Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8184903

Applets save cache certificates passwords

    Details

    • Subcomponent:
    • CPU:
      x86
    • OS:
      windows_10

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_131"
      Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
      Java HotSpot(TM) Client VM (build 25.131-b11, mixed mode, sharing)

      ADDITIONAL OS VERSION INFORMATION :
      Windows 10 Pro

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Internet Explorer 11

      A DESCRIPTION OF THE PROBLEM :
      When we have to use a certificate for the first time (for authenticating o signing) on an applet we are requested to introduce the password. Since this moment the password is not required any more for the rest of applets that need to access to the certifcate.

      We assume that the password is saved in cache, but this is a very high security problem because every program that need to authenticate or sign does not need to ask for the passwork and could do whatever it wants.

      On the other hand, people who has chosen a high security option when they imported their certificates are annoyed with this funcionality because their certificates can be used without thier permission (and knowledge).

      REGRESSION. Last worked in version 8u111

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.8.0_111"
      Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
      Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Import a certificate inside Internet Explorer with high security level.
      - Set a password for the private key access
      - Use an application which has an applet and needs access to the certificate key (for authenticate or for singing)
      - Write the password to access de private certificate key
      - Use the same application or another one with an applet which needs access to the certificate key
      - Now the password is not required.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I would expect that every time an applet need to access to the private certificate key, the certificate key password would be required
      ACTUAL -
      The private certificate key is required just one time, and the rest of applets do not need to ask for the password and have free access to the private key

      REPRODUCIBILITY :
      This bug can be reproduced always.

        Attachments

          Activity

            People

            • Assignee:
              pardesha Pardeep Sharma
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: