Now that I know that I can read the keys from a programmatically registered provider and properly set up SELinux to deal with it, I want to see if I can make this work for a pre-compiled application, using only environment variables and system properties (no code changes).
I've modified the test code to just try to load a provider by name:
```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

public class ReadNSSProps {
    // The NSS database is opened without a PIN, hence an empty password.
    public static char[] password = new char[0];

    public static void main(String[] args) throws Exception {
        // List every provider the JVM knows about; the one registered via
        // java.security.properties should show up here without any code doing it.
        for (Provider p : Security.getProviders()) {
            System.out.println(p);
        }

        // The provider name is "SunPKCS11-" followed by the "name" value in pkcs11.cfg.
        Provider p = Security.getProvider("SunPKCS11-NSScrypto");
        System.out.println(p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p); // p is the provider looked up above
        ks.load(null, password);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            System.out.println(aliases.nextElement());
        }

        KeyStore.ProtectionParameter protParam =
                new KeyStore.PasswordProtection(password);
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
                ks.getEntry("RHSSO", protParam);
        System.out.println(pkEntry);
        PrivateKey pkey = pkEntry.getPrivateKey();
        System.out.println(pkey);
    }
}
```
The pkcs11.cfg file is still pretty much the same:
```
# cat pkcs11.cfg
name = NSScrypto
nssModule = keystore
nssDbMode = readOnly
nssLibraryDirectory = /lib64/
nssSecmodDirectory = /etc/opt/rh/rh-sso7/keycloak/standalone/keystore
```
Call the code like this, pointing the JVM at an override properties file that registers the provider:
```
java -Djava.security.properties=$PWD/java.security.properties ReadNSSProps
```
And... lots of output, including a dump of the private key.
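The post does not show the java.security.properties file that the -D flag points at, so here is an added example of what it needs to contain to register the provider with the name the code looks up; the slot number and the path to pkcs11.cfg are assumptions, and the Java 8 syntax is assumed because of the rh-sso7 paths above.

```properties
# java.security.properties (added example; not from the original post)
#
# When passed via -Djava.security.properties=<file>, this file is merged over
# the JRE's master java.security file. An unused security.provider.N slot
# appends a provider; reusing a slot number that the master file already
# defines would replace that provider instead, so check the master file first.
# Slot 10 assumes the master file uses slots 1-9 (typical for Java 8).
#
# Java 8 form: fully qualified class name, a space, then the path to the
# PKCS#11 configuration file. /path/to/pkcs11.cfg is a placeholder.
security.provider.10=sun.security.pkcs11.SunPKCS11 /path/to/pkcs11.cfg
#
# The resulting provider name is "SunPKCS11-" plus the "name" value in
# pkcs11.cfg, i.e. SunPKCS11-NSScrypto, which is what the code above looks up.
#
# On Java 9 and later the short provider name is used instead of the class:
# security.provider.10=SunPKCS11 /path/to/pkcs11.cfg
```

If the provider does not appear in the first loop's output, the override file was not read or the slot collided with an existing one; nothing in the application code has to change either way.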
Thanks to these two articles for pointing the way.
Next up is trying to use these to provide the keystore for HTTPS.