JDK-8144604 : Problem with SSL Client Authentication having multiple certificates on smartcard
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u60
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2015-11-11
  • Updated: 2016-04-06
  • Resolved: 2016-04-06
Related Reports
Duplicate :  
Relates :  
Description
FULL PRODUCT VERSION :
1.8.0.60

ADDITIONAL OS VERSION INFORMATION :
Windows 7 / Windows 8.1 32-bit or 64-bit

EXTRA RELEVANT SYSTEM CONFIGURATION :
Tomcat 7.0.60, configured HTTPS with SSL client authentication required

A DESCRIPTION OF THE PROBLEM :
Calling a JNLP via javaws
Smartcard with 3 certificates (for authentication, signing and encryption) on the card connected via a smartcard middleware (different card types and different middlewares tested with same result)
The smartcard middleware propagates the certificates via CSP successfully to the Windows certificate store.
The certificates all have the same common name.

Calling a website on that tomcat via Internet Explorer works fine, all relevant certificates are displayed and can be selected for Client authentication.

Issue with Java:
Calling in the same environment a JNLP page via Java Web Start, the Java Certificate Popup comes up. Java displays 3 certificates but refers always to the first certificate on the card (verified by the certificate serial number - I can click into the details of all 3 certificates and always get presented the first certificate). It seems that if the first certificate on the card is no login certificate, I do not get a certificate presented in the popup at all.
As soon as the certificates have different common names, the login seems to work, so obviously there seems to be a bug in Java, so that certificate based login is not possible as soon as a CN is used multiple times.
Hint: Friendly name is also not set / not possible to set via Windows CSP smartcard propagation. As soon as a friendly name is set manually it also works (which is not an option in a production environment)


REGRESSION.  Last worked in version 8u45

ADDITIONAL REGRESSION INFORMATION: 
It properly worked in 1.8.0_40-b26.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See description

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Java popup should show all certificates instead of one single three times.
ACTUAL -
Java popup shows three certificates, which however all refer to the first certificate on the card.

REPRODUCIBILITY :
This bug can be reproduced always.
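
A diagnostic for the symptom reported above, as an added example that is not part of the original report or of the JDK: it lists the entries Java sees in the current user's Windows certificate store and flags any alias that is listed more often than the number of distinct certificate serial numbers it resolves to. The class name is hypothetical; it assumes a Windows host with the SunMSCAPI provider available and the smartcard certificates already propagated to the store.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

// Hypothetical helper class (not JDK code): run on the affected client with the card inserted.
public class WindowsMyAliasCheck {
    public static void main(String[] args) throws Exception {
        // "Windows-MY" is the current user's personal store as exposed by SunMSCAPI.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        Map<String, Integer> timesListed = new TreeMap<>();
        Map<String, Set<String>> serialsByAlias = new TreeMap<>();

        for (String alias : Collections.list(ks.aliases())) {
            timesListed.merge(alias, 1, Integer::sum);
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            String serial = x509.getSerialNumber().toString(16);
            serialsByAlias.computeIfAbsent(alias, k -> new TreeSet<>()).add(serial);
            // Key usage bits help tell the authentication, signing and encryption certificates apart.
            System.out.printf("alias=%s serial=%s keyUsage=%s subject=%s%n",
                    alias, serial, Arrays.toString(x509.getKeyUsage()),
                    x509.getSubjectX500Principal().getName());
        }

        // An alias listed N times that resolves to fewer than N distinct serial numbers
        // means some certificates cannot be told apart through this keystore view.
        for (Map.Entry<String, Integer> e : timesListed.entrySet()) {
            Set<String> serials = serialsByAlias.getOrDefault(e.getKey(), Collections.emptySet());
            if (e.getValue() > serials.size()) {
                System.out.printf("AMBIGUOUS alias=%s listed=%d distinctSerials=%d%n",
                        e.getKey(), e.getValue(), serials.size());
            }
        }
    }
}
```

Comparing the printed serial numbers with those shown for the same certificates in the Windows certificate manager confirms whether Java resolves each entry to a different certificate.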


Comments
Closing the bug as a duplicate of JDK-6483657.
06-04-2016

I think this can be closed as a duplicate of JDK-8149344, which was resolved via JDK-6483657
06-04-2016

Though the symptom looks a little different, it may be related to JDK-8079356
03-12-2015