Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4957907

Support Mozilla browser keystore and smart card in Java Plug-in and Web Start



    • b44
    • unknown, x86
    • solaris_9, windows_xp


      1. History

      Prior to Merlin, Java Plug-in used browser APIs in Internet Explorer and Netscape to support HTTPS. Browser keystores were used transparently by the browser APIs, and the certificates and keys in browser keystores were used in signing verification, SSL server/client authentication. Also, Internet Explorer and Netscape supports smart card for SSL client authentication through their keystore providers as well.

      Unfortunately, the browser APIs exposed for HTTPS were problematic especially in Netscape, and customers found many general cases that HTTPS didn't work properly in plugin because of the underlying problem in the browser APIs. As a result, in Merlin, Java Plug-in switched to JSSE (Java Secure Socket Extension) to support HTTPS, and it solved most of the outstanding HTTPS plugin bugs submitted by customers.

      However, by default, JSSE uses its own keystore that is not integrated with the browsers, and there is no support for enterprise keystore deployment. While customers could deploy their certificates/keys using keytool on each machine, this is unacceptable to them on a large scale deployment basis. They would like Java Plug-in to recognize certificates and keys in browser keystore, so they could use their existing deployment mechanism for the browser to deploy certificates/keys for plugin. Also, JSSE doesn't have built-in smart card support, so customers could not use their smart card in SSL client authentication in Merlin.

      2. Solution

      The solution is to expose the browser keystores to JSSE when running in plugin/webstart in Tiger. Microsoft exposed browser keystore access through Crypto APIs, and Netscape exposed the access through PKCS#11. The browser keystore would be used in three areas:

      a. Signing verification using root CA and trusted certificates from browser's root CA store and trusted store.
      b. SSL server authentication using root CA certificates from browser's root CA store.
      c. SSL client authentication using personal certificates and keys from browser's personal store.

      Plugin/webstart would leverage certificates and keys from the browser in additional to the default Java keystore. Browser keystore providers also has built-in smart card support, so the smart card support would be incorporated automatically into plugin as the result of the browser keystore support. In addition, a new advanced option would be added to the Java Control Panel, and customers could disable the browser keystore support on their machines if necessary.

              Based on customer feedbacks, this RFE should support the following:

      a. Browser keystore and smart card support through Internet Explorer on Windows
      b. Browser keystore and smart card support through Mozilla on Windows/Solaris/Linux

      In Tiger, the underlying deployment infrastructure have been merged between Java Plug-in and Java Web Start; adding browser keystore and smart card support in plugin would automatically enable the support in webstart as well.

              This RFE is similar to 4480333 but is specific for Mozilla browsers.

      ###@###.### 2003-11-20
      ###@###.### 2003-11-20


        Issue Links



              dgu Dennis Gu (Inactive)
              stanleyh Stanley Ho (Inactive)
              0 Vote for this issue
              0 Start watching this issue