4 Replies Latest reply on Aug 5, 2012 1:38 AM by 953832

    Read client certs from Swing application started via Java WebStart

      I have a Java Webstart application that runs mostly on windows.  The application is launched from a Two-way Authenticated SSL site.  From the site, I know who the user is via a DN stored it their certificate.  

      The problem I'm running into is once I launch the Web Start Application.  The webstart application talks over JMS to several servers.  I need to sign each message from the client with the user's cert and then verify the signature at the server.

      On the server, I can query an enterprise LDAP server to fetch all user's public keys to verify signatures.  So, that's no problem.

      My question is....How do I access the user's certificate from the Java Web Start app to sign outbound messages?  I tried an example using MSCAPI like this: Keystore.getInstance("Windows-MY")  This seems to work on XP 32bit but not Windows 7 64bit.  

      I've thought about passing the user's DN to the Web Start through a parameter in a run-time generated JNLP.  That will at least let me which key I should be looking for in their certificate store.

      Thanks for any advice......
        • 1. Re: Read client certs from Swing application started via Java WebStart
          Having access to your clients' certificates is not enough. One signs with the private key associated with the public key contained in a certificate and not with the certificate. The certificate can only be used to verify the signature and identify the owner. In general a client should be unwilling to let you have access to his private key since this allows you to pretend to be him (which on the surface you actually seem to be trying to do).
          • 2. Re: Read client certs from Swing application started via Java WebStart
            That's exactly right....the Web Start application needs to use an end user's key. The web start application is run by the end user and should use their key.

            In my customer's environment, each user has a PKI certificate installed in their web browser's certificate store. They use this certificate to authenticate to a website that hosts a JNLP file. They also use these certificates to sign email (but that's not related to this post)

            Once the user launches the Webstart, The webstart application needs to figure out who the user is and sign all JMS traffic (as the user). Signing as the user does a couple of things:
            1. authenticates who the user is
            2. the signature is salted with a timestamp to try to mitigate against man in the middle attacks

            One option I've thought of is to create a new keystore in the user's home directory when the WebStart app starts. The app can ask the user to provide their PKI (at which time they will have to authenticate the cert they are installing). A simpler route (for the user) would be for the webstart application to access their certificate store which already contains the key I want to use.

            I see a certificates area in the "javaws -viewer" control panel. This store looks a lot like the certifcate store baked in to Internet Explorer......but I have no idea how to access that certificate store.

            Edited by: user3571899 on Aug 4, 2012 1:57 PM
            • 3. Re: Read client certs from Swing application started via Java WebStart
              That's what the Sun MSCAPI is for. It's a security provider that you install and lets you see the Windows keystore.
              • 4. Re: Read client certs from Swing application started via Java WebStart
                Do you have an example of MSCAPI that works on Windows 7 64 bit using java 6? It doesn't work for me. XP 32 bit works fine.

                Here's the bug:

                Here's a discussion of the problem:
                Re: SunMSCAPI in 64-bit J2SE distributions

                My customer has LOTS of computers. Updating java with a custom DLL isnt an option. I find it interesting that Oracle/Sun has decided to leave the bug in 6 but fix it in 7.

                So far, it looks like making my own keystore is my best option.