8 Replies. Latest reply: Mar 4, 2012 5:34 PM by 876346

Browser Keystores question

862518 Newbie
Hi all,

Does anyone know how to configure Java Plugin 6 to use the Firefox keystore, either in Windows or in Linux environments?

I installed and configured 'JSS' based on the information available at http://download.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/keystores.html

but still the plugin is not using the keys from Firefox keystore.

I followed these steps from the URL:
Linux / Solaris
1. Create jss directory under Mozilla's installed directory.
2. Copy JSS JAR file into the jss directory.
3. Copy JSS native library .so into Mozilla's installed directory.
4. Set environment variable MOZILLA_HOME to Mozilla's installed directory in Mozilla's launch script.
5. Change environment variable LD_LIBRARY_PATH to include Mozilla's installed directory in Mozilla's launch script.


How can I tell if my Mozilla loads the JSS library? I ran the command "strace -o /tmp/check -f firefox",
and in the file /tmp/check I see it load up libjss4.so: open("...libjss4.so/tls/i686/...libX11.so.5 ...)

I downloaded libjss4.so from https://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_5_RTM/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib/libjss4.so
and jss4.jar from https://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_5_RTM

My Firefox version is 3.6.10
My machine is Linux 2.6.9-89

Can anyone provide any tips on getting JSS working to allow access from a Java application to the Firefox keystore, in order to access a mutually authenticated SSL server?

Thanks very much
  • 1. Re: Browser Keystores question
    handat Expert
    You can either add sun.security.pkcs11.SunPKCS11 to java.security or dynamically load the provider to use the PKCS#11 bridge that jss4.jar provides to allow you to access the Mozilla store, or alternatively, you can directly access it through the org.mozilla.jss.CryptoManager API.
  • 2. Re: Browser Keystores question
    862518 Newbie
    Hi,

    Thanks for your response. I've been searching/working from your response to find the answer.

    I tried to access the keystore through the org.mozilla.jss.CryptoManager API. I can only retrieve the certificates. I need to get the keystore to get SSL access to my https connection. How can I do that?

    Thanks
  • 3. Re: Browser Keystores question
    handat Expert
    To connect to https, you don't actually need anything except to trust the certificate if it's not CA signed, unless you are trying to do client authentication.
  • 4. Re: Browser Keystores question
    862518 Newbie
    Yes, we deal with a CA signed certificate. I'm doing client authentication.
  • 5. Re: Browser Keystores question
    handat Expert
    You should have a look at the JSS/NSS sample code (under mozilla\security\jss\org\mozilla\jss\tests) provided by Netscape/Mozilla, in particular JSS_SSLClient.java
  • 6. Re: Browser Keystores question
    862518 Newbie
    Hi,

    Thanks for your suggestion. Using JSS_SSLClient.java I'm able to make an SSLSocket connection happen. However, I need an HttpsURLConnection connection instead of an SSLSocket connection. Is there a way I can do this?

    Thanks
  • 7. Re: Browser Keystores question
    handat Expert
    HttpsURLConnection.setDefaultSSLSocketFactory(new CustomMozillaSSLFactory());

    where you write your own CustomMozillaSSLFactory class with all the stuff you need.
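
The route described in replies 1 and 7, as an added example that is not part of the original thread and is not JSS code: it configures the JDK's own SunPKCS11 provider in NSS mode, opens the Firefox database read-only as a `PKCS11` keystore, and hands its client key to one `HttpsURLConnection`. The class name, the provider name `FirefoxNSS`, both directory paths and the use of `args[0]` as the URL are assumptions; `Provider.configure` needs Java 9 or later (on Java 6 to 8 the provider was built with the `sun.security.pkcs11.SunPKCS11` constructor instead).

```java
import java.io.Console;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class NssClientAuth {
    // Assumed paths: the directory holding the NSS shared libraries and the Firefox profile.
    static final String NSS_LIB_DIR = "/usr/lib64";
    static final String PROFILE_DIR = "/home/user/.mozilla/firefox/PROFILE.default";

    static String nssConfig(String libDir, String profileDir) {
        return "name = FirefoxNSS\n"
             + "nssLibraryDirectory = " + libDir + "\n"
             // Legacy key3.db/cert8.db profile; key4.db/cert9.db profiles need a "sql:" prefix.
             + "nssSecmodDirectory = " + profileDir + "\n"
             + "nssDbMode = readOnly\n"            // never write to the browser profile
             + "attributes = compatibility\n";
    }

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("nss", ".cfg");
        Files.write(cfg, nssConfig(NSS_LIB_DIR, PROFILE_DIR).getBytes("UTF-8"));
        // Registering the provider lets the TLS stack sign with the token-resident key.
        Provider nss = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(nss);

        // The PIN is the Firefox master password; read it without echo, not from argv.
        Console console = System.console();
        char[] pin = console != null ? console.readPassword("NSS master password: ") : null;
        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        ks.load(null, pin);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);

        // Null trust managers: server validation stays with the JRE default trust store.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        HttpsURLConnection con = (HttpsURLConnection) new URL(args[0]).openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only, not the JVM default
        System.out.println("HTTP " + con.getResponseCode() + " via " + con.getCipherSuite());
    }
}
```

Setting the factory per connection, rather than through `setDefaultSSLSocketFactory`, keeps the client certificate from being offered on every other HTTPS connection the JVM makes.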
  • 8. Re: Browser Keystores question
    876346 Newbie
    Dear sir/madam,
    I am currently working on a PKI plugin. I need to access NSS through JSS, and I don't understand how to use JSS in Java (how to install it). I have added jss4.jar to the classpath in NetBeans and I am getting the following error for this code:



    import org.mozilla.jss.CryptoManager;
    import org.mozilla.jss.crypto.*;

    public class NewEmpty {

        public static void main(String args[]) throws Exception {
            /*if( args.length > 2) {
                System.out.println(
                    "Usage: java org.mozilla.jss.tests.ListCACerts <dbdir> [verbose]");
                System.exit(1);
            }*/
            try {
                // initialize() takes the directory that holds the NSS databases,
                // not the path of the key3.db file itself.
                CryptoManager.initialize("/home/sumanth/.mozilla/firefox/ctdip467.default");
                CryptoManager cm = CryptoManager.getInstance();

                X509Certificate[] certs = cm.getCACerts();

                // added verbose option to limit the output of the tinderbox
                // and nightly QA.

                System.out.println("Number of CA certs: " + certs.length);
                System.out.println("use option \"verbose\" if you want the CA " +
                    "certs printed out");
                if (args.length == 2 && args[1].equalsIgnoreCase("verbose")) {
                    for (int i = 0; i < certs.length; ++i) {
                        // index the array: the element, not the array, has getSubjectDN()
                        System.out.println(certs[i].getSubjectDN().toString());
                        InternalCertificate ic = (InternalCertificate) certs[i];
                        System.out.println("SSL: " + ic.getSSLTrust() +
                            ", Email: " + ic.getEmailTrust() +
                            ", Object Signing: " + ic.getObjectSigningTrust());
                    }
                }

            } catch (Throwable e) {
                e.printStackTrace();
                System.exit(1);
            }
            System.exit(0);
        }
    }



    error:


    java.lang.UnsatisfiedLinkError: no jss4 in java.library.path
         at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1738)
         at java.lang.Runtime.loadLibrary0(Runtime.java:823)
         at java.lang.System.loadLibrary(System.java:1028)
         at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1443)
         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:912)
         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:885)
         at NewEmpty.main(NewEmpty.java:15)
    Java Result: 1
