This content has been marked as final. Show 4 replies
Having access to your clients' certificates is not enough. One signs with the private key associated with the public key contained in a certificate and not with the certificate. The certificate can only be used to verify the signature and identify the owner. In general a client should be unwilling to let you have access to his private key since this allows you to pretend to be him (which on the surface you actually seem to be trying to do).
That's exactly right....the Web Start application needs to use an end user's key. The web start application is run by the end user and should use their key.
In my customer's environment, each user has a PKI certificate installed in their web browser's certificate store. They use this certificate to authenticate to a website that hosts a JNLP file. They also use these certificates to sign email (but that's not related to this post)
Once the user launches the Webstart, The webstart application needs to figure out who the user is and sign all JMS traffic (as the user). Signing as the user does a couple of things:
1. authenticates who the user is
2. the signature is salted with a timestamp to try to mitigate against man in the middle attacks
One option I've thought of is to create a new keystore in the user's home directory when the WebStart app starts. The app can ask the user to provide their PKI (at which time they will have to authenticate the cert they are installing). A simpler route (for the user) would be for the webstart application to access their certificate store which already contains the key I want to use.
I see a certificates area in the "javaws -viewer" control panel. This store looks a lot like the certifcate store baked in to Internet Explorer......but I have no idea how to access that certificate store.
Edited by: user3571899 on Aug 4, 2012 1:57 PM
Do you have an example of MSCAPI that works on Windows 7 64 bit using java 6? It doesn't work for me. XP 32 bit works fine.
Here's the bug:
Here's a discussion of the problem:
Re: SunMSCAPI in 64-bit J2SE distributions
My customer has LOTS of computers. Updating java with a custom DLL isnt an option. I find it interesting that Oracle/Sun has decided to leave the bug in 6 but fix it in 7.
So far, it looks like making my own keystore is my best option.