Firstly, a comment: I understand that out of the box, Java supports only
PKCS12 and JKS. However, the JCE provider architecture allows for third
parties to support other KeyStore providers. Our client is using such
third party providers.
As of v1.4.2, if the third party KeyStore provider uses a FILE to store
its keys and certs, then everything works fine. For example, if I use
the NDBS provider (from http://agora.sei.cmu.edu/ndbs/) to read Netscape
format keystores it works fine. To do this, I install the provider with
a line in the java.security file, then pass
-Djavax.net.ssl.keyStore=<location of file>
-Djavax.net.ssl.keyStorePassword=<password>
-Djavax.net.ssl.keyStoreType=ndbs
This is great. It is certainly a step forward, as this did not work in
Java 1.4.1.
However, there is still a problem.
When using a hardware token as the keystore, there is no filename that can be passed as javax.net.ssl.keyStore or javax.net.ssl.trustStore, as the keystore/truststore is on a smartcard.
When the plug-in is establishing the JSSE session, it calls java.security.KeyStore.load(). As the javadoc for java.security.KeyStore.load says, null may be passed as the first parameter to KeyStore.load when a token is used for the keystore/truststore.
But, when javax.net.ssl.keyStore is empty, the plugin attempts to
verify that the keystore/truststore file exists. If it doesn't, a
java.io.FileNotFoundException exception is thrown.
I think correct behaviour should be to ignore that the file doesn't exist,
and pass null as the first parameter to the KeyStore.load() method. In any case, there needs to be a way to pass null as the first parameter to this method.
While this doesn't affect the java out of the box keystores (JKS and
PKCS12), it is preventing 3rd party token keystore providers from being
used by the plugin.
Also, I need to know that this mechanism will continue to be available in Java 1.5. I would hate to see the plugin being unable to make use of third party
providers when that is exactly what the JCE provider architecture is
there for. Our client would be most distressed if this happened!
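The behaviour the report asks for, as an added example that is not part of the original post or of the plugin's code: a loader that reads the same javax.net.ssl.* system properties but calls KeyStore.load(null, password) when no keystore path is given, so a token-backed provider is initialised instead of failing with FileNotFoundException. The class and method names are assumptions chosen for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not the plugin's own code) showing the proposed fix.
public class TokenKeyStoreLoader {

    // Loads a KeyStore of the given type. With no location (the token case,
    // e.g. a smartcard provider), the javadoc-sanctioned load(null, pw) is used
    // instead of opening a file that does not exist.
    static KeyStore loadKeyStore(String type, String location, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (location == null || location.length() == 0) {
            ks.load(null, password);            // token-backed: no file to open
            return ks;
        }
        InputStream in = new FileInputStream(location);
        try {
            ks.load(in, password);              // file-backed keystore (JKS, NDBS, ...)
        } finally {
            in.close();
        }
        return ks;
    }

    // Builds an SSLContext from the same -D properties the plugin reads, without
    // insisting that javax.net.ssl.keyStore / trustStore name an existing file.
    static SSLContext buildContext() throws Exception {
        String ksType = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        String ksPw   = System.getProperty("javax.net.ssl.keyStorePassword", "");
        KeyStore ks = loadKeyStore(ksType, System.getProperty("javax.net.ssl.keyStore"), ksPw.toCharArray());

        String tsType = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String tsPw   = System.getProperty("javax.net.ssl.trustStorePassword", "");
        KeyStore ts = loadKeyStore(tsType, System.getProperty("javax.net.ssl.trustStore"), tsPw.toCharArray());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPw.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Running with -Djavax.net.ssl.keyStoreType=ndbs and no -Djavax.net.ssl.keyStore exercises the load(null, pw) path; the provider itself must still be registered in java.security as described above.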