cdfly asked:

SSLSocket in Applet

Hello,
I have an applet that allows users to upload files to a server. When the user uploads the file(s) the applet makes a connection using an SSLSocket and the user's smart card. The applet is unable to upload any files, it always gets a 403.7 error.
I wrote a small console app and it is able to make the connection and return a page, the exact same code fails in the applet with the 403.7 error. I have verified that the applet is reading the certs off the smart card.
Thanks
Java

Last Comment: CEHJ, 8/22/2022 - Mon
for_yan

Is this a signed applet?

Does it make a connection to the same server from which it was loaded (from which was served the HTML page with the applet tag) ?
for_yan

It is probably a signed applet as otherwise it would not read a smart card, correct?
for_yan

for_yan

Did you see these trails?
I don't think there is a solution there, but the situation seems to be very similar:

http://www.tek-tips.com/viewthread.cfm?qid=1673598

https://forums.oracle.com/forums/thread.jspa?threadID=2241443
ASKER
cdfly

The tek-tips post is actually one of my old posts. This is a self-signed applet, not sure why the console code works but it has a problem in the applet
CEHJ

Please post the full output from the Java Console, if necessary putting the trace level up to max (5)

You will of course need to import the server cert into your client's truststore unless the cert is a 'proper' official one with intact chain
ASKER
cdfly

Hi,
I'm attaching the trace file.

Thanks for the help
console-trace.txt
CEHJ

It looks like a client cert problem rather than a server cert problem. If your application manages to work with the same IIS server, make sure that the same trust store is being used in the applet. Your app working implies that you have got a client cert installed and being used when a client of that IIS server
ASKER
cdfly

I'm not sure I understand. In the code, both in the console app and the applet, I get the keystore from the smart card using an alias that I know exists. Are you thinking that my app is using something else?
When I first tried my console app it was failing with the same 403 error until I specified the alias, and then it started working.

Can you tell me how to be sure the applet is using the same trust store as the console app?


Thanks
CEHJ

C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts is what the applet is using. If you run the app with

 java -Djavax.net.debug=ssl

it will tell you.

btw, by what means are you telling

a. the applet which alias to use?
b. the application which alias to use?
ASKER
cdfly

This is what I had to add to make my console app work; I had to use the alias on the smart card.
   // Imports this fragment relies on
   import java.net.Socket;
   import java.security.KeyStore;
   import java.security.Principal;
   import java.security.PrivateKey;
   import java.security.cert.X509Certificate;
   import javax.net.ssl.KeyManager;
   import javax.net.ssl.X509KeyManager;

   // Alias of the client cert on the smart card; keyStore and aSmartCardPIN are set up elsewhere
   String alias="cert alias";

   // Pin the key manager to that one alias instead of letting JSSE choose
   managers = new KeyManager[] { new AliasKeyManager(keyStore, alias, aSmartCardPIN) };

  // Key manager that always answers with the configured alias
  private static class AliasKeyManager implements X509KeyManager
	{

		private KeyStore _ks;
		private String _alias;
		private String _password;

		public  AliasKeyManager(KeyStore ks, String alias, String password)
		{
			_ks = ks;
			_alias = alias;
			_password = password;
		}

		// Called by JSSE when the server requests a client certificate
		public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
		{
			return _alias;
		}

		public String chooseServerAlias(String str, Principal[] principal, Socket socket)
		{
			return _alias;
		}

		public X509Certificate[] getCertificateChain(String alias)
		{
			try
			{
				// KeyStore returns Certificate[]; this cast assumes the runtime array is X509Certificate[]
				return (X509Certificate[])_ks.getCertificateChain(alias);
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getClientAliases(String str, Principal[] principal)
		{
			return new String[] { _alias };
		}

		public PrivateKey getPrivateKey(String alias)
		{
			try
			{
				// The smart card PIN unlocks the private key
				return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getServerAliases(String str, Principal[] principal)
		{
			return new String[] { _alias };
		}

	}


CEHJ

And you're doing that in the applet too?
ASKER
cdfly

Correct, all the code is the same in the console app and the applet
ASKER CERTIFIED SOLUTION
CEHJ

ASKER
cdfly

I will try that. The console app was just a test to see if I could get connected, the applet is what I really need to get working.
Going through the trace I see
Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts
I think we should be using java 1.5_06, maybe it's using the wrong trust store, that would be an easy fix
CEHJ

Going through the trace I see ...

Yes, i mentioned that here

What did the application claim it was using as its truststore?
ASKER
cdfly

I didn't see that in the application, I will look again when I get back to the shop
CEHJ

java -Djavax.net.debug=ssl YourApp >application.txt 2>&1

should save it to file for you
ASKER
cdfly

I looked at the file; I'm not seeing the version though. I'm attaching both the ssl debug and all debug
application-debug-all.txt
application-debug-ssl.txt
CEHJ

I looked at the file I'm not seeing the version though.

That's strange. What command did you give to the app?

Also what was the result of adding debug code to your programmatic key management routines - are they called?
ASKER
cdfly

I ran the command you gave me
        java -Djavax.net.debug=ssl YourApp >application.txt 2>&1
        java -Djavax.net.debug=all YourApp >application.txt 2>&1

I didn't add debug code to key management routines yet, I will do that and post the results
ASKER
cdfly

The key management class is being created in both the console app and the applet, but the two following methods are being called in the application but not the applet:

    chooseClientAlias
    getCertificateChain

Full code of key management class:
// Imports this class relies on
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

// Key manager pinned to one alias, with console traces to see which methods JSSE calls
private static class AliasKeyManager implements X509KeyManager
	{

		private KeyStore _ks;
		private String _alias;
		private String _password;

		public  AliasKeyManager(KeyStore ks, String alias, String password)
		{
			System.out.println("Init ALiasKeyManager");
			_ks = ks;
			_alias = alias;
			_password = password;
		}

		public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
		{
			System.out.println("In ALiasKeyManager.chooseClientAlias returning alias:"+ _alias);
			return _alias;
		}

		public String chooseServerAlias(String str, Principal[] principal, Socket socket)
		{
			System.out.println("In ALiasKeyManager.chooseServerAlias returning alias:" + _alias);
			return _alias;
		}

		public X509Certificate[] getCertificateChain(String alias)
		{
			try
			{
				System.out.println("In ALiasKeyManager.getCertificateChain returning chain for alias:" + _alias);
				// KeyStore returns Certificate[]; this cast assumes the runtime array is X509Certificate[]
				return (X509Certificate[])_ks.getCertificateChain(alias);
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getClientAliases(String str, Principal[] principal)
		{
			System.out.println("In ALiasKeyManager.getClientAliases returning alias:" + _alias);
			return new String[] { _alias };
		}

		public PrivateKey getPrivateKey(String alias)
		{
			try
			{
				// The smart card PIN unlocks the private key
				return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
			}
			catch (Exception e)
			{
				e.printStackTrace();
				return null;
			}
		}

		public String[] getServerAliases(String str, Principal[] principal)
		{
			return new String[] { _alias };
		}

	}

CEHJ

the two following methods are being called in the application but not the applet

I thought that might be the case. In which applet method are you invoking the key management routines?
ASKER
cdfly

Before I left I noticed that when I compiled my application from the command line it compiled fine. I use Eclipse to compile my applet and I noticed that their implementation of the X509KeyManager calls for a couple of other methods. I need to double check when I get back to the office to see what methods the applet has that the application doesn't, but the chooseClientAlias and getCertificateChain methods are actually being called in my applet; it was just using methods with different signatures. When I get back tomorrow I will verify that those methods are actually returning something.
I have a method called testConnection that is running when the applet starts up; this is the method that is invoking the key management class.
CEHJ

when the applet starts up

Which method? The ctor?
ASKER
cdfly

I'm not sure I understand the question.
ASKER
cdfly

Ok, it's working now. When Eclipse added the other methods to the X509KeyManager class there were two chooseClientAlias methods, the method being called by the applet was different than the method being called in the console app and it was returning null. I changed the value being returned from null to _alias and all seems well now.
I appreciate all your help on this. I'm new to Experts Exchange but I think I accepted your answer correctly; if not, let me know.

Take care.
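As an added example (not code from the thread), here is the alias-pinning manager rewritten on top of X509ExtendedKeyManager: if the second chooseClientAlias-style method Eclipse generated was its chooseEngineClientAlias overload (the thread does not name it; that overload returns null unless overridden), overriding both selection paths makes the fix explicit, and selfCheck reproduces the debugging done in the thread by calling every path and flagging a null. The class name, the PKCS12 file argument and the "RSA" key type are assumptions.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;
// Added example (not the thread's code). Pins one smart-card alias and answers it from both
// the Socket and the SSLEngine selection overloads, so neither JSSE path gets a null back.
public class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore ks; private final String alias; private final char[] pin;
    public PinnedAliasKeyManager(KeyStore ks, String alias, char[] pin) throws KeyStoreException {
        // Fail fast: a wrong alias otherwise surfaces only as the server's 403.7
        if (!ks.isKeyEntry(alias)) throw new IllegalArgumentException("no key entry for alias " + alias);
        this.ks = ks; this.alias = alias; this.pin = pin;
    }
    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return alias; }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return alias; }
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return alias; }
    @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return alias; }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return new String[] { alias }; }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return new String[] { alias }; }
    @Override public X509Certificate[] getCertificateChain(String a) {
        try { // re-type the array; a bare (X509Certificate[]) cast can throw ClassCastException
            java.security.cert.Certificate[] c = ks.getCertificateChain(a);
            return c == null ? null : Arrays.copyOf(c, c.length, X509Certificate[].class);
        } catch (KeyStoreException e) { return null; }
    }
    @Override public PrivateKey getPrivateKey(String a) {
        try { return (PrivateKey) ks.getKey(a, pin); } catch (GeneralSecurityException e) { return null; }
    }
    // The check the thread did by hand: which selection path would hand JSSE a null (= no client cert sent)?
    public static String selfCheck(X509ExtendedKeyManager km, String[] keyTypes) {
        StringBuilder sb = new StringBuilder();
        String[] picks = { km.chooseClientAlias(keyTypes, null, null), km.chooseEngineClientAlias(keyTypes, null, null) };
        for (String a : picks) {
            sb.append("alias=").append(a);
            if (a != null) sb.append(" chain=").append(km.getCertificateChain(a) == null ? "MISSING" : "ok")
                             .append(" key=").append(km.getPrivateKey(a) == null ? "MISSING" : "ok");
            sb.append('\n');
        }
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {   // assumed args: <client.p12> <alias> <pin>
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (java.io.InputStream in = new java.io.FileInputStream(args[0])) { ks.load(in, args[2].toCharArray()); }
        PinnedAliasKeyManager km = new PinnedAliasKeyManager(ks, args[1], args[2].toCharArray());
        System.out.print(selfCheck(km, new String[] { "RSA" }));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null); // null trust managers = default truststore (cacerts)
    }
}
```

A smart-card keystore would be loaded through a PKCS11 provider instead of the PKCS12 file used here; the selection and self-check logic is the same.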
CEHJ

Good - glad you got it working :)