JDK-8144604

Problem with SSL Client Authentication having multiple certificates on smartcard

    Details

    • CPU:
      x86_64
    • OS:
      windows_7

      Description

      FULL PRODUCT VERSION :
      1.8.0.60

      ADDITIONAL OS VERSION INFORMATION :
      Windows 7 / Windows 8.1 32-bit or 64-bit

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Tomcat 7.0.60, configured HTTPS with SSL client authentication required

      A DESCRIPTION OF THE PROBLEM :
      Calling a JNLP via javaws
      Smartcard with 3 certificates (for authentication, signing and encryption) on the card connected via a smartcard middleware (different card types and different middlewares tested with the same result)
      The smartcard middleware propagates the certificates via CSP successfully to the Windows certificate store.
      The certificates all have the same common name.

      Calling a website on that tomcat via Internet Explorer works fine, all relevant certificates are displayed and can be selected for Client authentication.

      Issue with Java:
      Calling in the same environment a JNLP page via Java Web Start, the Java Certificate Popup comes up. Java displays 3 certificates but refers always to the first certificate on the card (verified by the certificate serial number – I can click into the details of all 3 certificates and get always presented the first certificate). It seems that if the first certificate on the card is no login certificate, I do not get a certificate presented in the popup at all.
      As soon as the certificates have different Common names, the login seems to work, so obviously there seems to be a bug in Java, so that certificate based login is not possible as soon as a CN is used multiple times.
      Hint: Friendly name is also not set / not possible to set via Windows CSP smartcard propagation. As soon as a friendly name is set manually it also works (which is not an option in a production environment)


      REGRESSION. Last worked in version 8u45

      ADDITIONAL REGRESSION INFORMATION:
      It properly worked in 1.8.0_40-b26.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      See description

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Java popup should show all certificates instead of one single three times.
      ACTUAL -
      Java popup shows three certificates, which however all refer to the first certificate on the card.

      REPRODUCIBILITY :
      This bug can be reproduced always.
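
A diagnostic for the behaviour described above, added here as an example (not code from the report or from the JDK project): it lists what Java's `Windows-MY` keystore returns for each alias so the serial numbers can be compared with the ones Windows shows for the same store. It assumes a Windows host with the SunMSCAPI provider and the smartcard certificates already propagated to the current user's store; the class name is hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class ListWindowsMyAliases {
    // X.509 keyUsage bit names, in the order returned by getKeyUsage()
    static final String[] USAGE = {"digitalSignature", "nonRepudiation",
        "keyEncipherment", "dataEncipherment", "keyAgreement",
        "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};

    static String usages(X509Certificate c) {
        boolean[] bits = c.getKeyUsage();
        if (bits == null) return "(no keyUsage extension)";
        StringJoiner j = new StringJoiner(",");
        for (int i = 0; i < bits.length && i < USAGE.length; i++)
            if (bits[i]) j.add(USAGE[i]);
        return j.toString();
    }

    public static void main(String[] args) throws Exception {
        // Current user's personal store, as exposed by SunMSCAPI
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        // issuer + serial identifies a certificate; collect the aliases that map to it
        Map<String, List<String>> aliasesByCert = new TreeMap<>();
        int entries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            entries++;
            String serial = x.getSerialNumber().toString(16);
            System.out.printf("alias=%s serial=%s subject=%s keyEntry=%b usage=%s%n",
                alias, serial, x.getSubjectX500Principal().getName(),
                ks.isKeyEntry(alias), usages(x));
            String id = x.getIssuerX500Principal().getName() + "#" + serial;
            aliasesByCert.computeIfAbsent(id, k -> new ArrayList<>()).add(alias);
        }

        System.out.println(entries + " entries enumerated, "
            + aliasesByCert.size() + " distinct certificates returned");
        // Several entries resolving to one certificate matches the reported symptom
        aliasesByCert.forEach((id, aliases) -> {
            if (aliases.size() > 1)
                System.out.println("SAME CERTIFICATE for aliases " + aliases + ": " + id);
        });
    }
}
```

If three entries are enumerated but only one distinct certificate is returned, the keystore lookup resolves every entry to the same certificate, which is the symptom reported for certificates sharing a common name.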

              People

              • Assignee:
                alitvinov Anton Litvinov
                Reporter:
                webbuggrp Webbug Group