On Wed, Oct 7, 2015 at 7:45 PM, <merlin.w.vinc...@gmail.com> wrote:
> Maybe my googling skills are weak, but I found no information on how to
> get NSS to use keys from the Windows keystore. In the end, I decided it's
> probably a violation of the NSS paradigm anyway. It seems the intent is to
> use the NSS database as the sole repository of certs and keys. Especially
> in FIPS mode.
>

I didn't understand that was what you were trying to do. AFAIK it doesn't make any sense. NSS is a keystore by "itself", and it's used with the PKCS#11 API. You could check the OpenSC minidriver experimental component, i.e. a PKCS#11 wrapper for MSCAPI.

> If that's not correct, I would love to know how to do that. Anyone?
>
> So, once I used pk12util to import a p12 into NSS I was able to get 2-way
> SSL, or client-authenticated SSL, to work using the javax.net.ssl classes.
> That is, configure the NSS provider as described in the Java 8 docs
> referenced above then build an SSLContext and so on, as usual.
>
> Now my problem is how to choose among multiple certs. If there's more than
> one cert that matches the server's set of issuing CAs, the system just
> picks the first one.
>
> If I try to provide my own KeyManager so I can override its
> chooseClientAlias method I get an error:
>
> java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers
> may be used
>
> Is there any way around that?
>

If I understand properly what you are trying to do, the server is requesting client SSL auth. Browsers usually display a "select a certificate" window to do it, so you'll need to do the same (a dialog to choose the cert, or programmatically choose one).

> Thanks!
> Merlin
>

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
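An added example, not from this thread, of the second option above: choosing the certificate programmatically while still letting SunJSSE build the KeyManager, which is the constraint the FIPS-mode error enforces. It assumes the SunPKCS11 provider is already configured for the NSS database as in the Java 8 docs Merlin refers to, and that the alias of the wanted entry and the token PIN are known; the class and method names are mine.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.net.ssl.*;

/** Client auth with one chosen NSS alias while keeping SunJSSE's own KeyManager (FIPS mode rejects custom ones). */
public class SingleAliasClientAuth {

    /** Read-only KeyStoreSpi view that exposes exactly one key entry of the backing PKCS#11 (NSS) KeyStore. */
    static final class OneAliasSpi extends KeyStoreSpi {
        private final String alias; private final Key key; private final Certificate[] chain; private final Date seen = new Date();
        OneAliasSpi(KeyStore nss, String alias, char[] pin) throws GeneralSecurityException {
            this.alias = alias;
            this.key = nss.getKey(alias, pin);            // a PKCS#11 handle: the private key never leaves NSS
            this.chain = nss.getCertificateChain(alias);
            if (key == null || chain == null) throw new KeyStoreException("no key entry for alias " + alias);
        }
        private boolean has(String a) { return alias.equals(a); }
        public Key engineGetKey(String a, char[] pw) { return has(a) ? key : null; }
        public Certificate[] engineGetCertificateChain(String a) { return has(a) ? chain.clone() : null; }
        public Certificate engineGetCertificate(String a) { return has(a) ? chain[0] : null; }
        public Date engineGetCreationDate(String a) { return has(a) ? seen : null; } // NSS does not report one
        public Enumeration<String> engineAliases() { return Collections.enumeration(Collections.singleton(alias)); }
        public boolean engineContainsAlias(String a) { return has(a); }
        public int engineSize() { return 1; }
        public boolean engineIsKeyEntry(String a) { return has(a); }
        public boolean engineIsCertificateEntry(String a) { return false; }
        public String engineGetCertificateAlias(Certificate c) { return chain[0].equals(c) ? alias : null; }
        public void engineLoad(InputStream in, char[] pw) { }           // nothing to load: the view is built in the constructor
        public void engineStore(OutputStream out, char[] pw) throws IOException { throw new IOException("read-only view"); }
        public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("read-only view"); }
        public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("read-only view"); }
        public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException { throw new KeyStoreException("read-only view"); }
        public void engineDeleteEntry(String a) throws KeyStoreException { throw new KeyStoreException("read-only view"); }
    }

    /** Builds an SSLContext whose client authentication always presents the given NSS alias (hypothetical helper). */
    public static SSLContext clientContext(String alias, char[] pin) throws GeneralSecurityException, IOException {
        KeyStore nss = KeyStore.getInstance("PKCS11");   // served by the SunPKCS11 provider configured for NSS
        nss.load(null, pin);
        // Wrap the one-entry view in a KeyStore (protected constructor, hence the anonymous subclass) and mark it loaded.
        KeyStore one = new KeyStore(new OneAliasSpi(nss, alias, pin), nss.getProvider(), nss.getType()) { };
        one.load(null, null);
        // SunJSSE's own KeyManager sees a single candidate, so its chooseClientAlias can only return this alias.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(one, pin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);        // null trust managers: the default trust store
        return ctx;
    }
}
```

Because the filtering happens in the KeyStore rather than in a KeyManager, the SSLContext still receives a SunJSSE KeyManager and the FIPS-mode check is satisfied; if the chosen entry does not match the server's issuer list, the handshake simply proceeds without a client certificate, as it would in the browser case.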