Java and Certmonger Continued

Now that I know that I can do things like read the keys from a programmatically registered provider and properly set up SELinux to deal with it, I want to see if I can make this work for a pre-compiled application, using only environment variables.

I've modified the test code to just try to load a provider.

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

public class ReadNSSProps{
    public static char[] password = new char[0];
    public static void main(String[] args) throws Exception{
        // Look up the PKCS11 provider registered through java.security
        // (name = NSScrypto in pkcs11.cfg gives SunPKCS11-NSScrypto)
        Provider p = Security.getProvider("SunPKCS11-NSScrypto");
        if (p == null) {
            throw new IllegalStateException("Provider SunPKCS11-NSScrypto is not registered");
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", p); // p is the provider looked up above
        ks.load(null, password); // empty PIN: the NSS DB has no password set
        // List every alias the NSS keystore exposes
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();){
            System.out.println("alias: " + aliases.nextElement());
        }
        KeyStore.ProtectionParameter protParam =
            new KeyStore.PasswordProtection(password);
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
            ks.getEntry("RHSSO", protParam);
        PrivateKey pkey = pkEntry.getPrivateKey();
        System.out.println(pkey);
    }
}

The pkcs11.cfg file is still pretty much the same:

# cat pkcs11.cfg 
name = NSScrypto
nssModule = keystore
nssDbMode = readOnly
nssLibraryDirectory = /lib64/
nssSecmodDirectory = /etc/opt/rh/rh-sso7/keycloak/standalone/keystore

Call the code like this:

java$PWD/  ReadNSSProps

And… lots of output, including a dump of the private key.
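As an added example (not code from the original post), here is a variant of the program that uses the key inside NSS instead of dumping it: it lists the token's aliases with their certificate subjects, then signs and verifies a message through the SunPKCS11 provider, so the private key never has to leave the NSS database. It assumes the same provider name and empty PIN as above and an RSA key under the RHSSO alias; the class name SignWithNSSKey and the sample message are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class SignWithNSSKey {
    // NSS keystore opened with an empty PIN, as in ReadNSSProps
    static final char[] PIN = new char[0];

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "RHSSO"; // alias from the original post
        Provider p = Security.getProvider("SunPKCS11-NSScrypto");
        if (p == null) {
            // Nothing registered: the java.security entry or the pkcs11.cfg path is wrong
            System.err.println("SunPKCS11-NSScrypto not registered; providers present:");
            for (Provider q : Security.getProviders()) System.err.println("  " + q.getName());
            System.exit(1);
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, PIN);

        // Show what the token holds (alias, entry type, certificate subject), never key material
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            Certificate c = ks.getCertificate(a);
            String subj = (c instanceof X509Certificate)
                ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(no cert)";
            System.out.println(a + (ks.isKeyEntry(a) ? " [key] " : " [cert] ") + subj);
        }

        // Use the key in place: the signature is computed by NSS via the PKCS11 provider
        PrivateKey key = (PrivateKey) ks.getKey(alias, PIN);
        Certificate cert = ks.getCertificate(alias);
        byte[] msg = "certmonger-managed key test".getBytes(StandardCharsets.UTF_8); // constructed
        Signature signer = Signature.getInstance("SHA256withRSA", p); // assumes an RSA key
        signer.initSign(key);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verification needs only the public half, taken from the certificate
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

Run it the same way as ReadNSSProps, with the provider registered through the same java.security settings; a false result or a missing alias points at the pkcs11.cfg paths or at SELinux denying the JVM access to the NSS database.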

Thanks to these two articles for pointing the way.

Next up is trying to use these to provide the keystore for HTTPS.
