If the only purpose of the digital certificate (and its private-key) is for authenticating the user through your Swing application, why waste your time using the Mozilla library/keystore (or even IE's keystore)? Just export the keys and certificate to a PKCS12 file, and open the file directly with native JCE calls (making sure you use the SunJSSE provider to open the PKCS12 keystore file):
Your code will be simpler and easier to maintain without messing it up with JSS or SunPKCS11 translations to the Mozilla keystore.
Thanks for your response.
Since we have many users using the application, we don't want to load the keystore from each user. It is not just for authenticating the user through my Swing application; the user needs to access a web service via HTTPS. If I cannot find a solution to read the key from Firefox, I may have to end up asking the user to load their PKI in a certain directory and access it from there.
Still looking for a solution.
A private-key and its corresponding digital certificate in any keystore - including the Java Keystore can be used for all types of applications that use HTTPS - including web-services; it is not an exclusive feature of Firefox.
If your plan is to load every user's key and certificate from a common keystore, have you considered that a user may be able to masquerade as any user whose key/certificate is within the keystore and defeat the purpose of authentication? The goal of a Public Key Infrastructure is to provide strong authentication. This is only possible if you use the technology with the appropriate controls - in this case, ensuring that every user's keys/certificate are maintained separately and securely. This implies that every user's keys/certificate must be loaded individually when authenticating them to the remote server. To put all their keys/certificates in a single keystore (if I understand your implementation goals correctly) is to defeat the very security that a PKI enables.
Thanks for your response.
Every user has their own PKI which is already loaded in their own desktop/Firefox browser. This is the reason why I want to access the keystore from Firefox instead of asking each user to give my application their PKI file and password.
No, I don't plan to load every user's key and certificate from a common keystore. And YES, every user's key/certificates (PKCS12) will be loaded individually when authenticating them to the remote server. The server needs to know who the user is in order to grant permission for certain access.
I have not used JSS myself, but I do know that it is possible to use a Mozilla keystore from Java using the SunPKCS11 library in JCE; have you tried doing it that way? See http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html for details.
You can also find a working example of Java code accessing the Mozilla keystore using the SunPKCS11 bridge at http://sourceforge.net/projects/strongkey.
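As an added example (not code from this thread, nor from the strongkey project linked above), the following Java class shows both routes the replies discuss: opening a PKCS12 file that the user exported from Firefox, and opening the Firefox profile's own NSS key database through the SunPKCS11 bridge, then using either keystore for HTTPS client authentication. The class name, the file paths, the PKCS#11 config text and the `https://example.com` URL are assumptions for illustration; each user still unlocks their own key with their own password, so no keys are pooled in a shared keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/*
 * Example only. Loads the user's client certificate and private key either
 * from a PKCS12 file or from the Firefox NSS database, and builds an
 * SSLContext that presents it to a web service over HTTPS.
 *
 * The SunPKCS11 config file for the NSS route (an assumed example; adjust the
 * library directory and profile path for the machine) looks like this:
 *
 *   name = NSS-Firefox
 *   nssLibraryDirectory = /usr/lib/x86_64-linux-gnu   (directory holding libsoftokn3)
 *   nssSecmodDirectory = /home/alice/.mozilla/firefox/abcd1234.default
 *   nssDbMode = readOnly          (never modify the user's profile)
 *   nssModule = keystore          (expose the key database, not just crypto)
 */
public final class ClientCertLoader {

    private ClientCertLoader() {}

    /** Route (a): a PKCS12 file exported from Firefox ("Backup..." in the certificate manager). */
    public static KeyStore loadPkcs12(Path p12File, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12File.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Route (b): the Firefox profile's NSS key database via the SunPKCS11 bridge. */
    public static KeyStore loadFirefoxNss(Path pkcs11Config, char[] masterPassword) throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from the config file.
        // On Java 6-8 the equivalent is: new sun.security.pkcs11.SunPKCS11(pkcs11Config.toString())
        Provider nss = Security.getProvider("SunPKCS11").configure(pkcs11Config.toString());
        Security.addProvider(nss);
        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        // No input stream for a token; the password logs in to NSS with the Firefox
        // master password (use an empty char[] if the user never set one).
        ks.load(null, masterPassword);
        return ks;
    }

    /** Wrap the keystore in an SSLContext that performs TLS client authentication. */
    public static SSLContext clientContext(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers = the JRE's default trust store; do not install an
        // accept-everything TrustManager, or the server is no longer authenticated.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Key store / master password: ");
        KeyStore ks = args.length > 0 && args[0].equals("nss")
                ? loadFirefoxNss(Paths.get("nss-firefox.cfg"), pin)      // assumed config path
                : loadPkcs12(Paths.get(System.getProperty("user.home"), "me.p12"), pin); // assumed file

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://example.com/service").openConnection(); // assumed URL
        conn.setSSLSocketFactory(clientContext(ks, pin).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        java.util.Arrays.fill(pin, '\0'); // drop the password from memory once used
    }
}
```

With the NSS route the private key stays inside the Firefox key database and is only unlocked by the user's master password at runtime, which is what keeps each user's credential separate as the earlier reply insists; the PKCS12 route gives the same property provided each user keeps their own exported file and its password. In both cases the application never holds more than the current user's key.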