Java and Certmonger Continued

Now that I know I can do things like read the keys from a programmatically registered provider and set up SELinux properly to deal with it, I want to see if I can make this work for a pre-compiled application, using only environment variables.

I've modified the test code to just try to load a provider.

import java.util.Enumeration;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;

// No direct reference to sun.security.pkcs11.SunPKCS11 is needed here: the provider
// is registered from the java.security.properties file passed on the command line.
public class ReadNSSProps {

    // The NSS database is opened with an empty password
    public static char[] password = new char[0];

    public static void main(String[] args) throws Exception {

        // List every registered provider so the SunPKCS11 one can be spotted
        for (Provider p : Security.getProviders()) {
            System.out.println(p);
        }

        // The provider name is "SunPKCS11-" followed by the "name" value in pkcs11.cfg
        Provider p = Security.getProvider("SunPKCS11-NSScrypto");
        if (p == null) {
            throw new IllegalStateException("SunPKCS11-NSScrypto is not registered; check java.security.properties");
        }
        System.out.println(p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p); // p is the provider looked up above
        ks.load(null, password);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            System.out.println(aliases.nextElement());
        }

        KeyStore.ProtectionParameter protParam =
            new KeyStore.PasswordProtection(password);

        // getEntry returns null for an unknown alias, so check before casting
        KeyStore.Entry entry = ks.getEntry("RHSSO", protParam);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalStateException("No private key entry with alias RHSSO in the NSS database");
        }
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) entry;

        System.out.println(pkEntry);
        PrivateKey pkey = pkEntry.getPrivateKey();
        System.out.println(pkey);
    }
}

The pkcs11.cfg file is still pretty much the same:

# cat pkcs11.cfg
name = NSScrypto
nssModule = keystore
nssDbMode = readOnly
nssLibraryDirectory = /lib64/
nssSecmodDirectory = /etc/opt/rh/rh-sso7/keycloak/standalone/keystore

Call the code like this:

java  -Djava.security.properties=$PWD/java.security.properties  ReadNSSProps

And... lots of output, including a dump of the private key.
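As an added example (not code from the original post), here is the same lookup with the key exercised by a sign-and-verify round trip through the PKCS#11 provider instead of being printed. It assumes the provider registration line shown in the comment, an RSA key under the alias RHSSO, and that alias's certificate stored alongside it in the NSS database.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;

// Assumed registration, passed with -Djava.security.properties=<file>:
//   Java 8:  security.provider.10=sun.security.pkcs11.SunPKCS11 /path/to/pkcs11.cfg
//   Java 9+: security.provider.10=SunPKCS11 /path/to/pkcs11.cfg
// The slot number 10 is an assumption; pick one that is free in java.security.
public class CheckNSSKey {

    // Provider name is "SunPKCS11-" + the "name" value from pkcs11.cfg
    static final String PROVIDER = "SunPKCS11-NSScrypto";
    static final String ALIAS = "RHSSO";   // assumed to be an RSA key with its cert
    static final char[] PASSWORD = new char[0];

    public static void main(String[] args) throws Exception {
        Provider p = Security.getProvider(PROVIDER);
        if (p == null) {
            System.err.println(PROVIDER + " not registered; check java.security.properties");
            System.exit(1);
        }

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, PASSWORD);
        if (!ks.isKeyEntry(ALIAS) || ks.getCertificate(ALIAS) == null) {
            System.err.println("no key entry with certificate named " + ALIAS + " in the NSS database");
            System.exit(2);
        }

        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
        Certificate cert = ks.getCertificate(ALIAS);

        // Sign a constructed message with the token key (the signing happens inside NSS)
        byte[] msg = "certmonger key check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", p);
        signer.initSign(key);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verify with the public key from the certificate using any default provider
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);

        // Only the outcome is printed; no key material reaches stdout or the logs
        System.out.println(verifier.verify(sig) ? "key usable: signature verified" : "signature did not verify");
    }
}
```

Run it with the same -Djava.security.properties flag as ReadNSSProps; a non-zero exit code distinguishes a missing provider from a missing alias.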

Thanks to these two articles for pointing the way.

Next up is trying to use these to provide the keystore for HTTPS.
