
Loading keystores from a smartcard

782 views

Thomaspantalacci311
Apr 27, 2011, 12:08:22 PM
To: comp.lang.java.security
Hello.
I want to connect to an Apache server using SSL (so the HTTPS protocol),
with the client certificate on a smartcard. On the website there is an
HTML page and a Java applet. While loading the applet, the client is
required to present his client certificate, though it has already been
loaded when I connect to the server (and so it is in the Firefox
keystore), and then the applet is not loaded (a ClassNotFoundException
is raised).

I think the problem is that the client certificate is not found in the Java
keystore. On the smartcard, I have 2 certificates: one for
authentication, and the other for signing. How could I proceed to load
both certificates from the smartcard, using java.security.KeyStore?
(Actually I can load only the signature certificate.)
Note that I have a PKCS11 provider.

Every idea is welcome to solve my problem.


Dave Miller
Jul 29, 2008, 10:58:59 PM
Thomaspan...@hotmail.com wrote:

<snip>


> While loading the applet, the client is
> required to present his client certificate, though it has been already

I have no idea what you're trying to accomplish here, but...

<snip>


> How could I proceed to load
> both certificates from the smartcard, using java.security.KeyStore?
> (Actually I can load only the signature certificate.)

To access the client keystore you need access to the client. The user
(obviously) has access to the keystore - he's sitting in front of the
console. You could have a html page before the page with the applet with
instructions on how to load his certificate into his store.

--
Dave Miller
Java Web Hosting
http://www.cheap-jsp-hosting.com/

Thomaspantalacci311
Apr 27, 2011, 12:08:23 PM
To: comp.lang.java.security
I solved my problem. In fact I had to install JSS (some DLLs and a jar
file to place in the current JRE) in Mozilla Firefox. This done, the
JVM can access the Firefox keystore and the client authentication is
OK (and so the applet is loaded). I also had to check "Use certificates
and keys in browser keystore" in the Java Control Panel -> Advanced ->
Security.

Dave Miller
Apr 27, 2011, 12:08:23 PM
To: comp.lang.java.security

Thomaspan...@hotmail.com wrote:
> I solved my problem. In fact I had to install JSS (some DLLs and a jar
> file to place in the current JRE) in Mozilla Firefox. This done, the
> JVM can access the Firefox keystore and the client authentication is
> OK (and so the applet is loaded). I also had to check "Use certificates
> and keys in browser keystore" in the Java Control Panel -> Advanced ->
> Security.
If you have access to the client side, there are many ways to load
certs. Applets are usually delivered to clients to which you do not have
access.

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/

Thomaspantalacci311
Apr 27, 2011, 12:08:24 PM
To: comp.lang.java.security
I had another question, but I couldn't find any answer. I have two
certificates on my smartcard. How can I load both certificates?
I tried this code:

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Enumeration;

char[] pin = smartCardPIN.toCharArray();
KeyStore keyStore = null;
try {
    keyStore = KeyStore.getInstance("PKCS11"); // needs a registered PKCS#11 provider
} catch (Exception e) {
    e.printStackTrace();
}
keyStore.load(null, pin); // the card PIN is passed as the keystore "password"
Enumeration<String> aliases = keyStore.aliases();
if (aliases.hasMoreElements()) {
    String alias = aliases.nextElement();
    System.out.println("alias:" + alias);
    // getting the certificate chain and the private key
    Certificate[] certificationChain = keyStore.getCertificateChain(alias);
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null);
    // ....
}

// ...


But the aliases enumeration has only one element, since it prints
"Signature certificate" (the alias of my signature certificate).
It seems that the other certificate is not loaded. Maybe I must
instantiate a new keystore?
Maybe the problem (if it's a problem) is due to my PKCS11 provider. Do
you have any suggestion?
Thanks for your answers.

Dave Miller
Apr 27, 2011, 12:08:24 PM
To: comp.lang.java.security

Thomaspan...@hotmail.com wrote:
> I had another question, but I couldn't find any answer. I have two
> certificates on my smartcard. How can I load both certificates?
> I tried this code:
>
> char[] pin = smartCardPIN.toCharArray();
> KeyStore keyStore = null;
> try{
> keyStore = KeyStore.getInstance("PKCS11");//
> }catch(Exception e){
> e.printStackTrace();
> }
> keyStore.load(null, pin);
> Enumeration aliases = keyStore.aliases();
> if (aliases.hasMoreElements()) {
> String alias = (String)aliases.nextElement();
> System.out.println("alias:"+alias);
> //getting the certificate chain and the private key
> Certificate[] certificationChain =
> keyStore.getCertificateChain(alias);
> PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias,
> null);
> ....
>
> }
>
> ...
>
>
> But the aliases enumeration has only one element, since it prints

You've created a keystore and placed one element into it. When you say
"show me elements" it... shows you the one that you've entered.

I've never tried to manipulate the keystore on the client's machine so I
won't be any help there. My sense is that doing so would take a bit of a
hack (or crack). As the keystore holds the keys (literally) to the
client's security, the JVM probably tries to keep it pretty well locked up.

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/


Thomaspan...@hotmail.com
Jul 31, 2008, 4:25:21 AM
My bad, the keystore does contain both certificates. In my code,
replace "if (aliases.hasMoreElements())" with "while
(aliases.hasMoreElements()) { ...".
Sorry for such a trivial error, lol.
So everything is OK.
Thanks for the time you spent answering my questions (some of which are a
little bit stupid..).
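The two problems in this thread (walking every alias on the card instead of only the first, and getting Java's TLS client authentication to present the card's authentication certificate rather than the signing one) can be handled in one program. What follows is an added example written for this page, not code from the original posts or from the poster's project. It assumes Java 9 or later (for Provider.configure), a SunPKCS11 configuration file at a made-up path /etc/pki/mycard-pkcs11.cfg that names the card vendor's PKCS#11 module, a made-up server URL, and that the card's authentication certificate carries keyUsage digitalSignature without nonRepudiation (the usual split for auth vs. signing certificates; check your own card's profile). The extended-key-usage OID 1.3.6.1.5.5.7.3.2 is the standard id-kp-clientAuth.

```java
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

public class SmartCardClientAuth {

    // Assumed path: a SunPKCS11 config naming the card's PKCS#11 module, e.g.
    //   name = MyCard
    //   library = /usr/lib/opensc-pkcs11.so
    static final String PKCS11_CONFIG = "/etc/pki/mycard-pkcs11.cfg";
    static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    /** Configures SunPKCS11 (Java 9+ API) and opens the card as a KeyStore; the PIN is the "password". */
    static KeyStore loadCard(char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin); // logs in to the token; the session stays open for later getKey() calls
        return ks;
    }

    /** Walks every alias (a loop, not a single if) and reports whether each has a private key on the card. */
    static List<String> listEntries(KeyStore ks) throws KeyStoreException {
        List<String> aliases = Collections.list(ks.aliases());
        for (String alias : aliases) {
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(not X.509)";
            System.out.printf("%-24s %-9s %s%n", alias, ks.isKeyEntry(alias) ? "key+cert" : "cert only", subject);
        }
        return aliases;
    }

    /** Picks the certificate meant for TLS client auth: keyUsage digitalSignature set, nonRepudiation
     *  clear (that one is the signing certificate), and extendedKeyUsage absent or containing clientAuth. */
    static String chooseAuthAlias(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;            // a certificate without a key cannot authenticate
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            boolean[] ku = x.getKeyUsage();                 // null when the extension is absent
            boolean digSig = ku != null && ku.length > 0 && ku[0];
            boolean nonRep = ku != null && ku.length > 1 && ku[1];
            List<String> eku = x.getExtendedKeyUsage();     // null when the extension is absent
            boolean clientAuth = eku == null || eku.contains(CLIENT_AUTH_EKU);
            if (digSig && !nonRep && clientAuth) return alias;
        }
        throw new KeyStoreException("no client-authentication certificate found on the card");
    }

    /** Builds an SSLContext whose key manager always offers the chosen alias, so the JSSE cannot
     *  fall back to the signature certificate when the server's CA list matches both certificates. */
    static SSLContext clientContext(KeyStore ks, String alias, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        X509KeyManager pinned = new X509KeyManager() {
            public String chooseClientAlias(String[] kt, Principal[] issuers, Socket s) { return alias; }
            public String chooseServerAlias(String kt, Principal[] issuers, Socket s) { return null; }
            public String[] getClientAliases(String kt, Principal[] issuers) { return new String[] { alias }; }
            public String[] getServerAliases(String kt, Principal[] issuers) { return null; }
            public X509Certificate[] getCertificateChain(String a) { return base.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return base.getPrivateKey(a); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { pinned }, null, null); // null trust managers: JDK default truststore
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Card PIN: "); // prompt; never hard-code the PIN
        KeyStore ks = loadCard(pin);
        listEntries(ks);
        String alias = chooseAuthAlias(ks);
        SSLContext ctx = clientContext(ks, alias, pin);
        Arrays.fill(pin, '\0'); // the provider keeps the token session; the PIN need not stay in memory
        // Assumed URL of the Apache server that requests a client certificate.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://intranet.example/applet/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " using alias " + alias);
    }
}
```

Two points worth keeping in mind. Pinning the alias matters because the default SunX509 key manager picks the first alias whose issuer matches the server's CertificateRequest, and on a card where both certificates chain to the same CA that is often the signing certificate, which the server will then reject or log as the wrong identity. And because the private keys never leave the token, getPrivateKey() returns a handle that only works while the PKCS#11 session opened by load() is alive; removing the card or logging out invalidates it, so re-run loadCard() rather than caching the PrivateKey across card insertions.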

Roedy Green
Apr 27, 2011, 12:08:26 PM
To: comp.lang.java.security
On Tue, 29 Jul 2008 06:40:21 -0700 (PDT),
Thomaspan...@hotmail.com wrote, quoted or indirectly quoted
someone who said:

> I think the problem is that the client certificate is not found in the Java
> keystore. On the smartcard, I have 2 certificates: one for
> authentication, and the other for signing. How could I proceed to load
> both certificates from the smartcard, using java.security.KeyStore?
> (Actually I can load only the signature certificate.)
> Note that I have a PKCS11 provider.

First get rid of the complication of the smartcard by copying your
keystore to hard disk. Then have a read up on keytool for all the
things you can do with it.

see http://mindprod.com/jgloss/keytoolexe.html

Keytool has a big restriction. It will never export a private key. You
have to use the private keys on the certs inside the keystore.

--

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
