Bug 62863 - PKCS11 keystores are unusable for TLS
Summary: PKCS11 keystores are unusable for TLS
Status: RESOLVED FIXED
Alias: None
Product: JMeter
Classification: Unclassified
Component: HTTP
Version: 4.0
Hardware: All All
Importance: P2 enhancement with 1 vote
Target Milestone: JMETER_5.2
Assignee: JMeter issues mailing list
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2018-10-29 16:21 UTC by clifford.harms
Modified: 2019-04-24 17:00 UTC



Attachments
jmeter pkcs11 patch (9.64 KB, patch)
2018-10-29 17:43 UTC, clifford.harms

Description clifford.harms 2018-10-29 16:21:45 UTC
PKCS11 keystores cannot be used to conduct TLS due to the assumption that keystores will always be file based.  I intend to submit a PR, which will take some time, unless a patch as produced by "git diff" is acceptable (I don't use Eclipse).
Comment 1 Felix Schumacher 2018-10-29 16:36:43 UTC
git diff is fine.
Comment 2 clifford.harms 2018-10-29 17:43:06 UTC
Created attachment 36221 [details]
jmeter pkcs11 patch

The attached patch successfully passes tests with the exception of some tests that were failing before the patch was applied in my environment (unable to resolve jmeter.org etc.).  Patch also passes checkstyle as required in submission guidelines.

What the patch does:
- Removes the assumption of a file based keystore
- Adds password masking for the SSLManager password prompt. I included this because it is likely that if the use of a PKCS11 crypto module is required to load test/test, a plain-text password prompt is likely to be unacceptable.

The use of PKCS11 requires configuring the JVM running jmeter as described in https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html

The patch was tested against a PKCS11 configured JVM on Red Hat Enterprise Linux 7 using the libcoolkey pkcs11 smart card driver in conjunction with a smart card.

Note that the PKCS11 module password/pin must be configured via JSSE system properties if running in non-gui mode.  It should be possible to implement a command line prompt when running outside of the GUI mode, but I haven't had time to explore this yet.
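The following is an added example, not code from JMeter or from the attached patch. It shows the distinction the report is about: a file-backed store (JKS/PKCS12) is loaded from a stream, while a PKCS11 token has no file and must be loaded with a null stream and the token PIN, after which the usual KeyManagerFactory/SSLContext path works unchanged. It assumes the SunPKCS11 provider is already registered in java.security as the p11guide describes, and takes the PIN from the standard JSSE property (the non-GUI route mentioned above), falling back to a masked console prompt. The class name, config file path and the libcoolkey library path are illustrative assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/**
 * Added example, not JMeter code.
 *
 * Assumptions (not from the bug report): the SunPKCS11 provider is registered
 * statically in java.security per the p11guide with a config such as
 *     name = coolkey
 *     library = /usr/lib64/libcoolkeypk11.so
 * and for non-GUI runs the PIN is supplied through the standard JSSE properties:
 *     -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStore=NONE
 *     -Djavax.net.ssl.keyStorePassword=<PIN>
 */
public final class Pkcs11KeyStoreExample {

    /**
     * Load a keystore of the given type. A PKCS11 store has no file behind it,
     * so it is loaded with a null stream and the token PIN; JKS/PKCS12 stores
     * are read from 'path'. Treating every store as a file is exactly the
     * assumption that made PKCS11 unusable.
     */
    static KeyStore loadKeyStore(String type, String path, char[] secret) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS11".equalsIgnoreCase(type)) {
            ks.load(null, secret);          // provider logs in to the token with the PIN
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, secret);
            }
        }
        return ks;
    }

    /** Aliases usable for TLS client auth, i.e. entries that carry a private key. */
    static List<String> clientKeyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                out.add(alias);
            }
        }
        return out;
    }

    /** SSLContext whose key manager presents the store's client certificate(s). */
    static SSLContext sslContextFor(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);          // for PKCS11 the "key password" is again the PIN
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /**
     * PIN from the JSSE property if set; otherwise a masked console prompt
     * (Console.readPassword does not echo). Returns null when neither is
     * available, e.g. when stdin is not a terminal.
     */
    static char[] obtainPin() {
        String fromProperty = System.getProperty("javax.net.ssl.keyStorePassword");
        if (fromProperty != null) {
            return fromProperty.toCharArray();
        }
        Console console = System.console();
        return console == null ? null : console.readPassword("PKCS11 token PIN: ");
    }

    public static void main(String[] args) throws Exception {
        String type = System.getProperty("javax.net.ssl.keyStoreType", "PKCS11");
        String path = System.getProperty("javax.net.ssl.keyStore", "NONE"); // ignored for PKCS11
        char[] pin = obtainPin();
        if (pin == null) {
            System.err.println("no PIN: set -Djavax.net.ssl.keyStorePassword or run on a terminal");
            System.exit(1);
        }
        try {
            KeyStore ks = loadKeyStore(type, path, pin);
            List<String> aliases = clientKeyAliases(ks);
            System.out.println("client key aliases on the token: " + aliases);
            SSLContext ctx = sslContextFor(ks, pin);
            System.out.println("SSLContext ready (" + ctx.getProtocol() + "), "
                    + aliases.size() + " candidate alias(es)");
        } finally {
            Arrays.fill(pin, '\0');         // do not keep the PIN in memory longer than needed
        }
    }
}
```

Two practical notes. Run it with the three `-Djavax.net.ssl.*` properties above and `-Djava.security.debug=pkcs11keystore` to see which token objects the provider maps to aliases. The default SunX509 key manager chooses among several private-key aliases by key type and issuer, not by name, so pinning one alias when a token holds several certificates needs a wrapping X509ExtendedKeyManager (or a KeyStore.Builder) rather than anything in this block.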
Comment 3 Felix Schumacher 2019-03-24 13:16:26 UTC
Thanks for the patch and sorry for the long delay. A variant on your patch has been submitted to trunk. It would be awesome if you could test it and close the bug if it works.

Will be included in 5.2 (if nothing speaks against it).

Date: Sun Mar 24 13:13:40 2019
New Revision: 1856146

URL: http://svn.apache.org/viewvc?rev=1856146&view=rev
Log:
Enable PKCS11 keystores for usage with KeyStore Manager

Based on a patch by Clifford Harms (clifford.harms at gmail.com).
Bugzilla Id: 62863

Modified:
    jmeter/trunk/src/core/org/apache/jmeter/util/SSLManager.java
    jmeter/trunk/src/core/org/apache/jmeter/util/keystore/JmeterKeyStore.java
    jmeter/trunk/xdocs/changes.xml
    jmeter/trunk/xdocs/usermanual/component_reference.xml
Comment 4 clifford.harms 2019-03-27 17:32:52 UTC
Did some testing on Linux configured with pcscd and a card reader with a hardware token, the patch appears to work fine.  There is no prompt to select a specific cert if multiple certificate aliases are in a PKCS11 store (first cert encountered is used?), but this does not hamper my use case.
Comment 5 Felix Schumacher 2019-04-24 17:00:38 UTC
Thanks for confirming that it passes your tests.