
How to access certs in the Windows keystore from Java?


merlin.w...@gmail.com

Oct 4, 2015, 7:28:57 AM
to mozilla-dev...@lists.mozilla.org
Hello, all -

I'm new to NSS and I'm having trouble finding information on how to get started with this - any help will be appreciated!

I have a desktop application that needs to make a client-authenticated connection (TLS1.1) to a web server. The particulars:

- Java 8 running on Windows
- user cert resides in the Windows keystore
- using NSS 3.20 in FIPS mode
- configured per http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html

Server-authenticated connections are working correctly, but when I try to add client authentication using the Windows-based cert I get this error:

java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips

What's the equivalent of the following in NSS land?

import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLContexts;

KeyStore keystore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keystore.load(null, password);

sslContext = SSLContexts.custom().useTLS().loadKeyMaterial(keystore, password).build();

Thank you!
Merlin

helpcrypto helpcrypto

Oct 5, 2015, 8:10:21 AM
to mozilla's crypto code discussion list, mozilla-dev...@lists.mozilla.org
Hi Merlin

Google is full of references and examples if you look for something like
"java NSS"

Anyhow, to use a certificate stored in the Windows Keystore you have to use
the MSCAPI provider ("How to java mscapi").
If you want to use a certificate stored in NSS (Firefox/Thunderbird) or a
PKCS#11 token, then you should use the SunPKCS11 provider.

Oracle documentation has examples for both of them ;)
> --
> dev-tech-crypto mailing list
> dev-tec...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

merlin.w...@gmail.com

Oct 8, 2015, 6:41:38 AM
to mozilla-dev...@lists.mozilla.org
Maybe my googling skills are weak, but I found no information on how to get NSS to use keys from the Windows keystore. In the end, I decided it's probably a violation of the NSS paradigm anyway. It seems the intent is to use the NSS database as the sole repository of certs and keys. Especially in FIPS mode.

If that's not correct, I would love to know how to do that. Anyone?

So, once I used pk12util to import a p12 into NSS I was able to get 2-way SSL, or client-authenticated SSL, to work using the javax.net.ssl classes. That is, configure the NSS provider as described in the Java 8 docs referenced above then build an SSLContext and so on, as usual.

Now my problem is how to choose among multiple certs. If there's more than one cert that matches the server's set of issuing CAs, the system just picks the first one.

If I try to provide my own KeyManager so I can override its chooseClientAlias method I get an error:

java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used

Is there any way around that?

Thanks!
Merlin
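The setup Merlin describes (NSS registered as the SunPKCS11 provider per the Oracle FIPS guide, the certificate imported with pk12util, then the usual KeyManagerFactory and SSLContext build) written out as an added example. This is not code from the thread or from NSS: the class name, the nss.cfg paths and the main() arguments are assumptions, and the provider name SunPKCS11-nss-fips is taken from the error message in the first post. The alias listing shows the entries SunJSSE chooses from, which is the first thing to look at when it keeps taking the first match.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Assumed provider setup (hypothetical paths). nss.cfg:
 *
 *   name = nss-fips
 *   nssLibraryDirectory = C:\nss\lib
 *   nssSecmodDirectory = C:\nss\fipsdb
 *   nssModule = fips
 *
 * and in java.security, per the Oracle FIPS guide linked above, the SunPKCS11
 * provider listed first and SunJSSE told to use it:
 *
 *   security.provider.1=sun.security.pkcs11.SunPKCS11 C:\nss\fipsdb\nss.cfg
 *   security.provider.N=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-nss-fips
 */
public final class NssClientAuth {

    // Provider name is "SunPKCS11-" followed by the "name" attribute of nss.cfg;
    // this value matches the error message quoted in the thread.
    private static final String NSS_PROVIDER = "SunPKCS11-nss-fips";

    /** Opens the NSS FIPS token as a PKCS11 keystore; pin is the token password. */
    public static KeyStore loadNssKeyStore(char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", NSS_PROVIDER);
        ks.load(null, pin);
        return ks;
    }

    /** Lists entries that have a private key: these are the client-auth candidates. */
    public static List<String> clientCandidates(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                out.add(alias + ": " + cert.getSubjectX500Principal()
                        + " (issuer " + cert.getIssuerX500Principal() + ")");
            }
        }
        return out;
    }

    /** Builds an SSLContext whose key and trust material both come from the NSS database. */
    public static SSLContext buildContext(KeyStore ks, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pin);
        // Trust anchors are read from the same NSS database, so every keystore
        // handed to SunJSSE comes from the FIPS provider.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // TLSv1.2 rather than the TLS 1.1 mentioned in the post; 1.1 is deprecated.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Performs a client-authenticated handshake and returns the server's certificate subject. */
    public static String handshake(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            return s.getSession().getPeerPrincipal().getName();
        }
    }

    // Usage: java NssClientAuth <host> <port>  (hypothetical invocation)
    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("NSS FIPS token password: ");
        KeyStore ks = loadNssKeyStore(pin);
        clientCandidates(ks).forEach(System.out::println);
        System.out.println("server: " + handshake(buildContext(ks, pin), args[0], Integer.parseInt(args[1])));
    }
}
```

With "SunX509" the aliases SunJSSE reports are the plain keystore aliases, so the listing printed by clientCandidates is exactly the set chooseClientAlias scans; if more than one entry chains to an issuer the server names, the first one in that order is the one sent.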

helpcrypto helpcrypto

Oct 8, 2015, 6:49:06 AM
to mozilla's crypto code discussion list, mozilla-dev...@lists.mozilla.org
On Wed, Oct 7, 2015 at 7:45 PM, <merlin.w...@gmail.com> wrote:

> Maybe my googling skills are weak, but I found no information on how to
> get NSS to use keys from the Windows keystore. In the end, I decided it's
> probably a violation of the NSS paradigm anyway. It seems the intent is to
> use the NSS database as the sole repository of certs and keys. Especially
> in FIPS mode.
>

I didn't understand that was what you were trying to do. AFAIK it doesn't
make any sense.
NSS is a Keystore by "itself", and it's used with the PKCS#11 API.
You could check the OpenSC minidriver experimental component, i.e. a PKCS#11
wrapper for MSCAPI.



> If that's not correct, I would love to know how to do that. Anyone?
>
> So, once I used pk12util to import a p12 into NSS I was able to get 2-way
> SSL, or client-authenticated SSL, to work using the javax.net.ssl classes.
> That is, configure the NSS provider as described in the Java 8 docs
> referenced above then build an SSLContext and so on, as usual.
>
> Now my problem is how to choose among multiple certs. If there's more than
> one cert that matches the server's set of issuing CAs, the system just
> picks the first one.
>
> If I try to provide my own KeyManager so I can override its
> chooseClientAlias method I get an error:
>
> java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers
> may be used
>
> Is there any way around that?
>

If I understand properly what you are trying to do, the server is
requesting Client SSL Auth.
Browsers usually display a "select a certificate" window to do it, so
you'll need to do the same (a dialog to choose the cert, or programmatically
choose one).



> Thanks!

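A programmatic chooser of the kind helpcrypto suggests, as an added example that is not code from the thread: an X509ExtendedKeyManager that wraps the SunX509 manager and presents a configured alias whenever the server's issuer list and key types accept it, falling back to the wrapped manager's own pick otherwise. The class and method names are assumptions. As Merlin reports, SunJSSE in FIPS mode rejects any non-SunJSSE KeyManager at SSLContext.init with "only SunJSSE KeyManagers may be used", so this wrapper is usable outside FIPS mode (for instance with the SunMSCAPI keystore from the first post); the selection logic itself does not depend on which keystore is behind it.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical wrapper: forces a preferred client alias when the wrapped
 * manager lists it as acceptable for the server's CertificateRequest.
 */
public final class PreferredAliasKeyManager extends X509ExtendedKeyManager {

    private final X509KeyManager delegate;
    private final String preferredAlias;

    public PreferredAliasKeyManager(X509KeyManager delegate, String preferredAlias) {
        this.delegate = Objects.requireNonNull(delegate);
        this.preferredAlias = Objects.requireNonNull(preferredAlias);
    }

    /** Selection rule: the preferred alias if the server would accept it, else the delegate's choice. */
    String select(String[] keyTypes, Principal[] issuers, String fallback) {
        for (String keyType : keyTypes) {
            String[] acceptable = delegate.getClientAliases(keyType, issuers);
            if (acceptable != null && Arrays.asList(acceptable).contains(preferredAlias)) {
                return preferredAlias;
            }
        }
        return fallback;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return select(keyTypes, issuers, delegate.chooseClientAlias(keyTypes, issuers, socket));
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String fallback = delegate instanceof X509ExtendedKeyManager
                ? ((X509ExtendedKeyManager) delegate).chooseEngineClientAlias(keyTypes, issuers, engine)
                : delegate.chooseClientAlias(keyTypes, issuers, null);
        return select(keyTypes, issuers, fallback);
    }

    // Everything else is passed straight through to the wrapped manager.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext that presents `alias` whenever the server accepts it. */
    public static SSLContext contextFor(KeyStore ks, char[] pin, String alias) throws Exception {
        // "SunX509" reports plain keystore aliases, so `alias` can be compared directly.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pin);
        KeyManager[] wrapped = Arrays.stream(kmf.getKeyManagers())
                .map(km -> km instanceof X509KeyManager ? new PreferredAliasKeyManager((X509KeyManager) km, alias) : km)
                .toArray(KeyManager[]::new);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // Under SunJSSE FIPS mode this call throws KeyManagementException
        // ("only SunJSSE KeyManagers may be used"), as reported in the thread.
        ctx.init(wrapped, null, null);
        return ctx;
    }
}
```

Checking the preferred alias against getClientAliases rather than returning it unconditionally matters: an alias whose chain does not lead to one of the server's named CAs would be rejected by the server anyway, so the wrapper only overrides the default when the override can succeed, and otherwise behaves exactly like the stock manager.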
merlin.w...@gmail.com

Oct 9, 2015, 6:16:31 AM
to mozilla-dev...@lists.mozilla.org
I was planning to look at OpenSC for my smart card requirement next. As you say, maybe it'll provide the NSS to Windows bridge I was looking for. But I agree that it probably doesn't make sense.

As for the cert selection issue, I suspect it may be in the Java implementation of FIPS mode. Maybe not everything in X509KeyManager should be allowed in FIPS mode, but I should still be able to choose my aliases. I think I'll submit a bug and see what they say.

Thanks for the advice -
Merlin