SSLSocket in Applet

Hello,
I have an applet that allows users to upload files to a server. When the user uploads the file(s), the applet makes a connection using an SSLSocket and the user's smart card. The applet is unable to upload any files; it always gets a 403.7 error.
I wrote a small console app and it is able to make the connection and return a page; the exact same code fails in the applet with the 403.7 error. I have verified that the applet is reading the certs off the smart card.
Thanks
cdflyAsked:
 
CEHJCommented:
I would add logging code in your alias manager class. For one thing, you need to establish whether it's been used at all.

Of course you could always simply distribute your working app with Web Start; then you might no longer need your applet.
0
 
for_yanCommented:
Is this a signed applet?

Does it make a connection to the same server from which it was loaded (from which was served the HTML page with the applet tag) ?
0
 
for_yanCommented:
It is probably a signed applet, as otherwise it would not read a smart card, correct?
0
 
for_yanCommented:
Did you see these threads?
I don't think there is a solution there, but the situation seems to be very similar:

http://www.tek-tips.com/viewthread.cfm?qid=1673598

https://forums.oracle.com/forums/thread.jspa?threadID=2241443
0
 
cdflyAuthor Commented:
The tek-tips post is actually one of my old posts. This is a self-signed applet; I'm not sure why the console code works but it has a problem in the applet.
0
 
CEHJCommented:
Please post the full output from the Java Console, if necessary putting the trace level up to max (5).

You will of course need to import the server cert into your client's truststore unless the cert is a 'proper' official one with an intact chain.
0
 
cdflyAuthor Commented:
Hi,
I'm attaching the trace file.

Thanks for the help
console-trace.txt
0
 
CEHJCommented:
It looks like a client cert problem rather than a server cert problem. If your application manages to work with the same IIS server, make sure that the same trust store is being used in the applet. Your app working implies that you have got a client cert installed and being used when acting as a client of that IIS server.
0
 
cdflyAuthor Commented:
I'm not sure I understand. In the code, both in the console app and the applet, I get the keystore from the smart card using an alias that I know exists. Are you thinking that my app is using something else?
When I first tried my console app it was failing with the same 403 error until I specified the alias, and then it started working.

Can you tell me how to be sure the applet is using the same trust store as the console app?


Thanks
0
 
CEHJCommented:
C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts is what the applet is using. If you run the app with

 java -Djavax.net.debug=ssl

it will tell you.

btw, by what means are you telling

a. the applet which alias to use?
b. the application which alias to use?
0
 
cdflyAuthor Commented:
This is what I had to add to make my console app work; I had to use the alias on the smart card.

// Imports needed by the snippet and class below
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.X509KeyManager;

    String alias = "cert alias";

    // Force the handshake to present this one alias rather than letting the default key manager pick
    managers = new KeyManager[] { new AliasKeyManager(keyStore, alias, aSmartCardPIN) };

// Key manager that always answers with a single, fixed alias from the (smart card) keystore
private static class AliasKeyManager implements X509KeyManager
{
    private KeyStore _ks;
    private String _alias;
    private String _password;   // the smart card PIN; may be null if the token does not need one here

    public AliasKeyManager(KeyStore ks, String alias, String password)
    {
        _ks = ks;
        _alias = alias;
        _password = password;
    }

    // Called by the client side of the handshake when the server requests a certificate
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
    {
        return _alias;
    }

    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
    {
        return _alias;
    }

    public X509Certificate[] getCertificateChain(String alias)
    {
        try
        {
            Certificate[] chain = _ks.getCertificateChain(alias);
            if (chain == null)
            {
                return null;
            }
            // Copy element by element: a blanket cast of Certificate[] to X509Certificate[]
            // throws ClassCastException for keystores that return a plain Certificate[]
            X509Certificate[] x509Chain = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++)
            {
                x509Chain[i] = (X509Certificate) chain[i];
            }
            return x509Chain;
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getClientAliases(String keyType, Principal[] issuers)
    {
        return new String[] { _alias };
    }

    public PrivateKey getPrivateKey(String alias)
    {
        try
        {
            return (PrivateKey) _ks.getKey(alias, _password == null ? null : _password.toCharArray());
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getServerAliases(String keyType, Principal[] issuers)
    {
        return new String[] { _alias };
    }
}

0
 
CEHJCommented:
And you're doing that in the applet too?
0
 
cdflyAuthor Commented:
Correct, all the code is the same in the console app and the applet.
0
 
cdflyAuthor Commented:
I will try that. The console app was just a test to see if I could get connected, the applet is what I really need to get working.
Going through the trace I see:

Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts

I think we should be using Java 1.5_06; maybe it's using the wrong trust store. That would be an easy fix.
0
 
CEHJCommented:
Going through the trace I see ...

Yes, I mentioned that here.

What did the application claim it was using as its truststore?
0
 
cdflyAuthor Commented:
I didn't see that in the application; I will look again when I get back to the shop.
0
 
CEHJCommented:
java -Djavax.net.debug=ssl YourApp >application.txt 2>&1

should save it to file for you.
0
 
cdflyAuthor Commented:
I looked at the file; I'm not seeing the version though. I'm attaching both the ssl debug and the all debug.
application-debug-all.txt
application-debug-ssl.txt
0
 
CEHJCommented:
I looked at the file I'm not seeing the version though.

That's strange. What command did you give to the app?

Also, what was the result of adding debug code to your programmatic key management routines? Are they called?
0
 
cdflyAuthor Commented:
I ran the command you gave me:

java -Djavax.net.debug=ssl YourApp >application.txt 2>&1
java -Djavax.net.debug=all YourApp >application.txt 2>&1

I didn't add debug code to the key management routines yet; I will do that and post the results.
0
 
cdflyAuthor Commented:
The key management class is being created in both the console app and the applet, but the two following methods are being called in the application but not the applet:

    chooseClientAlias
    getCertificateChain

Full code of key management class:

import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

// Presents one fixed alias from the (smart card) keystore; each call is logged so the
// console shows which methods the handshake actually invokes
private static class AliasKeyManager implements X509KeyManager
{
    private KeyStore _ks;
    private String _alias;
    private String _password;

    public AliasKeyManager(KeyStore ks, String alias, String password)
    {
        System.out.println("Init AliasKeyManager");
        _ks = ks;
        _alias = alias;
        _password = password;
    }

    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
    {
        System.out.println("In AliasKeyManager.chooseClientAlias returning alias: " + _alias);
        return _alias;
    }

    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
    {
        System.out.println("In AliasKeyManager.chooseServerAlias returning alias: " + _alias);
        return _alias;
    }

    public X509Certificate[] getCertificateChain(String alias)
    {
        try
        {
            System.out.println("In AliasKeyManager.getCertificateChain returning chain for alias: " + alias);
            Certificate[] chain = _ks.getCertificateChain(alias);
            if (chain == null)
            {
                return null;
            }
            // Copy element by element; casting the whole Certificate[] can fail at runtime
            X509Certificate[] x509Chain = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++)
            {
                x509Chain[i] = (X509Certificate) chain[i];
            }
            return x509Chain;
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getClientAliases(String keyType, Principal[] issuers)
    {
        System.out.println("In AliasKeyManager.getClientAliases returning alias: " + _alias);
        return new String[] { _alias };
    }

    public PrivateKey getPrivateKey(String alias)
    {
        try
        {
            System.out.println("In AliasKeyManager.getPrivateKey for alias: " + alias);
            return (PrivateKey) _ks.getKey(alias, _password == null ? null : _password.toCharArray());
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getServerAliases(String keyType, Principal[] issuers)
    {
        System.out.println("In AliasKeyManager.getServerAliases returning alias: " + _alias);
        return new String[] { _alias };
    }
}

0
 
CEHJCommented:
the two following methods are being called in the application but not the applet

I thought that might be the case. In which applet method are you invoking the key management routines?
0
 
cdflyAuthor Commented:
Before I left I noticed that when I compiled my application from the command line it compiled fine. I use Eclipse to compile my applet, and I noticed that its implementation of the X509KeyManager calls for a couple of other methods. I need to double check when I get back to the office to see what methods the applet has that the application doesn't, but the chooseClientAlias and getCertificateChain methods are actually being called in my applet; it was just using methods with different signatures. When I get back tomorrow I will verify that those methods are actually returning something.
I have a method called testConnection that runs when the applet starts up; this is the method that is invoking the key management class.
0
 
CEHJCommented:
when the applet starts up

Which method? The ctor?
0
 
cdflyAuthor Commented:
I'm not sure I understand the question.
0
 
cdflyAuthor Commented:
Ok, it's working now. When Eclipse added the other methods to the X509KeyManager class there were two chooseClientAlias methods; the method being called by the applet was different than the method being called in the console app, and it was returning null. I changed the value being returned from null to _alias and all seems well now.
I appreciate all your help on this. I'm new to Exchange Experts, but I think I accepted your answer correctly; if not, let me know.

Take care.
0
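The posted AliasKeyManager and the final fix above both turn on one detail: a key manager has more than one "choose alias" entry point, and whichever one the runtime actually calls must return the alias, or the client completes the handshake without sending a certificate and IIS answers 403.7 (client certificate required). The class below is an added example, not the original poster's code. It extends X509ExtendedKeyManager so that both the Socket-based and the SSLEngine-based variants are implemented explicitly and every call is logged, and its constructor checks that the alias really is a private-key entry with a certificate chain before the SSLContext is built, so a wrong alias fails loudly instead of as a silent null. The class name FixedAliasKeyManager, the command-line arguments and the use of a PKCS#12 file as a stand-in for the smart card keystore are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

// Added example (not the original poster's code): presents one fixed alias for client
// authentication and logs every selection variant, so a path that silently returns
// null (= no client certificate sent) becomes visible in the console.
public class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore ks;
    private final String alias;
    private final char[] password; // PIN for the key; may be null for token-protected keys

    public FixedAliasKeyManager(KeyStore ks, String alias, char[] password) throws KeyStoreException {
        // Fail early: a non-existent or cert-only alias would otherwise surface as a null key/chain
        if (!ks.isKeyEntry(alias)) {
            throw new KeyStoreException("alias '" + alias + "' is not a private-key entry");
        }
        if (ks.getCertificateChain(alias) == null) {
            throw new KeyStoreException("alias '" + alias + "' has no certificate chain");
        }
        this.ks = ks;
        this.alias = alias;
        this.password = password;
    }

    private static void log(String what) {
        System.out.println("FixedAliasKeyManager." + what + " called, answering alias");
    }

    // Socket-based variants: what SSLSocket uses
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        log("chooseClientAlias(Socket)");
        return alias;
    }
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        log("chooseServerAlias(Socket)");
        return alias;
    }
    // SSLEngine-based variants: the base class returns null here by default, which means
    // "no certificate" even when the Socket variant above returns the alias
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        log("chooseEngineClientAlias(SSLEngine)");
        return alias;
    }
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        log("chooseEngineServerAlias(SSLEngine)");
        return alias;
    }
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }
    public X509Certificate[] getCertificateChain(String requested) {
        try {
            Certificate[] chain = ks.getCertificateChain(requested);
            if (chain == null) {
                return null;
            }
            // Copy element by element rather than casting the whole array
            X509Certificate[] out = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                out[i] = (X509Certificate) chain[i];
            }
            return out;
        } catch (KeyStoreException e) {
            e.printStackTrace();
            return null;
        }
    }
    public PrivateKey getPrivateKey(String requested) {
        try {
            return (PrivateKey) ks.getKey(requested, password);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    // SSLContext using this key manager; trust is left at the JRE default (cacerts)
    public static SSLContext contextFor(FixedAliasKeyManager km) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null);
        return ctx;
    }

    // Usage: java FixedAliasKeyManager client.p12 <alias> <password>
    // (a PKCS#12 file stands in for the smart card; with a PKCS#11 provider use KeyStore.getInstance("PKCS11"))
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[2].toCharArray());
        } finally {
            in.close();
        }
        FixedAliasKeyManager km = new FixedAliasKeyManager(ks, args[1], args[2].toCharArray());
        SSLContext ctx = contextFor(km);
        System.out.println("SSLContext " + ctx.getProtocol() + " ready; chain length for '" + args[1]
                + "': " + km.getCertificateChain(args[1]).length);
    }
}
```

Run it with -Djavax.net.debug=ssl as suggested earlier in the thread and the log lines show which variant the handshake invoked; if a "Certificate" message with an empty chain appears in the debug output while none of the choose* methods logged a call, the SSLContext in use was not built with this key manager at all.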
 
CEHJCommented:
Good - glad you got it working :)
0
Question has a verified solution.
