Now that I know that I can do things like read the Keys from a Programmatic registered provider and properly set up SELinux to deal with it, I want to see if I can make this work for a pre-compiled application, using only environment variables.
I’ve modified the test code to just try and load a provider.
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

public class ReadNSSProps {
    // The NSS databases in this setup have an empty password
    public static char[] password = new char[0];

    public static void main(String[] args) throws Exception {
        // List every provider the JVM knows about; the SunPKCS11 one should
        // show up here if java.security.properties registered it.
        for (Provider p : Security.getProviders()) {
            System.out.println(p);
        }
        // Look up the provider by name: "SunPKCS11-" followed by the name= value in pkcs11.cfg
        Provider p = Security.getProvider("SunPKCS11-NSScrypto");
        System.out.println(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p); // p is the provider found above
        ks.load(null, password);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            System.out.println(aliases.nextElement());
        }
        KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(password);
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("RHSSO", protParam);
        System.out.println(pkEntry);
        PrivateKey pkey = pkEntry.getPrivateKey();
        System.out.println(pkey);
    }
}
The pkcs11.cfg file still is pretty much the same:
# cat pkcs11.cfg
name = NSScrypto
nssModule = keystore
nssDbMode = readOnly
nssLibraryDirectory = /lib64/
nssSecmodDirectory = /etc/opt/rh/rh-sso7/keycloak/standalone/keystore
Call the code like this, pointing the JVM at the java.security.properties file that registers the provider:

java -Djava.security.properties=$PWD/java.security.properties ReadNSSProps
And… lots of output, including a dump of the private key. That last line confirms the key is reachable through the provider, but it also means the key material is being written to stdout, which is fine for a scratch test and nothing else.
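As an added example (not code from the post), here is a check-style variant of the same test that I would hand to someone wiring this into a pre-compiled application: it verifies that the provider was picked up from java.security.properties, that the expected alias is present, and reports whether the private key is extractable, without ever printing key bytes. The provider name "SunPKCS11-NSScrypto" and alias "RHSSO" default to the values used above and can be overridden on the command line; everything else is standard JCA and needs no vendor imports.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * Verify that a SunPKCS11 provider registered purely via
 * -Djava.security.properties=... is usable, without dumping key material.
 *
 * Usage: java -Djava.security.properties=$PWD/java.security.properties \
 *             CheckNSSProvider [providerName] [alias]
 * Exit code 0 means provider + alias are reachable; non-zero otherwise.
 */
public class CheckNSSProvider {
    // Defaults match the post: name = NSScrypto in pkcs11.cfg, key alias RHSSO
    static final String DEFAULT_PROVIDER = "SunPKCS11-NSScrypto";
    static final String DEFAULT_ALIAS = "RHSSO";
    // NSS databases in this setup are not password protected
    static final char[] EMPTY_PASSWORD = new char[0];

    public static void main(String[] args) throws Exception {
        String providerName = args.length > 0 ? args[0] : DEFAULT_PROVIDER;
        String alias = args.length > 1 ? args[1] : DEFAULT_ALIAS;

        Provider p = Security.getProvider(providerName);
        if (p == null) {
            // Most common failure: the properties file was not read, or the
            // security.provider.N line in it points at the wrong pkcs11.cfg.
            System.err.println("Provider " + providerName + " is not registered. Installed providers:");
            for (Provider q : Security.getProviders()) {
                System.err.println("  " + q);
            }
            System.exit(1);
        }
        System.out.println("Found provider: " + p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, EMPTY_PASSWORD);

        if (!ks.containsAlias(alias)) {
            System.err.println("Alias " + alias + " not found. Aliases present:");
            for (java.util.Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                System.err.println("  " + e.nextElement());
            }
            System.exit(2);
        }
        if (!ks.isKeyEntry(alias)) {
            System.err.println("Alias " + alias + " is a certificate entry, not a key entry");
            System.exit(3);
        }

        // Report metadata only. getEncoded() returning null is what a
        // non-extractable PKCS#11 key looks like from the JCA side.
        Key key = ks.getKey(alias, EMPTY_PASSWORD);
        byte[] encoded = key.getEncoded();
        System.out.println("Key algorithm : " + key.getAlgorithm());
        System.out.println("Key class     : " + key.getClass().getName());
        System.out.println("Extractable   : " + (encoded == null ? "no" : "yes (" + encoded.length + " bytes, not shown)"));

        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println("Cert subject  : " + x.getSubjectX500Principal());
            System.out.println("Cert expires  : " + x.getNotAfter());
        }
    }
}
```

Running it with the same -D flag as ReadNSSProps gives a pass/fail answer that can go into a startup script or a health check, and the "Extractable" line tells you whether the token is actually protecting the key or merely storing it.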
Thanks to these two articles for pointing the way.
Next up is trying to use these to provide the keystore for HTTPS.