FREQUENCY : always
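Before blaming the TLS handshake, it helps to check what Java itself can see in the platform key store. The following diagnostic is an added example, not code from the bug report or from the JDK: it loads a platform key store (the Apple KeychainStore by default; the class name, the command-line argument and the empty-password assumption are mine) and reports, for every alias, whether the entry is a key entry and whether a private-key handle can be obtained. An alias whose certificate is listed but whose key is reported unusable, while the `security` tool shows the item, is the symptom described above. Passing `Windows-MY` as the argument runs the same check against MSCAPI for comparison.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Lists every entry of a platform key store and reports whether Java can obtain
 * a private-key handle for it. Added diagnostic (hypothetical class name), not
 * part of the bug report or of the JDK. Defaults to the Apple KeychainStore;
 * pass another store type (e.g. Windows-MY) as the first argument.
 */
public class KeyStoreVisibilityCheck {

    public static void main(String[] args) throws Exception {
        String type = args.length > 0 ? args[0] : "KeychainStore";
        KeyStore ks = KeyStore.getInstance(type);
        // Platform stores are backed by the OS: no stream or store password is needed to load them
        ks.load(null, null);
        System.out.println("Key store type: " + type + ", entries: " + ks.size());
        for (String alias : Collections.list(ks.aliases())) {
            report(ks, alias);
        }
    }

    /** Prints alias, certificate subject, entry kind and whether getKey() yields a usable key. */
    static void report(KeyStore ks, String alias) throws KeyStoreException {
        Certificate cert = ks.getCertificate(alias);
        String subject = cert instanceof X509Certificate
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : "(no X.509 certificate)";
        boolean keyEntry = ks.isKeyEntry(alias);
        boolean keyUsable = false;
        String detail = "";
        if (keyEntry) {
            try {
                // Assumption: platform stores do not need a per-key password, so none is passed
                Key key = ks.getKey(alias, null);
                keyUsable = key != null;
                if (key != null) {
                    detail = key.getAlgorithm() + "/" + key.getFormat();
                }
            } catch (Exception e) {
                // e.g. UnrecoverableKeyException when the OS refuses to hand out the key material
                detail = e.getClass().getSimpleName() + ": " + e.getMessage();
            }
        }
        System.out.printf("%-40s %-50s keyEntry=%-5s keyUsable=%-5s %s%n",
                alias, subject, keyEntry, keyUsable, detail);
    }
}
```

Compile and run it with `javac KeyStoreVisibilityCheck.java && java KeyStoreVisibilityCheck` on the affected machine; the row for the imported certificate shows at a glance whether the store exposes a key entry for it, which is what the TLS key manager needs in order to auto-select a client certificate.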
- duplicates JDK-8266439 Cannot use non-extractable private key with Apple/KeychainStore (Open)