SSL Client Authentication in Java using macOS Keychainstore

Hi All,


I have a Java based application trying to do SSL client authentication.

My organization has supplied the SSO certificates with the key marked as non-exportable.

I load the certificates using the macOS implementation of the Java Keystore API called "KeychainStore". http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#Apple

Then Java tries to export the key material in the JVM and tries to authenticate with the peer. But this step is failing since the key is marked non-exportable.

Can anything be done here? Is there any workaround?


Best Regards,
Saurav

Then Java tries to export the key material in the JVM and tries to authenticate with the peer. But this step is failing since the key is marked non-exportable.

Right. The only option here is to do the crypto operations using Apple APIs, which work regardless of whether the key is exportable or not. If you use Apple’s built-in TLS (Secure Transport, or anything layered on top of it), this happens by default. I don’t know enough about Java to say whether there’s a way to convince it to use the system’s TLS.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Thanks for the reply.

So I conclude that it will be possible through Apple APIs... Java may not be the option.

Are you also aware of how browsers achieve this?


Best Regards,
Saurav

So I conclude that it will be possible through Apple APIs... Java may not be the option.

I would expect that Java’s networking stack is flexible enough for you to either:

  • Replace its TLS with code that calls Secure Transport

  • Replace its public key crypto with code that calls the Security framework

However, I don’t know enough about Java to help you with that.

Are you also aware of how browsers achieve this?

Safari uses NSURLSession, which uses Secure Transport for TLS. Non-Apple browsers either use Secure Transport (directly or indirectly) or plug Apple’s public key crypto into the bottom of their TLS stack.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
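Before deciding between the two routes Quinn lists, it helps to know which keychain identities Java can actually use. The probe below is an added example, not code from the thread or from Apple: it opens the keychain through the Apple provider's KeychainStore (the type and provider name from the linked SunProviders page) and reports, per identity, whether the private key material is reachable from the JVM. It assumes the login keychain is already unlocked, that KeychainStore ignores the per-entry password, and it uses a null `getEncoded()` as the heuristic for a non-exportable key.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Lists keychain identities and whether Java can read their private key. */
public class KeychainIdentityProbe {

    public static void main(String[] args) throws Exception {
        // Type "KeychainStore" from provider "Apple" (see SunProviders page).
        // load(null, null) opens the user's login keychain; assumption: it is
        // already unlocked by the OS, so no password is needed here.
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trust-only entries cannot serve as a client identity
            }
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "<non-X.509 certificate>";
            System.out.println(alias + " -> " + subject);
            try {
                // Assumption: KeychainStore ignores the per-entry password.
                Key key = ks.getKey(alias, null);
                if (key instanceof PrivateKey && key.getEncoded() != null) {
                    System.out.println("  private key material readable by the JVM");
                } else {
                    // Heuristic: no encoded form means the key stays in the
                    // keychain; Java's own TLS stack cannot sign with it.
                    System.out.println("  private key present but not exportable");
                }
            } catch (Exception e) {
                System.out.println("  private key not accessible: " + e);
            }
        }
    }
}
```

Identities reported as not exportable are the ones that need Secure Transport or a Security framework backed signer rather than the JVM's default key manager.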