Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4901036

Java Plug-in Cannot make use of token keystores



    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 1.4.2
    • Fix Version/s: None
    • Component/s: deploy
    • Labels:
    • Subcomponent:
    • CPU:
    • OS:


      Firstly a comment: I understand the out of the box java supports only
      PKCS12 and JKS. However, the JCE provider architecture allows for third
      parties to support other KeyStore providers. Our client is using such
      third party providers.

      As of v1.4.2, if the third party KeyStore provider uses a FILE to store
      its keys and certs, then everything works fine. For example, if I use
      the NDBS provider (from http://agora.sei.cmu.edu/ndbs/)to read Netscape
      format keystores it works fine. To do this, I install the provider with
      a line in the java.security file, then pass
      -Djavax.net.ssl.keyStore=<location of file>
      This is great. It is certainly a step forward as this did not work in
      java 1.4.1

      However, there is still a problem.
      When using a hardware token as the keystore, there is no filename that can be passed as javax.net.ssl.keyStore or javax.net.ssl.trustStore, as the keystore/truststore is on a smartcard.

      When the plug-in is establishing the JSSE session, it calls java.security.KeyStore.load(). As the javadoc for java.security.KeyStore.load says, null may be passed as the first parameter to Keystore.load when a token is used for the keystore/truststore.

      But, when javax.net.ssl.keyStore is empty, the plugin attempts to
      verify that the keystore/truststore file exists. If it doesn't, a
      java.io.FileNotFoundException exception is thrown.

      I think correct behaviour should be to ignore that the file doesn't exist,
      and pass null as the first parameter to the KeyStore.load() method. In any case, there needs to be a way to pass null as the first parameter to this method.

      While this doesn't affect the java out of the box keystores (JKS and
      PKCS12), it is preventing 3rd party token keystore providers from being
      used by the plugin.

      Also, I need to know that this mechanism will continue to be available in java 1.5. I would hate to see the plugin being unable to make use of third party
      providers when that is exactly what the JCE provider architecture is
      there for. Our client would be most distressed if this happened!


          Issue Links



              dgu Dennis Gu (Inactive)
              duke J. Duke (Inactive)
              0 Vote for this issue
              0 Start watching this issue