NSS/JSS: load user imported cert along with PKCS#11 smartcard in Java

 
Nope Torres
Ranch Hand
Posts: 31
To my surprise there's no "Java Security" sub-forum so I guess I must publish the post in "Java in general". Help from the admins is welcome for moving it to another forum, if necessary.

-------------------------------
Scenario
-------------------------------
I am working on a Java Swing project, where I must develop a feature of listing certificates for users to choose for authentication via SSL against the server.

These certificates must contain the user imported ones in Firefox, and if a smartcard is inserted, those in the card will be listed, too. The environment is Linux/MacOS. In Windows the Internet Explorer handles it all, and what we would like to achieve is much like what happens in Windows: list all certificates, along with those in card, for users to choose.
-------------------------------
Situation
-------------------------------
When using NSS (Network Security Service) of Mozilla in Ubuntu, I found I am lost. With no code samples for using JSS in Java, I can only get it to work partially, depending on the way how I load the config file for the provider.

What I do now, is:

1. Read the certs in Firefox (with KeyStore, Provider and KeyStore.Builder).
2. Load the certs from the card with CryptoManager and get all its modules (CryptoManager.initialize(profileDir), cm.getModules(), module.getTokens(), etc.).

-------------------------------
Problem
-------------------------------
Approach 1
-------------------------------
If I load the provider with libsoftokn3.so, I can see the user certificates. But, when I initialize the CryptoManager after constructing the provider, the external modules (e.g., my smart cards) are not listed in cryptoManager.getModules().

// SunPKCS11 config built as one string; NSS_JSS_Utils is the poster's own helper class.
String config = "library=" + NSS_JSS_Utils.NSS_LIB_DIR + "/libsoftokn3.so\n"
        + "name=\"Soft Token\"\n"
        + "slot=2\n"                      // for softoken, can only be 2.
        + "attributes=compatibility\n"
        + "allowSingleThreadedModules=true\n"
        + "showInfo=true\n"
        + "nssArgs=\"configdir='" + NSS_JSS_Utils.getFireFoxProfilePath() + "' "
            + "certPrefix='' "
            + "keyPrefix='' "
            + "secmod='secmod.db' "
            + "flags='readOnly'\""
//          + "flags='noDb'\""            // alternative tried instead of readOnly
        + "\n";

Approach 2
-------------------------------
If I load the provider with NSS's secmod.db, the card will be listed, even if it's not present/inserted, in the keyStore constructed with this provider. When it's inserted, in the second step above, I can see the external modules, but then the card is listed twice, with the same alias.

// SunPKCS11 config that lets NSS read the module list from the Firefox profile's secmod.db.
String config = "name=\"NSS Module\"\n"
        + "attributes=compatibility\n"
        + "showInfo=true\n"
        + "allowSingleThreadedModules=true\n"
        + "nssUseSecmod=true\n"
        + "nssSecmodDirectory=" + NSS_JSS_Utils.getFireFoxProfilePath() + "\n";

-------------------------------
Question:
-------------------------------
How can I easily load all certificate in a simple way, not separately with JSS?
If it's not possible, how can I configure the provider to load them separately but without repetition?
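The listing step from the post, written out as an added example (this is not the poster's code and not JSS sample code). It keeps the two sources the post describes, the SunPKCS11 provider built from one of the config strings above and the JSS CryptoManager walk over modules and tokens, but merges both into one map keyed by the SHA-256 fingerprint of the DER encoding, so a card that shows up under two aliases (the repetition in Approach 2) is listed once, and slots whose card is not inserted are skipped. Assumptions: Java 9+ `Provider.configure` with the `--` inline-config prefix, the `NSS_JSS_Utils` helper and `pin` value supplied by the caller, and the JSS calls `CryptoToken.isPresent()` and `CryptoToken.getCryptoStore().getCertificates()`, which are taken from the JSS API rather than from the post.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

public class CertListing {

    /** Hex SHA-256 over the DER bytes: the same cert under two aliases hashes identically. */
    static String fingerprint(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Step 1 of the post: SunPKCS11 provider from an inline config string, then a PKCS11 KeyStore. */
    static void collectFromProvider(String config, char[] pin, Map<String, X509Certificate> seen) throws Exception {
        // "--" tells Provider.configure that the argument is the config text itself, not a file path (Java 9+)
        Provider p = Security.getProvider("SunPKCS11").configure("--" + config);
        Security.addProvider(p);
        KeyStore.Builder b = KeyStore.Builder.newInstance("PKCS11", p, new KeyStore.PasswordProtection(pin));
        KeyStore ks = b.getKeyStore();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                seen.putIfAbsent(fingerprint(c.getEncoded()), (X509Certificate) c); // duplicate alias -> ignored
            }
        }
    }

    /** Step 2 of the post: walk JSS modules and tokens; only tokens with a card present are read. */
    static void collectFromJss(String profileDir, Map<String, X509Certificate> seen) throws Exception {
        org.mozilla.jss.CryptoManager.initialize(profileDir);
        org.mozilla.jss.CryptoManager cm = org.mozilla.jss.CryptoManager.getInstance();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Enumeration<?> modules = cm.getModules();
        while (modules.hasMoreElements()) {
            org.mozilla.jss.pkcs11.PK11Module m = (org.mozilla.jss.pkcs11.PK11Module) modules.nextElement();
            Enumeration<?> tokens = m.getTokens();
            while (tokens.hasMoreElements()) {
                org.mozilla.jss.crypto.CryptoToken t = (org.mozilla.jss.crypto.CryptoToken) tokens.nextElement();
                if (!t.isPresent()) continue; // assumed JSS API: slot exists but no card inserted
                for (org.mozilla.jss.crypto.X509Certificate jc : t.getCryptoStore().getCertificates()) {
                    byte[] der = jc.getEncoded();
                    // convert the JSS certificate to a java.security one so both sources share one type
                    X509Certificate c = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
                    seen.putIfAbsent(fingerprint(der), c);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String profile = NSS_JSS_Utils.getFireFoxProfilePath();      // poster's helper, assumed
        String softokenConfig = NSS_JSS_Utils.softokenConfig(profile); // assumed: returns the Approach 1 string
        char[] pin = NSS_JSS_Utils.askPin();                          // assumed: prompts the user
        Map<String, X509Certificate> seen = new LinkedHashMap<>();
        collectFromProvider(softokenConfig, pin, seen);
        collectFromJss(profile, seen);
        // one entry per distinct certificate, ready for the Swing chooser
        for (Map.Entry<String, X509Certificate> en : seen.entrySet()) {
            System.out.println(en.getKey().substring(0, 16) + "  " + en.getValue().getSubjectX500Principal());
        }
    }
}
```

The order of the two calls matches the post (provider first, then CryptoManager); because the map is insertion-ordered and `putIfAbsent` keeps the first copy, a card certificate already found through the provider is not re-added by the JSS walk. Whether the softoken config or the secmod.db config is passed to `collectFromProvider` changes which certificates the first step sees, but the fingerprint key makes the final list the same either way.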
 
Campbell Ritchie
Marshal
Posts: 56581
We have a security forum, only it is not specific to any languages. I shall add your question there.
 
Nope Torres
Ranch Hand
Posts: 31
Thanks Campbell, you are welcome.
 
Campbell Ritchie
Marshal
Posts: 56581
That's a pleasure
 