  1. JDK
  2. JDK-8184903

Applets save cache certificates passwords


    • x86
    • windows_10

      FULL PRODUCT VERSION :
      java version "1.8.0_131"
      Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
      Java HotSpot(TM) Client VM (build 25.131-b11, mixed mode, sharing)

      ADDITIONAL OS VERSION INFORMATION :
      Windows 10 Pro

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Internet Explorer 11

      A DESCRIPTION OF THE PROBLEM :
      When we have to use a certificate for the first time (for authenticating or signing) in an applet, we are requested to enter the password. From this moment on, the password is not required any more for the rest of the applets that need access to the certificate.

      We assume that the password is saved in cache, but this is a very serious security problem because every program that needs to authenticate or sign does not need to ask for the password and could do whatever it wants.

      On the other hand, people who have chosen a high security option when they imported their certificates are annoyed with this functionality because their certificates can be used without their permission (and knowledge).

      REGRESSION. Last worked in version 8u111

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.8.0_111"
      Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
      Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Import a certificate inside Internet Explorer with high security level.
      - Set a password for the private key access
      - Use an application which has an applet and needs access to the certificate key (for authenticating or for signing)
      - Enter the password to access the private certificate key
      - Use the same application or another one with an applet which needs access to the certificate key
      - Now the password is not required.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I would expect that every time an applet needs to access the private certificate key, the certificate key password would be required
      ACTUAL -
      The private certificate key is required just one time, and the rest of applets do not need to ask for the password and have free access to the private key

      REPRODUCIBILITY :
      This bug can be reproduced always.

            pardesha Pardeep Sharma
            webbuggrp Webbug Group