mTLS with HSM in RestClient #48184
-
|
As discussed in #39749 setting a custom SSLContext is not supported. The only option to perform mTLS with the Quarkus RestClient seems to be to have soft keys available in a file-based keystore. I have a number of use-cases, where that is not a viable solution unfortunately because either the keys reside in some kind of HSM (e.g. via PKCS#11 or a proprietary JCE Provider) or some form of Key Management System that also does not expose private keys in plaintext. Is there any way to use the Quarkus RestClient within these requirements? Since both KeyStore lookups as well as private-key-operations (esp. sign) perform some form of IO, is there even a chance this will be supported some day? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
|
Perhaps the I don''t know if it can work, but with enabling a specific SunPKCS11 configuration (https://quarkus.io/guides/security-customization#sun-pkcs11), and, I guess, setting a keystore provider type to May be worth creating a branch and experimenting against one of the HSMs that must be supported |
Beta Was this translation helpful? Give feedback.
-
|
@MaxFichtelmann Np, I think if you configure it as documented, it should do as far as the Give it a try please and let us know how it goes |
Beta Was this translation helpful? Give feedback.
-
|
So the good news is that i have managed to use a custom KeyStoreSpi by supplying it through a custom KeyStoreProvider onto a named TlsRegistry configuration. Unfortunately the TLS Handshake seems to be performed in the vert.x Event thread without context information. This results in multiple issues - i cannot access state that is stored in request-scoped beans. And I must perform blocking IO which may well take a couple hundred hundreds in normal cases and several seconds or even minutes in error cases. Any ideas? |
Beta Was this translation helpful? Give feedback.
-
Sounds good. If you can share more details, may be we can doc for other users to learn ?
Is it an orthogonal issue ? Or do you think it is related to using the custom KeyStoreSpi ? CC @cescoffier |
Beta Was this translation helpful? Give feedback.
-
|
Yes, the TLS handshake occurs on the event loop (it's handled by Netty). |
Beta Was this translation helpful? Give feedback.
-
|
I will create a MVCE to demonstrate this a bit. At this moment I could solve my issues by using HTTPUrlConnection, but i would prefer to use the rest-client of course. |
Beta Was this translation helpful? Give feedback.
Perhaps the
providerproperty for a given keystore type such as https://quarkus.io/guides/tls-registry-reference#quarkus-tls-registry_quarkus-tls-key-store-p12-provider should help to get keys fetched from the external key storage but using the KeyStore API.I don''t know if it can work, but with enabling a specific SunPKCS11 configuration (https://quarkus.io/guides/security-customization#sun-pkcs11), and, I guess, setting a keystore provider type to
SunPKCS11, it might work. But, REST Client may have to be enhanced to be able to load from anullkeystore, for example, if the key store location is set to anullstring.May be worth creating a branch and experimenting against one of the HS…