1 Reply Latest reply on May 9, 2011 3:59 AM by handat

    KeyUsage does not allow digital signatures


      I'm getting the "security: KeyUsage does not allow digital signatures" error (in the Java log) when trying to authenticate our web-based Java app using a smart card (CAC). The smart card authentication works fine on one test system, but not the other. Both are using the same 'certificate' (we believe). Both have the same IIS 6.0 settings and the same Java settings, as well as IE browser settings.

      Visually, the symptom presents itself via the Sun Java login prompt when clicking the link to load the Java app. We have an ASP client that works fine. Only our Java app is asking for re-authentication. If we manually type the credentials of a system admin, it loads the applet fine. What I can't figure out is, "Why are we getting prompted for a log-in to begin with?"

      Note: We have verified (via the IIS logs) that IIS authentication is successful, yet we are still prompted.

      Here is a snippet of the Java log:

      security: Checking if SSL certificate is in Deployment permanent certificate store
      security: KeyUsage does not allow digital signatures
      Exception in thread "HandshakeCompletedNotify-Thread" java.util.ConcurrentModificationException
      at java.util.HashMap$HashIterator.nextEntry(Unknown Source)
      at java.util.HashMap$EntryIterator.next(Unknown Source)
      at java.util.HashMap$EntryIterator.next(Unknown Source)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl$NotifyHandshakeThread.run(Unknown Source)
      network: Firewall authentication: site=sditap10086.afsac.wpafb.af.mil/, protocol=https, prompt=, scheme=ntlm
      java.io.IOException: Server returned HTTP response code: 401 for URL: https://sditap10086.afsac.wpafb.af.mil/report.web/ASP/insight-inpage.jar
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)

      Any clues?
        • 1. Re: KeyUsage does not allow digital signatures
          One of the KeyUsage extension bits is DIGITAL_SIGNATURE, which in your case has most likely not been enabled, so try getting a certificate signed with the DIGITAL_SIGNATURE bit enabled. It would be a good idea to actually have a look at your certificate to see which KeyUsage bits are enabled and whether the KeyUsage extension is set as critical or not. If the extension is defined as critical, then all the bits have to be followed, whereas if it is not critical, then the bits can be ignored, and it depends on the API used whether it enforces what the bits say.
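          The reply above says to look at which KeyUsage bits are set and whether the extension is critical. The quickest check on a PEM export of the card's certificate is `openssl x509 -in cert.pem -noout -text`, which prints a line such as `X509v3 Key Usage: critical` followed by the enabled usages. The following is an added example, not code from the thread or from the Java plug-in: it decodes a DER-encoded KeyUsage Extension with only the Python standard library and applies the same decision the log message reports, with the critical / non-critical distinction the reply describes modelled as a flag. The three sample extensions are hand-encoded constructed DER for illustration, not taken from any real card; the function names are this example's own.

```python
"""Decode an X.509 KeyUsage extension from DER and check the digitalSignature bit.

Added example (not from the original thread). A minimal DER TLV reader is enough
because a KeyUsage Extension has a small fixed shape (RFC 5280, section 4.2.1.3):

    Extension ::= SEQUENCE {
        extnID    OBJECT IDENTIFIER,     -- 2.5.29.15 for KeyUsage
        critical  BOOLEAN DEFAULT FALSE, -- omitted in DER when FALSE
        extnValue OCTET STRING }         -- wraps a BIT STRING of usage flags
"""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15

# Bit positions of the KeyUsage BIT STRING, RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_key_usage_extension(der):
    """Parse a DER Extension for KeyUsage; return (critical, set of usage names)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                        # optional BOOLEAN 'critical'
        critical = val != b"\x00"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(val)           # the OCTET STRING wraps a BIT STRING
    if tag != 0x03 or not bits:
        raise ValueError("extnValue must wrap a BIT STRING")
    unused = bits[0]                       # first byte = number of unused trailing bits
    payload = bits[1:]
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return critical, usages


def allows_digital_signature(der, enforce_non_critical=True):
    """Mirror the decision behind "KeyUsage does not allow digital signatures".

    Returns True when the certificate may be used to sign, e.g. for TLS client
    authentication. A critical extension is always enforced; a non-critical one
    is enforced only when enforce_non_critical is set, which models the
    API-dependent behaviour the reply describes (the Java plug-in enforces it).
    """
    critical, usages = parse_key_usage_extension(der)
    if "digitalSignature" in usages:
        return True
    return not (critical or enforce_non_critical)


# Constructed sample extensions (hand-encoded DER, not from any real card).
# critical, digitalSignature + keyEncipherment -> passes.
EXT_SIGN_AND_ENCIPHER = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
# non-critical, keyEncipherment only -> the bit the error complains about is missing.
EXT_ENCIPHER_ONLY = bytes.fromhex("300b0603551d0f04040302" "0520")
# critical, keyEncipherment only -> must be rejected by every conforming API.
EXT_CRITICAL_ENCIPHER_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020520")

if __name__ == "__main__":
    samples = [("sign+encipher (critical)", EXT_SIGN_AND_ENCIPHER),
               ("encipher only (non-critical)", EXT_ENCIPHER_ONLY),
               ("encipher only (critical)", EXT_CRITICAL_ENCIPHER_ONLY)]
    for label, ext in samples:
        critical, usages = parse_key_usage_extension(ext)
        print(f"{label}: critical={critical} usages={sorted(usages)} "
              f"digitalSignature ok={allows_digital_signature(ext)}")
```

          To apply this to a real certificate, pull the KeyUsage extension bytes out of the card's certificate with any ASN.1 tool and feed them to `parse_key_usage_extension`; on the two test systems in the question, the expected difference is either a missing digitalSignature bit or a different certificate being selected on the failing machine.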