Merge pull request #83 from cconlon/wksMapping

Add fake mapping from JKS/PKCS12 KeyStore to WKS for FIPS Compliance

IDE/Android/app/src/main/java/com/example/wolfssl/MainActivity.java

@@ -80,7 +80,7 @@ public class MainActivity extends AppCompatActivity {
     public void testFindProvider(TextView tv)
             throws NoSuchProviderException, NoSuchAlgorithmException {
 
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         if (p == null) {

README_JCE.md

@@ -36,6 +36,40 @@ file for JCE provider customization:
 | --- | --- | --- | --- |
 | wolfjce.wks.iterationCount | 210,000 | Numeric | PBKDF2 iteration count (10,000 minimum) |
 | wolfjce.wks.maxCertChainLength | 100 | Integer | Max cert chain length |
+| wolfjce.mapJKStoWKS | UNSET | true | Register fake JKS KeyStore service mapped to WKS |
+| wolfjce.mapPKCS12toWKS | UNSET | true | Register fake PKCS12 KeyStore service mapped to WKS |
+
+**wolfjce.mapJKStoWKS** - this Security property should be used with caution.
+When enabled, this will register a "JKS" KeyStore type in wolfJCE, which means
+calling applications using `KeyStore.getInstance("JKS")` will get a KeyStore
+implementation from wolfJCE. BUT, this KeyStore type will actually be a
+WolfSSLKeyStore (WKS) type internally. Loading actual JKS files will fail.
+This can be helpful when FIPS compliance is required, but existing code gets
+a JKS KeyStore instance - and this assumes the caller has the flexibility to
+actually load a real WKS KeyStore file into this KeyStore object. If this
+property is being set at runtime programatically, the wolfJCE provider services
+will need to be refreshed / reloaded, by doing:
+
+```
+WolfCryptProvider prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+prov.refreshServices();
+```
+
+**wolfjce.mapPKCS12toWKS** - this Security property should be used with caution.
+When enabled, this will register a "PKCS12" KeyStore type in wolfJCE, which
+means calling applications using `KeyStore.getInstance("PKCS12")` will get a
+KeyStore implementation from wolfJCE. BUT, this KeyStore type will actually be a
+WolfSSLKeyStore (WKS) type internally. Loading actual PKCS12 files will fail.
+This can be helpful when FIPS compliance is required, but existing code gets
+a PKCS12 KeyStore instance - and this assumes the caller has the flexibility to
+actually load a real WKS KeyStore file into this KeyStore object. If this
+property is being set at runtime programatically, the wolfJCE provider services
+will need to be refreshed / reloaded, by doing:
+
+```
+WolfCryptProvider prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+prov.refreshServices();
+```
 
 #### System Property Support
 

examples/certs/update-jks-wks.sh

@@ -50,19 +50,19 @@ CERT_LOCATION=$1
 export LD_LIBRARY_PATH=../../lib:$LD_LIBRARY_PATH
 export DYLD_LIBRARY_PATH=../../lib:$DYLD_LIBRARY_PATH
 
-# ARGS: <keystore-name> <cert file> <alias> <password>
+# ARGS: <keystore-name> <keystore-type> <cert file> <alias> <password>
 add_cert() {
-    keytool -import -keystore "$1" -file "$CERT_LOCATION/$2" -alias "$3" -noprompt -trustcacerts -deststoretype JKS -storepass "$4" &> /dev/null
+    keytool -import -keystore "$1" -file "$CERT_LOCATION/$3" -alias "$4" -noprompt -trustcacerts -deststoretype "$2" -storepass "$5" &> /dev/null
     if [ $? -ne 0 ]; then
         printf "fail"
         exit 1
     fi
 }
 
-# ARGS: <keystore-name> <cert file> <key file> <alias> <password>
+# ARGS: <keystore-name> <keystore-type> <cert file> <key file> <alias> <password>
 add_cert_key() {
-    openssl pkcs12 -export -in "$CERT_LOCATION/$2" -inkey "$CERT_LOCATION/$3" -out tmp.p12 -passin pass:"$5" -passout pass:"$5" -name "$4" &> /dev/null
+    openssl pkcs12 -export -in "$CERT_LOCATION/$3" -inkey "$CERT_LOCATION/$4" -out tmp.p12 -passin pass:"$6" -passout pass:"$6" -name "$5" &> /dev/null
-    keytool -importkeystore -deststorepass "$5" -destkeystore "$1" -deststoretype JKS -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass "$5" -alias "$4" &> /dev/null
+    keytool -importkeystore -deststorepass "$6" -destkeystore "$1" -deststoretype "$2" -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass "$6" -alias "$5" &> /dev/null
     if [ $? -ne 0 ]; then
         printf "fail"
         exit 1
@@ -85,26 +85,32 @@ jks_to_wks() {
 # Client cert: both RSA 2048-bit and ECC
 printf "\tCreating client.jks ..."
 rm client.jks &> /dev/null
-add_cert_key "client.jks" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
+add_cert_key "client.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
-add_cert_key "client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "client.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating client.p12 ..."
+rm client.p12 &> /dev/null
+add_cert_key "client.p12" "PKCS12" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
+add_cert_key "client.p12" "PKCS12" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
 printf "done\n"
 
 # Client cert: RSA, 1024-bit only
 printf "\tCreating client-rsa-1024.jks ..."
 rm client-rsa-1024.jks &> /dev/null
-add_cert_key "client-rsa-1024.jks" "/1024/client-cert.pem" "/1024/client-key.pem" "client-rsa-1024" "wolfsslpassword"
+add_cert_key "client-rsa-1024.jks" "JKS" "/1024/client-cert.pem" "/1024/client-key.pem" "client-rsa-1024" "wolfsslpassword"
 printf "done\n"
 
 # Client cert: RSA 2048-bit only
 printf "\tCreating client-rsa.jks ..."
 rm client-rsa.jks &> /dev/null
-add_cert_key "client-rsa.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "client-rsa.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
 printf "done\n"
 
 # Client cert: ECC only
 printf "\tCreating client-ecc.jks ..."
 rm client-ecc.jks &> /dev/null
-add_cert_key "client-ecc.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "client-ecc.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
 printf "done\n"
 
 #################### SERVER KEYSTORES ####################
@@ -112,26 +118,26 @@ printf "done\n"
 # Server cert: both RSA 2048-bit and ECC
 printf "\tCreating server.jks ..."
 rm server.jks &> /dev/null
-add_cert_key "server.jks" "/server-cert.pem" "/server-key.pem" "server" "wolfsslpassword"
+add_cert_key "server.jks" "JKS" "/server-cert.pem" "/server-key.pem" "server" "wolfsslpassword"
-add_cert_key "server.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
+add_cert_key "server.jks" "JKS" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
 printf "done\n"
 
 # Server cert: RSA, 1024-bit only
 printf "\tCreating server-rsa-1024.jks ..."
 rm server-rsa-1024.jks &> /dev/null
-add_cert_key "server-rsa-1024.jks" "/1024/server-cert.pem" "/1024/server-key.pem" "server-1024" "wolfsslpassword"
+add_cert_key "server-rsa-1024.jks" "JKS" "/1024/server-cert.pem" "/1024/server-key.pem" "server-1024" "wolfsslpassword"
 printf "done\n"
 
 # Server cert: RSA, 2048-bit only
 printf "\tCreating server-rsa.jks ..."
 rm server-rsa.jks &> /dev/null
-add_cert_key "server-rsa.jks" "/server-cert.pem" "/server-key.pem" "server-rsa" "wolfsslpassword"
+add_cert_key "server-rsa.jks" "JKS" "/server-cert.pem" "/server-key.pem" "server-rsa" "wolfsslpassword"
 printf "done\n"
 
 # Server cert: ECC only
 printf "\tCreating server-ecc.jks ..."
 rm server-ecc.jks &> /dev/null
-add_cert_key "server-ecc.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
+add_cert_key "server-ecc.jks" "JKS" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
 printf "done\n"
 
 #################### CA CERT KEYSTORES ###################
@@ -139,12 +145,12 @@ printf "done\n"
 # Contains all CA certs (RSA and ECC), verifies both client and server certs
 printf "\tCreating cacerts.jks ..."
 rm cacerts.jks &> /dev/null
-add_cert_key "cacerts.jks" "/ca-cert.pem" "/ca-key.pem" "cacert" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "cacert" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/1024/ca-cert.pem" "/1024/ca-key.pem" "ca-1024" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/1024/ca-cert.pem" "/1024/ca-key.pem" "ca-1024" "wolfsslpassword"
 printf "done\n"
 
 # Contains CA certs used to verify client certs:
@@ -152,8 +158,8 @@ printf "done\n"
 # client-ecc-cert.pem verifies itself (self signed)
 printf "\tCreating ca-client.jks ..."
 rm ca-client.jks &> /dev/null
-add_cert_key "ca-client.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "ca-client.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
-add_cert_key "ca-client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "ca-client.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
 printf "done\n"
 
 # Contains CA certs used to verify server certs:
@@ -161,24 +167,22 @@ printf "done\n"
 # ca-ecc-cert.pem verifies server-ecc.pem
 printf "\tCreating ca-server.jks ..."
 rm ca-server.jks &> /dev/null
-add_cert_key "ca-server.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert_key "ca-server.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
-add_cert_key "ca-server.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+add_cert_key "ca-server.jks" "JKS" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
 printf "done\n"
 
 # Contains CA cert used to verify RSA 2048-bit server cert:
 # ca-cert.pem verifies server-cert.pem
 printf "\tCreating ca-server-rsa-2048.jks ..."
 rm ca-server-rsa-2048.jks &> /dev/null
-#add_cert_key "ca-server-rsa-2048.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert "ca-server-rsa-2048.jks" "JKS" "/ca-cert.pem" "ca-rsa" "wolfsslpassword"
-add_cert "ca-server-rsa-2048.jks" "/ca-cert.pem" "ca-rsa" "wolfsslpassword"
 printf "done\n"
 
 # Contains CA cert used to verify ECC P-256 server cert:
 # ca-ecc-cert.pem verifies server-ecc.pem
 printf "\tCreating ca-server-ecc-256.jks ..."
 rm ca-server-ecc-256.jks &> /dev/null
-#add_cert_key "ca-server-ecc-256.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+add_cert "ca-server-ecc-256.jks" "JKS" "/ca-ecc-cert.pem" "ca-ecc" "wolfsslpassword"
-add_cert "ca-server-ecc-256.jks" "/ca-ecc-cert.pem" "ca-ecc" "wolfsslpassword"
 printf "done\n"
 
 ################### CONVERT JKS TO WKS ###################

src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java

@@ -22,6 +22,7 @@
 package com.wolfssl.provider.jce;
 
 import java.security.Provider;
+import java.security.Security;
 import com.wolfssl.wolfcrypt.FeatureDetect;
 import com.wolfssl.wolfcrypt.Fips;
 
@@ -37,6 +38,27 @@ public final class WolfCryptProvider extends Provider {
      */
     public WolfCryptProvider() {
         super("wolfJCE", 1.7, "wolfCrypt JCE Provider");
+        registerServices();
+    }
+
+    /**
+     * Refresh the services provided by this JCE provider.
+     *
+     * This is required when one of the Security properties has been changed
+     * that affect the services offered by this provider. For example:
+     *     wolfjce.mapJKStoWKS
+     *     wolfjce.mapPKCS12toWKS
+     */
+    public void refreshServices() {
+        registerServices();
+    }
+
+    /**
+     * Register services provided by wolfJCE, called by class constructor.
+     */
+    private void registerServices() {
+        String mapJksToWks = null;
+        String mapPkcs12ToWks = null;
 
         /* MessageDigest */
         if (FeatureDetect.Md5Enabled()) {
@@ -222,6 +244,32 @@ public final class WolfCryptProvider extends Provider {
         put("KeyStore.WKS",
                 "com.wolfssl.provider.jce.WolfSSLKeyStore");
 
+        /* Fake mapping of JKS to WKS type. Use with caution! This is
+         * usually used when FIPS compliance is needed but code cannot be
+         * changed that creates a JKS KeyStore object type. Any files loaded
+         * into this fake JKS KeyStore MUST be of actual type WKS or failures
+         * will happen. Remove service first here in case of refresh. */
+        remove("KeyStore.JKS");
+        mapJksToWks = Security.getProperty("wolfjce.mapJKStoWKS");
+        if (mapJksToWks != null && !mapJksToWks.isEmpty() &&
+            mapJksToWks.equalsIgnoreCase("true")) {
+            put("KeyStore.JKS",
+                "com.wolfssl.provider.jce.WolfSSLKeyStore");
+        }
+
+        /* Fake mapping of PKCS12 to WKS type. Use with caution! This is
+         * usually used when FIPS compliance is needed but code cannot be
+         * changed that creates a JKS KeyStore object type. Any files loaded
+         * into this fake JKS KeyStore MUST be of actual type WKS or failures
+         * will happen. Remove service first here in case of refresh. */
+        remove("KeyStore.PKCS12");
+        mapPkcs12ToWks = Security.getProperty("wolfjce.mapPKCS12toWKS");
+        if (mapPkcs12ToWks != null && !mapPkcs12ToWks.isEmpty() &&
+            mapPkcs12ToWks.equalsIgnoreCase("true")) {
+            put("KeyStore.PKCS12",
+                "com.wolfssl.provider.jce.WolfSSLKeyStore");
+        }
+
         /* If using a FIPS version of wolfCrypt, allow private key to be
          * exported for use. Only applicable to FIPS 140-3 */
         if (Fips.enabled) {

src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyAgreementTest.java

@@ -140,7 +140,7 @@ public class WolfCryptKeyAgreementTest {
         System.out.println("JCE WolfCryptKeyAgreementTest Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptMacTest.java

@@ -92,7 +92,7 @@ public class WolfCryptMacTest {
         System.out.println("JCE WolfCryptMac Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestMd5Test.java

@@ -64,7 +64,7 @@ public class WolfCryptMessageDigestMd5Test {
         System.out.println("JCE WolfCryptMessageDigestMd5Test");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha256Test.java

@@ -64,7 +64,7 @@ public class WolfCryptMessageDigestSha256Test {
         System.out.println("JCE WolfCryptMessageDigestSha256 Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha384Test.java

@@ -64,7 +64,7 @@ public class WolfCryptMessageDigestSha384Test {
         System.out.println("JCE WolfCryptMessageDigestSha384 Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha512Test.java

@@ -64,7 +64,7 @@ public class WolfCryptMessageDigestSha512Test {
         System.out.println("JCE WolfCryptMessageDigestSha512 Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestShaTest.java

@@ -65,7 +65,7 @@ public class WolfCryptMessageDigestShaTest {
         System.out.println("JCE WolfCryptMessageDigestSha Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptSecretKeyFactoryTest.java

@@ -95,7 +95,7 @@ public class WolfCryptSecretKeyFactoryTest {
         /* Install wolfJCE provider at runtime. Not registering as top priority
          * provider so we can still likely get SunJCE or platform provider
          * when not specifying wolfJCE explicitly. */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider(provider);
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfCryptSignatureTest.java

@@ -93,7 +93,7 @@ public class WolfCryptSignatureTest {
         System.out.println("JCE WolfCryptSignature Class");
 
         /* install wolfJCE provider at runtime */
-        Security.addProvider(new WolfCryptProvider());
+        Security.insertProviderAt(new WolfCryptProvider(), 1);
 
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);

src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java

@@ -136,6 +136,12 @@ public class WolfSSLKeyStoreTest {
     private static Certificate[] eccServerChain = null; /* ECC chain */
     private static Certificate[] invalidChain = null;
 
+    /* Example .jks KeyStore file paths */
+    private static String clientJKS = null;          /* client.jks */
+
+    /* Examnple .p12 KeyStore file paths */
+    private static String clientP12 = null;          /* client.p12 */
+
     /* Example .wks KeyStore file paths */
     private static String clientWKS = null;          /* client.wks */
     private static String clientRsa1024WKS = null;   /* client-rsa-1024.wks */
@@ -381,6 +387,14 @@ public class WolfSSLKeyStoreTest {
         intEccInt2CertDer =
             certPre.concat("examples/certs/intermediate/ca-int2-ecc-cert.der");
 
+        /* Set paths to example JKS KeyStore files */
+        clientJKS =
+            certPre.concat("examples/certs/client.jks");
+
+        /* Set paths to example PKCS12 KeyStore files */
+        clientP12 =
+            certPre.concat("examples/certs/client.p12");
+
         /* Set paths to example WKS KeyStore files */
         clientWKS =
             certPre.concat("examples/certs/client.wks");
@@ -1426,6 +1440,139 @@ public class WolfSSLKeyStoreTest {
         assertEquals(1, store.size());
     }
 
+    //CHRIS
+    @Test
+    public void testLoadWKSasJKSFromFile()
+        throws KeyStoreException, IOException, FileNotFoundException,
+               NoSuchProviderException, NoSuchAlgorithmException,
+               CertificateException, InvalidKeySpecException,
+               UnrecoverableKeyException {
+
+        WolfCryptProvider prov = null;
+        KeyStore store = null;
+
+        /* Use client.wks (clientWKS) to test. Any WKS KeyStore could be used,
+         * this was just picked since was first used/tested in test above. */
+
+        /* If Security property "wolfjce.mapJKStoWKS=true" has been set,
+         * WolfSSLKeyStore should be able to load a WKS file when using a
+         * "JKS" KeyStore type. */
+        String origProperty = Security.getProperty("wolfjce.mapJKStoWKS");
+
+        /* The wolfJCE service list needs to be refreshed after changing
+         * Security properties that will adjust the services we register */
+        Security.setProperty("wolfjce.mapJKStoWKS", "true");
+        prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+        prov.refreshServices();
+
+        /* Load WKS as JKS, should work w/o exception */
+        store = KeyStore.getInstance("JKS");
+        assertNotNull(store);
+        assertNotNull(store.getProvider());
+        assertTrue(store.getProvider().contains("wolfJCE"));
+        store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+        assertEquals(2, store.size());
+
+        /* Load JKS as JKS when this is set should fail, since using WKS
+         * implementation underneath fake JKS mapping */
+        try {
+            store.load(new FileInputStream(clientJKS), storePass.toCharArray());
+            fail("Loaded JKS as JKS, but shouldn't with fake mapping set");
+        } catch (IOException e) {
+            /* expected */
+        }
+
+        /* Set mapping to false, loading a WKS as JKS should throw exception */
+        Security.setProperty("wolfjce.mapJKStoWKS", "false");
+        prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+        prov.refreshServices();
+        store = KeyStore.getInstance("JKS");
+        assertTrue(!store.getProvider().contains("wolfJCE"));
+        try {
+            store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+            fail("Loaded WKS as JKS, but shouldn't have been able to");
+        } catch (IOException e) {
+            /* expected */
+        }
+
+        /* Loading JKS as JKS should work when mapping not set */
+        store.load(new FileInputStream(clientJKS), storePass.toCharArray());
+
+        /* Restore Security property */
+        if (origProperty == null) {
+            Security.setProperty("wolfjce.mapJKStoWKS", "");
+        }
+        else {
+            Security.setProperty("wolfjce.mapJKStoWKS", origProperty);
+        }
+    }
+
+    @Test
+    public void testLoadWKSasPKCS12FromFile()
+        throws KeyStoreException, IOException, FileNotFoundException,
+               NoSuchProviderException, NoSuchAlgorithmException,
+               CertificateException, InvalidKeySpecException,
+               UnrecoverableKeyException {
+
+        WolfCryptProvider prov = null;
+        KeyStore store = null;
+
+        /* Use client.wks (clientWKS) to test. Any WKS KeyStore could be used,
+         * this was just picked since was first used/tested in test above. */
+
+        /* If Security property "wolfjce.mapPKCS12toWKS=true" has been set,
+         * WolfSSLKeyStore should be able to load a WKS file when using a
+         * "PKCS12" KeyStore type. */
+        String origProperty = Security.getProperty("wolfjce.mapPKCS12toWKS");
+
+        /* The wolfJCE service list needs to be refreshed after changing
+         * Security properties that will adjust the services we register */
+        Security.setProperty("wolfjce.mapPKCS12toWKS", "true");
+        prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+        prov.refreshServices();
+
+        /* Load WKS as PKCS12, should work w/o exception */
+        store = KeyStore.getInstance("PKCS12");
+        assertNotNull(store);
+        assertNotNull(store.getProvider());
+        assertTrue(store.getProvider().contains("wolfJCE"));
+        store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+        assertEquals(2, store.size());
+
+        /* Load PKCS12 as PKCS12 when this is set should fail, since using WKS
+         * implementation underneath fake PKCS12 mapping */
+        try {
+            store.load(new FileInputStream(clientP12), storePass.toCharArray());
+            fail("Loaded PKCS12 as PKCS12, but shouldn't with fake mapping set");
+        } catch (IOException e) {
+            /* expected */
+        }
+
+        /* Set mapping to false, loading WKS as PKCS12 should throw exception */
+        Security.setProperty("wolfjce.mapPKCS12toWKS", "false");
+        prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+        prov.refreshServices();
+        store = KeyStore.getInstance("PKCS12");
+        assertTrue(!store.getProvider().contains("wolfJCE"));
+        try {
+            store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+            fail("Loaded WKS as PKCS12, but shouldn't have been able to");
+        } catch (IOException e) {
+            /* expected */
+        }
+
+        /* Loading PKCS12 as PKCS12 should work when mapping not set */
+        store.load(new FileInputStream(clientP12), storePass.toCharArray());
+
+        /* Restore Security property */
+        if (origProperty == null) {
+            Security.setProperty("wolfjce.mapPKCS12toWKS", "");
+        }
+        else {
+            Security.setProperty("wolfjce.mapPKCS12toWKS", origProperty);
+        }
+    }
+
     @Test
     public void testLoadSystemCAKeyStore()
         throws KeyStoreException, IOException, FileNotFoundException,