NSS/JSS: load user imported cert along with PKCS#11 smartcard in Java

 
Ranch Hand
Posts: 31
To my surprise there's no "Java Security" sub-forum so I guess I must publish the post in "Java in general". Help from the admins is welcome for moving it to another forum, if necessary.

-------------------------------
Scenario
-------------------------------
I am working on a Java Swing project, where I must develop a feature of listing certificates for users to choose for authentication via SSL against the server.

These certificates must contain the user imported ones in Firefox, and if a smartcard is inserted, those in the card will be listed, too. The environment is Linux/MacOS. In Windows the Internet Explorer handles it all, and what we would like to achieve is much like what happens in Windows: list all certificates, along with those in card, for users to choose.
-------------------------------
Situation
-------------------------------
When using NSS (Network Security Services) of Mozilla in Ubuntu, I found I am lost. With no code samples for using JSS in Java, I can only get it to work partially, depending on how I load the config file for the provider.

What I do now is:

1. Read the cert in Firefox (with KeyStore, Provider and KeyStore.Builder).
2. Load the cert from the card with CryptoManager and get all its modules (CryptoManager.initialize(profileDir), cm.getModules(), module.getTokens(), etc.).

-------------------------------
Problem
-------------------------------
Approach 1
-------------------------------
If I load the provider with libsoftokn3.so, I can see the user certificates. But when I initialize the CryptoManager after constructing the provider, the external modules (e.g., my smart cards) are not listed in cryptoManager.getModules().

// NSS_JSS_Utils is the poster's own helper class (not shown).
String config = "library=" + NSS_JSS_Utils.NSS_LIB_DIR + "/libsoftokn3.so\n"
           + "name=\"Soft Token\"\n"
           + "slot=2\n" // for softoken, can only be 2.
           + "attributes=compatibility\n"
           + "allowSingleThreadedModules=true\n"
           + "showInfo=true\n"
           + "nssArgs=\"configdir='" + NSS_JSS_Utils.getFireFoxProfilePath() + "' "
               + "certPrefix='' "
               + "keyPrefix='' "
               + "secmod='secmod.db' "
               + "flags='readOnly'\""
//              + "flags='noDb'\""
           + "\n";

Approach 2
-------------------------------
If I load the provider with NSS's secmod.db, the card will be listed, even if it's not present/inserted, in the keyStore constructed with this provider. When it's inserted, in the second step above, I can see the external modules, but then the card is listed twice, with the same alias.

// NSS_JSS_Utils is the poster's own helper class (not shown).
String config = "name=\"NSS Module\"\n"
           + "attributes=compatibility\n"
           + "showInfo=true\n"
           + "allowSingleThreadedModules=true\n"
           + "nssUseSecmod=true\n"
           + "nssSecmodDirectory=" + NSS_JSS_Utils.getFireFoxProfilePath();


-------------------------------
Question:
-------------------------------
How can I easily load all certificates in a simple way, not separately with JSS?
If it's not possible, how can I configure the provider to load them separately but without repetition?
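
One way to handle the repetition in the application rather than in the provider configuration, as an added example that is not part of the original post: merge the aliases from every KeyStore and identify each certificate by the SHA-256 fingerprint of its encoding instead of by alias. The names `CertMerge`, `Choice`, `merge` and the store labels are hypothetical, Java 17 or later is assumed, and the JDK's own `cacerts` file opened twice is a constructed stand-in for a card that shows up in two stores.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CertMerge {
    /** One selectable certificate: the store it came from, its alias there, its fingerprint. */
    record Choice(String source, String alias, String sha256) {}

    /** SHA-256 over the encoded certificate identifies it independently of alias or store. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(der));
    }

    /** Walks the stores in insertion order; the first store to present a certificate wins. */
    static List<Choice> merge(Map<String, KeyStore> stores) throws Exception {
        Map<String, Choice> unique = new LinkedHashMap<>();
        for (Map.Entry<String, KeyStore> store : stores.entrySet()) {
            KeyStore ks = store.getValue();
            for (String alias : Collections.list(ks.aliases())) {
                Certificate cert = ks.getCertificate(alias);
                if (cert == null) continue;          // entry carries no certificate
                String fp = fingerprint(cert);
                unique.putIfAbsent(fp, new Choice(store.getKey(), alias, fp));
            }
        }
        return new ArrayList<>(unique.values());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in input: the JDK trust store opened twice plays the part of
        // one token that is visible through two different stores.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        char[] pw = "changeit".toCharArray();        // default JDK trust-store password
        Map<String, KeyStore> stores = new LinkedHashMap<>();
        stores.put("store-A", KeyStore.getInstance(cacerts, pw));
        stores.put("store-B", KeyStore.getInstance(cacerts, pw));
        List<Choice> merged = merge(stores);
        int total = 0;
        for (KeyStore ks : stores.values()) total += ks.size();
        System.out.println(total + " entries in, " + merged.size() + " unique certificates out");
        merged.stream().limit(3).forEach(System.out::println);
    }
}
```

Keeping the source label in each `Choice` lets the selection dialog show where a certificate lives, and the KeyStore that owns the private key is still the one to hand to the SSL key manager.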
 
Marshal
Posts: 79151
We have a security forum, only it is not specific to any languages. I shall add your question there.
 
Nope Torres
Ranch Hand
Posts: 31
Thanks Campbell, you are welcome.
 
Campbell Ritchie
Marshal
Posts: 79151
That's a pleasure
 