JDK-7023721 : Client Certificates not retrieved from System KeyStore when using Chromium
  • Type: Enhancement
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u24,8u31
  • Priority: P3
  • Status: Closed
  • Resolution: Won't Fix
  • OS: windows_7
  • CPU: x86
  • Submitted: 2011-03-02
  • Updated: 2015-03-11
  • Resolved: 2015-03-11
Description
FULL PRODUCT VERSION :
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
8.0.554.0 (62399) (but is the same for later versions)

A DESCRIPTION OF THE PROBLEM :
Java treats Chrome/Chromium as if it were Mozilla and attempts to read browser certs from the NSS certificate and key databases as opposed to the System Keystore that Chrome uses.

See below extract from Console logs:
security: Accessing keys and certificate in Mozilla user profile:  XXX
security: JSS package is not found
security: JSS is not configured

I had raised this as an issue with Chromium (http://code.google.com/p/chromium/issues/detail?id=73870) and they have confirmed that it is an issue with Java.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Enable the "Use certificate and keys in browser store" in the Java security options
2. Create a simple index.html including Java Applet
3. Access over SSL with client authentication enabled
4. User is prompted with Java dialog "Request Authentication" (this should but does NOT have certs available to select).
5. Click cancel as this is the only option.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Applet should work
ACTUAL -
Applet is not found as no client authenticating cert is sent

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Class not found exception

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Access the Jar via a non-client authenticated port, not ideal. May cause security vulnerabilities.

Comments
No plans to resolve/fix at this time.
11-03-2015

Seen both on XP and (Per the BugDB) on Windows 7 - hence the more sensible update of the OS in JBS to Win7
19-02-2015

EVALUATION We started to support reading the browser keystore in JDK6, which uses the Windows Crypto API for the IE browser keystore, and JSS for the Mozilla browser. There was no Chrome browser at that time. We never implemented anything to read the Chrome browser keystore in the JDK. With more users using the Chrome browser, we may need to consider supporting it, but we need to do an evaluation to see how we can read certificates from the Chrome browser; it may not make it into JDK7.
03-03-2011
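
The following is an added example, not part of the bug report and not the Java Plug-in's own code: a standalone Java application on Windows reading client certificates from the system store through the Windows Crypto API path the evaluation mentions, instead of NSS/JSS. It assumes the "System KeyStore" in the report is the current user's Windows certificate store, which the SunMSCAPI provider exposes as `Windows-MY`; the class and method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class SystemStoreClientAuth {

    // Aliases usable for TLS client authentication: a private key is attached
    // and the certificate is inside its validity period.
    static List<String> usableClientAliases(KeyStore store) throws Exception {
        List<String> usable = new ArrayList<String>();
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isKeyEntry(alias)) continue;        // certificate without a private key
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            try {
                ((X509Certificate) cert).checkValidity();  // throws if expired or not yet valid
                usable.add(alias);
            } catch (CertificateException e) {
                // outside its validity period: do not offer it
            }
        }
        return usable;
    }

    // SSLContext whose key managers answer a server's certificate request
    // with keys held in the Windows store.
    static SSLContext clientAuthContext(KeyStore store) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, null);                       // no password: CryptoAPI guards the keys
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);  // default trust managers and RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore store = KeyStore.getInstance("Windows-MY"); // SunMSCAPI provider, Windows only
        store.load(null, null);                              // nothing to read from a file
        for (String alias : usableClientAliases(store)) {
            X509Certificate c = (X509Certificate) store.getCertificate(alias);
            System.out.println(alias + " -> " + c.getSubjectX500Principal());
        }
        clientAuthContext(store); // use getSocketFactory() on the result for HTTPS connections
    }
}
```

An empty list from `usableClientAliases` corresponds to the empty selection dialog in step 4 of the report: no certificate with a private key was found, so none can be sent during the handshake.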