5 Replies Latest reply: May 30, 2011 11:04 PM by Arshad Noor RSS

    Java able to read PKI from Mozilla

    862518
      I need to have my java Swing application able to use PKI authenticate for User Login. My application is running on Linux. I'm not able to have my application read PKI from Mozilla. It is able to read PKi certificate from IE on Window.

      I follow the instruction from http://download.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/keystores.html to install JSS in Mozilla , and it still doesn't work.

      Any suggestion/help will be big support for me.

      Thanks,
        • 1. Re: Java able to read PKI from Mozilla
          Arshad Noor
          If the only purpose of the digital certificate (and its private-key) is for authenticating the user through your Swing application, why waste your time using the Mozilla library/keystore (or even IE's keystore)? Just export the keys and certificate to a PKCS12 file, and open the file directly with native JCE calls (making sure you use the SunJSSE provider to open the PKCS12 keystore file):

          http://download.oracle.com/javase/6/docs/api/java/security/KeyStore.html
          http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

          Your code will be simpler and easier to maintain without messing it up with JSS or SunPKCS11 translations to the Mozilla keystore.

          Arshad Noor
          StrongAuth, Inc.
          • 2. Re: Java able to read PKI from Mozilla
            862518
            Hi,

            Thanks for your response.

            Since we have many users use the application, we don't want to load the keystore from each user. It is not just for authenticating the user through my Swing application, the user needs to access to web service via HTTPS. If I cannot find the solution to read key from firefox,
            I may have to end up asking the user to load their PKI in certain directory and access from there.

            Still looking for solution

            Thanks,
            • 3. Re: Java able to read PKI from Mozilla
              Arshad Noor
              A private-key and its corresponding digital certificate in any keystore - including the Java Keystore can be used for all types of applications that use HTTPS - including web-services; it is not an exclusive feature of Firefox.

              If your plan is to load every users key and certificate from a common keystore, have you considered that a user may be able to masquerade as any user whose key/certificate is within the keystore and defeat the purpose of authentication? The goal of a Public Key Infrastructure is to provide strong-authentication. This is only possible if you use the technology with the appropriate controls - in this case, ensuring that every user's keys/certificate are maintained separately and securely. This implies that every user's keys/certificate must be loaded individually when authenticating them to the remote server. To put all their keys/certificates in a single keystore (if I understand your implementation goals correctly) is to defeat the very security that a PKI enables.

              Arshad Noor
              StrongAuth, Inc.
              • 4. Re: Java able to read PKI from Mozilla
                862518
                HI,

                Thanks for your response.

                Every user has their own PKI which is already loaded in their own desktop/Firefox browser. This is the reason why I want to access the keystore from Firefox instead of asking each user to give my application their PKI file and password.

                No, I don't plan to load every users key and certificate from a common keystore. And YES, every user's key/certificates (PKCS12) will be loaded individually when authenticating them to the remote server. The server needs to know who the user is in order to grant permission for certain access.

                Thanks
                • 5. Re: Java able to read PKI from Mozilla
                  Arshad Noor
                  I have not used JSS myself, but I do know that it is possible to use a Mozilla keystore from Java using the SunPKCS11 library in JCE; have you tried dong it that way? See http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html for details.

                  You can also find a working example of Java code accessing the Mozilla keystore using the SunPKCS11 bridge at http://sourceforge.net/projects/strongkey.

                  Arshad Noor
                  StrongAuth, Inc.