
NSS/JSS: load user imported cert along with PKCS#11 smartcard in Java

To my surprise there's no "Java Security" sub-forum so I guess I must publish the post in "Java in general". Help from the admins is welcome for moving it to another forum, if necessary.

-------------------------------
Scenario
-------------------------------
I am working on a Java Swing project, where I must develop a feature of listing certificates for users to choose for authentication via SSL against the server.

These certificates must contain the user imported ones in Firefox, and if a smartcard is inserted, those in the card will be listed, too. The environment is Linux/MacOS. In Windows the Internet Explorer handles it all, and what we would like to achieve is much like what happens in Windows: list all certificates, along with those in card, for users to choose.
-------------------------------
Situation
-------------------------------
When using NSS (Network Security Service) of Mozilla in Ubuntu, I found I was lost. With no code samples for using JSS in Java, I can only get it to work partially, depending on how I load the config file for the provider.

What I do now is:

1. Read the certs in Firefox (with KeyStore, Provider and KeyStore.Builder).
2. Load the certs from the card with CryptoManager and get all its modules (CryptoManager.initialize(profileDir), cm.getModules(), module.getTokens(), etc.).

-------------------------------
Problem
-------------------------------
Approach 1
-------------------------------
If I load the provider with libsoftoken3.so, I can see the user certificates. But, when I initialize the CryptoManager after constructing the provider, the external modules (e.g., my smart cards) are not listed in cryptoManager.getModules().

config = "library=" + NSS_JSS_Utils.NSS_LIB_DIR + "/libsoftokn3.so\n"
           + "name=\"Soft Token\"\n"
           + "slot=2\n" //for softoken, can only be 2.
           + "attributes=compatibility\n"
           + "allowSingleThreadedModules=true\n"
           + "showInfo=true\n"
           + "nssArgs=\"configdir='" + NSS_JSS_Utils.getFireFoxProfilePath() + "' "
               + "certPrefix='' "
               + "keyPrefix='' "
               + "secmod='secmod.db' "
               + "flags='readOnly'\""
//              + "flags='noDb'\""
           + "\n";
Approach 2
-------------------------------
If I load the provider with NSS's secmod.db, the card will be listed, even if it's not present/inserted, in the keyStore constructed with this provider. When it's inserted, in the second step above, I can see the external modules, but then the card is listed twice, with the same alias.

config = "name=\"NSS Module\"\n"
           + "attributes=compatibility\n"
           + "showInfo=true\n"
           + "allowSingleThreadedModules=true\n"
           + "nssUseSecmod=true\n"
           + "nssSecmodDirectory=" + NSS_JSS_Utils.getFireFoxProfilePath();


-------------------------------
Question:
-------------------------------
How can I easily load all certificates in a simple way, not separately with JSS?
If it's not possible, how can I configure the provider to load them separately but without repetition?
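One way to get a single, duplicate-free list, as an added example that is not the poster's code: open the Firefox NSS soft token and the smartcard as two separate SunPKCS11 providers (the card through its own PKCS#11 library rather than through secmod.db, so it only appears when it is actually inserted) and merge the key-backed certificates by SHA-256 fingerprint, so a certificate reachable through both paths is offered once. The library paths, profile directory and the Java 17 API are assumptions; the card library name is a placeholder for whatever the vendor ships.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the original post): lists certificates that have a
 * private key behind them, from the Firefox NSS soft token and from a smartcard,
 * each via its own SunPKCS11 provider, de-duplicated by certificate fingerprint.
 */
public class CertificateChooser {

    // Assumed locations; adjust to the machine in question.
    static final String NSS_LIB_DIR = "/usr/lib/x86_64-linux-gnu/nss";                 // assumption
    static final String FIREFOX_PROFILE = System.getProperty("user.home")
            + "/.mozilla/firefox/PROFILE_DIR_PLACEHOLDER";                             // placeholder profile name
    static final String CARD_PKCS11_LIB = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"; // assumption (vendor library)

    /** NSS soft token only (Firefox user-imported certs), read-only, no external modules. */
    static String nssSoftokenConfig() {
        return "name=NSSSoftoken\n"
             + "nssLibraryDirectory=" + NSS_LIB_DIR + "\n"
             + "nssSecmodDirectory=" + FIREFOX_PROFILE + "\n"
             + "nssUseSecmod=true\n"
             + "nssDbMode=readOnly\n"
             + "nssModule=keystore\n";
    }

    /** Smartcard through its own PKCS#11 library, so it is only visible when inserted. */
    static String cardConfig() {
        return "name=SmartCard\n"
             + "library=" + CARD_PKCS11_LIB + "\n";
    }

    /** Java 9+: an inline SunPKCS11 configuration is passed with a leading "--". */
    static Provider pkcs11Provider(String config) {
        return Security.getProvider("SunPKCS11").configure("--" + config);
    }

    /** pin may be null when the token does not need a login just to list certificates. */
    static KeyStore openKeyStore(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** Adds key-backed X.509 entries to 'merged', keyed by SHA-256 fingerprint; repeats are dropped. */
    static void collectClientCerts(KeyStore ks, Map<String, X509Certificate> merged) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue; // CA/peer certs without a private key cannot authenticate us
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate x)) continue;
            String fp = HexFormat.of().formatHex(sha256.digest(x.getEncoded()));
            merged.putIfAbsent(fp, x);   // same cert seen twice -> listed once
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, X509Certificate> merged = new LinkedHashMap<>();
        collectClientCerts(openKeyStore(pkcs11Provider(nssSoftokenConfig()), null), merged);
        try {
            // With no card inserted, SunPKCS11 fails to initialise; treat that as "no card certs".
            collectClientCerts(openKeyStore(pkcs11Provider(cardConfig()), null), merged);
        } catch (Exception noCard) {
            System.err.println("smartcard not available: " + noCard.getMessage());
        }
        merged.forEach((fp, x) ->
            System.out.println(fp.substring(0, 16) + "  " + x.getSubjectX500Principal()));
    }
}
```

If the Firefox profile has a master password, or the card requires a PIN before its key entries are visible, pass that as the `pin` argument of `openKeyStore` instead of `null`; `isKeyEntry` is what keeps CA and peer certificates out of the client-authentication list.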
We have a security forum, only it is not specific to any languages. I shall add your question there.
Thanks Campbell, you are welcome.
That's a pleasure