Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4901036

Java Plug-in Cannot make use of token keystores

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 1.4.2
    • Fix Version/s: None
    • Component/s: deploy
    • Labels:
      None
    • Subcomponent:
    • CPU:
      unknown
    • OS:
      solaris_9

      Description

      Firstly a comment: I understand the out of the box java supports only
      PKCS12 and JKS. However, the JCE provider architecture allows for third
      parties to support other KeyStore providers. Our client is using such
      third party providers.

      As of v1.4.2, if the third party KeyStore provider uses a FILE to store
      its keys and certs, then everything works fine. For example, if I use
      the NDBS provider (from http://agora.sei.cmu.edu/ndbs/)to read Netscape
      format keystores it works fine. To do this, I install the provider with
      a line in the java.security file, then pass
      -Djavax.net.ssl.keyStore=<location of file>
      -Djavax.net.ssl.keyStorePassword=<password>
      -Djavax.net.ssl.keyStoreType=ndbs
      This is great. It is certainly a step forward as this did not work in
      java 1.4.1

      However, there is still a problem.
      When using a hardware token as the keystore, there is no filename that can be passed as javax.net.ssl.keyStore or javax.net.ssl.trustStore, as the keystore/truststore is on a smartcard.

      When the plug-in is establishing the JSSE session, it calls java.security.KeyStore.load(). As the javadoc for java.security.KeyStore.load says, null may be passed as the first parameter to Keystore.load when a token is used for the keystore/truststore.

      But, when javax.net.ssl.keyStore is empty, the plugin attempts to
      verify that the keystore/truststore file exists. If it doesn't, a
      java.io.FileNotFoundException exception is thrown.

      I think correct behaviour should be to ignore that the file doesn't exist,
      and pass null as the first parameter to the KeyStore.load() method. In any case, there needs to be a way to pass null as the first parameter to this method.

      While this doesn't affect the java out of the box keystores (JKS and
      PKCS12), it is preventing 3rd party token keystore providers from being
      used by the plugin.

      Also, I need to know that this mechanism will continue to be available in java 1.5. I would hate to see the plugin being unable to make use of third party
      providers when that is exactly what the JCE provider architecture is
      there for. Our client would be most distressed if this happened!

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              dgu Dennis Gu (Inactive)
              Reporter:
              duke J. Duke (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Imported:
                Indexed: