JDK-6356886 : Authentication dialog shows certificates not marked for authentication
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 5.0
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2005-11-30
  • Updated: 2010-04-04
  • Resolved: 2008-08-08
The Version table lists the release in which this issue/RFE is addressed. Unresolved: release in which it will be addressed. Resolved: release in which it has been resolved. Fixed: release in which it has been fixed; the release containing the fix may be available for download as an Early Access Release or a General Availability Release.
  Other:  5.0u17  Resolved
  JDK 7:  7       Resolved
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.5.0_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_04-b05)
Java HotSpot(TM) Client VM (build 1.5.0_04-b05, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Setec SetWEB certificate loader, SCM331 Smart card reader, Finnish Electronic ID card (FINEID), using certificates and keys in the browser keystore

A DESCRIPTION OF THE PROBLEM :
When using a web site that requires client authentication and accessing a web page that contains an applet, the plug-in pops up a dialog which contains all the certificates in the browser keystore. The browser itself filters the list so that only those certificates marked for authentication purposes are visible. The plug-in does not.

This causes problems where there are certificates with the same common name (like FINEID, which has one certificate for authentication and another for non-repudiation, i.e. digital signatures), as the user is not aware which one of the two listed certificates is for authentication purposes. If the one that is not is selected, loading of the applet will fail.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Access any website with client authentication on, having a web page with an applet. Also have at least two certificates in your browser store, one of which is not for authentication purposes.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Only the certificates suitable for authentication should be listed.
ACTUAL -
Both certificates are listed, including the one not intended for authentication. If that one is chosen for authentication, loading of the applet will fail.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Use JRE 1.3.1, which does not suffer from this as it relies on the browser's HTTP(S) connection.

Release Regression From : 1.3.1
The above release value was the last known release where this bug was known to work. Since then there has been a regression.

Comments
EVALUATION I got the customer's reply in Incident 513630 and added it to the Comments section. The client certificates shown in the client authentication dialog box are all the certificates issued by the https server; we don't check for the authentication extended key usage at this moment, therefore not all of the certificates displayed in the client authentication dialog will work with the https server. Well, it would be good to check extendedKeyUsage before popping up the client authentication dialog box; we will consider this feature in the next release. In the meantime, I think the workaround is to use different alias names on the smart card to distinguish certificates with different purposes.
14-03-2006
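The check the evaluation above says the plug-in does not perform (and the filtering the description says the browser does) can be written against the standard java.security.cert API. The following is an added example, not code from the JRE or the Java Plug-in: it walks a keystore and keeps only key entries whose certificate is usable for TLS client authentication, rejecting an entry whose Extended Key Usage extension is present but lacks id-kp-clientAuth, or whose Key Usage extension permits neither digitalSignature nor keyAgreement (the nonRepudiation-only case corresponds to the signing certificate in the report). It assumes either a PKCS#12 file and password on the command line, or, with no arguments, the "Windows-MY" keystore type exposed by the SunMSCAPI provider (JDK 6 and later on Windows; that provider does not exist in the 5.0 release the report concerns). The class and alias output format are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not JRE/plug-in code): filter a keystore down to the
 * certificates usable for TLS client authentication, the step the plug-in's
 * dialog is reported to skip.
 *
 * Usage:
 *   java ClientAuthCertFilter                   -> "Windows-MY" (IE/CAPI store via SunMSCAPI, JDK 6+)
 *   java ClientAuthCertFilter store.p12 secret  -> a PKCS#12 file and its password
 */
public class ClientAuthCertFilter {

    /** id-kp-clientAuth (RFC 5280, section 4.2.1.12). */
    static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    /** anyExtendedKeyUsage (RFC 5280, section 4.2.1.12). */
    static final String ANY_EKU = "2.5.29.37.0";

    /* Bit positions in the boolean[] returned by X509Certificate.getKeyUsage(). */
    static final int KU_DIGITAL_SIGNATURE = 0;
    static final int KU_NON_REPUDIATION   = 1;
    static final int KU_KEY_AGREEMENT     = 4;

    /**
     * Returns null if the certificate may be offered for client authentication,
     * otherwise a short reason for rejecting it. A certificate without a Key
     * Usage or Extended Key Usage extension is accepted: an absent extension
     * imposes no restriction.
     */
    public static String rejectReason(X509Certificate cert) throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage();   // null when the extension is absent
        if (eku != null && !eku.contains(ID_KP_CLIENT_AUTH) && !eku.contains(ANY_EKU)) {
            return "extendedKeyUsage lacks clientAuth: " + eku;
        }
        boolean[] ku = cert.getKeyUsage();                // null when the extension is absent
        if (ku != null) {
            boolean canSign  = ku.length > KU_DIGITAL_SIGNATURE && ku[KU_DIGITAL_SIGNATURE];
            boolean canAgree = ku.length > KU_KEY_AGREEMENT    && ku[KU_KEY_AGREEMENT];
            if (!canSign && !canAgree) {
                // A signing-only (nonRepudiation) certificate cannot produce the
                // handshake's CertificateVerify signature, so the handshake fails.
                boolean nr = ku.length > KU_NON_REPUDIATION && ku[KU_NON_REPUDIATION];
                return nr ? "keyUsage is nonRepudiation only (signing certificate)"
                          : "keyUsage permits neither digitalSignature nor keyAgreement";
            }
        }
        return null;
    }

    /** Aliases of key entries whose certificate passes rejectReason(). */
    public static List<String> clientAuthAliases(KeyStore ks) throws Exception {
        List<String> ok = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;          // a private key is needed to authenticate
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String why = rejectReason(x);
            // The subject alone is ambiguous when two certificates share a CN
            // (the FINEID case in the report), so print the serial number too.
            System.out.println((why == null ? "OFFER " : "SKIP  ") + alias
                    + " | " + x.getSubjectX500Principal().getName()
                    + " | serial=" + x.getSerialNumber().toString(16)
                    + (why == null ? "" : " | " + why));
            if (why == null) ok.add(alias);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks;
        if (args.length >= 2) {
            ks = KeyStore.getInstance("PKCS12");
            InputStream in = new FileInputStream(args[0]);
            try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        } else {
            ks = KeyStore.getInstance("Windows-MY");      // SunMSCAPI provider, JDK 6+ on Windows
            ks.load(null, null);
        }
        List<String> offer = clientAuthAliases(ks);
        System.out.println(offer.size() + " certificate(s) would be shown in the dialog: " + offer);
    }
}
```

Run against a store holding both FINEID-style certificates and only the authentication certificate is reported as OFFER; the signing certificate is listed as SKIP with the reason, which is what the dialog in the report should have done before presenting the list. Printing the serial number alongside the subject also addresses the other complaint in the description, that two certificates with the same common name are indistinguishable in the dialog.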

EVALUATION Here are some questions we need to clarify:
1. Which browser do you use, IE or Mozilla?
2. The client authentication certificates are stored in the browser keystore, not on the smart card, am I right?
3. If it is the IE browser, the client certificate should be imported into the "Personal" tab; where do those two certificates appear in the IE browser, under which tab?
4. The customer mentioned in the bug report that one certificate is for authentication purposes and the other isn't; how do you distinguish them? Is there any extension bit difference inside the certificates, or are they just in different IE browser keystores?
5. If you import these two certificates into the JRE keystore, is there any difference?
6. Any test case or certificate provided will be helpful for us to investigate.
02-12-2005