cdfly (ASKER) asked:
SSLSocket in Applet

Hello,
I have an applet that allows users to upload files to a server. When the user uploads the file(s) the applet makes a connection using an SSLSocket and the user's smart card. The applet is unable to upload any files; it always gets a 403.7 error.
I wrote a small console app and it is able to make the connection and return a page; the exact same code fails in the applet with the 403.7 error. I have verified that the applet is reading the certs off the smart card.
Thanks
for_yan

Is this a signed applet?

Does it make a connection to the same server from which it was loaded (from which was served the HTML page with the applet tag) ?
It is probably a signed applet, as otherwise it would not read a smart card, correct?
Did you see these threads?
I don't think there is a solution there, but the situation seems to be very similar:

http://www.tek-tips.com/viewthread.cfm?qid=1673598

https://forums.oracle.com/forums/thread.jspa?threadID=2241443
cdfly (ASKER):

The tek-tips post is actually one of my old posts. This is a self-signed applet; not sure why the console code works but it has a problem in the applet.
CEHJ
Please post the full output from the Java Console, if necessary putting the trace level up to max (5)

You will of course need to import the server cert into your client's truststore unless the cert is a 'proper' official one with intact chain
cdfly (ASKER):

Hi,
I'm attaching the trace file.

Thanks for the help
console-trace.txt
It looks like a client cert problem rather than a server cert problem. If your application manages to work with the same IIS server, make sure that the same trust store is being used in the applet. Your app working implies that you have a client cert installed and in use when you are a client of that IIS server.
cdfly (ASKER):

I'm not sure I understand. In the code, both in the console app and the applet, I get the keystore from the smart card using an alias that I know exists. Are you thinking that my app is using something else?
When I first tried my console app it was failing with the same 403 error until I specified the alias, and then it started working.

Can you tell me how to be sure the applet is using the same trust store as the console app?


Thanks
C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts is what the applet is using. If you run the app with

    java -Djavax.net.debug=ssl

it will tell you.

btw, by what means are you telling

a. the applet which alias to use?
b. the application which alias to use?
cdfly (ASKER):

This is what I had to add to make my console app work; I had to use the alias on the smart card.

    // Imports the snippet needs (added for completeness):
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.Principal;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.X509KeyManager;

    String alias = "cert alias";

    // Force the handshake to offer exactly this alias from the smart-card key store.
    managers = new KeyManager[] { new AliasKeyManager(keyStore, alias, aSmartCardPIN) };

    // Key manager that ignores the issuer list the server sends and always answers with one alias.
    private static class AliasKeyManager implements X509KeyManager
    {
        private KeyStore _ks;
        private String _alias;
        private String _password;

        public AliasKeyManager(KeyStore ks, String alias, String password)
        {
            _ks = ks;
            _alias = alias;
            _password = password;
        }

        public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
        {
            return _alias;
        }

        public String chooseServerAlias(String str, Principal[] principal, Socket socket)
        {
            return _alias;
        }

        public X509Certificate[] getCertificateChain(String alias)
        {
            try
            {
                return (X509Certificate[])_ks.getCertificateChain(alias);
            }
            catch (Exception e)
            {
                e.printStackTrace();
                return null;
            }
        }

        public String[] getClientAliases(String str, Principal[] principal)
        {
            return new String[] { _alias };
        }

        public PrivateKey getPrivateKey(String alias)
        {
            try
            {
                // A null password is passed through unchanged (PKCS#11 tokens unlocked at load time).
                return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
            }
            catch (Exception e)
            {
                e.printStackTrace();
                return null;
            }
        }

        public String[] getServerAliases(String str, Principal[] principal)
        {
            return new String[] { _alias };
        }
    }

And you're doing that in the applet too?
cdfly (ASKER):

Correct, all the code is the same in the console app and the applet
ASKER CERTIFIED SOLUTION
CEHJ
cdfly (ASKER):

I will try that. The console app was just a test to see if I could get connected; the applet is what I really need to get working.
Going through the trace I see

    Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts

I think we should be using Java 1.5_06; maybe it's using the wrong trust store. That would be an easy fix.
Going through the trace I see ...

Yes, I mentioned that here.

What did the application claim it was using as its truststore?
cdfly (ASKER):

I didn't see that in the application. I will look again when I get back to the shop.

    java -Djavax.net.debug=ssl YourApp >application.txt 2>&1

should save it to file for you.
cdfly (ASKER):

I looked at the file; I'm not seeing the version though. I'm attaching both the ssl debug and all debug.
application-debug-all.txt
application-debug-ssl.txt
I looked at the file I'm not seeing the version though.

That's strange. What command did you give to the app?

Also what was the result of adding debug code to your programmatic key management routines - are they called?
cdfly (ASKER):

I ran the command you gave me

    java -Djavax.net.debug=ssl YourApp >application.txt 2>&1
    java -Djavax.net.debug=all YourApp >application.txt 2>&1

I didn't add debug code to key management routines yet; I will do that and post the results.
cdfly (ASKER):

The key management class is being created in both the console app and the applet, but the two following methods are being called in the application but not the applet:

    chooseClientAlias
    getCertificateChain

Full code of key management class:
    // Imports the class needs (added for completeness):
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.Principal;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.X509KeyManager;

    // Same key manager as before, with a print in each method so the debug log
    // shows which callbacks the handshake actually invokes.
    private static class AliasKeyManager implements X509KeyManager
    {
        private KeyStore _ks;
        private String _alias;
        private String _password;

        public AliasKeyManager(KeyStore ks, String alias, String password)
        {
            System.out.println("Init AliasKeyManager");
            _ks = ks;
            _alias = alias;
            _password = password;
        }

        public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
        {
            System.out.println("In AliasKeyManager.chooseClientAlias returning alias:" + _alias);
            return _alias;
        }

        public String chooseServerAlias(String str, Principal[] principal, Socket socket)
        {
            System.out.println("In AliasKeyManager.chooseServerAlias returning alias:" + _alias);
            return _alias;
        }

        public X509Certificate[] getCertificateChain(String alias)
        {
            try
            {
                System.out.println("In AliasKeyManager.getCertificateChain returning chain for alias:" + _alias);
                return (X509Certificate[])_ks.getCertificateChain(alias);
            }
            catch (Exception e)
            {
                e.printStackTrace();
                return null;
            }
        }

        public String[] getClientAliases(String str, Principal[] principal)
        {
            System.out.println("In AliasKeyManager.getClientAliases returning alias:" + _alias);
            return new String[] { _alias };
        }

        public PrivateKey getPrivateKey(String alias)
        {
            try
            {
                return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
            }
            catch (Exception e)
            {
                e.printStackTrace();
                return null;
            }
        }

        public String[] getServerAliases(String str, Principal[] principal)
        {
            return new String[] { _alias };
        }
    }

the two following methods are being called in the application but not the applet

I thought that might be the case. In which applet method are you invoking the key management routines?
cdfly (ASKER):

Before I left I noticed that when I compiled my application from the command line it compiled fine. I use Eclipse to compile my applet, and I noticed that their implementation of the X509KeyManager calls for a couple of other methods. I need to double-check when I get back to the office to see what methods the applet has that the application doesn't, but the chooseClientAlias and getCertificateChain methods are actually being called in my applet; it was just using methods with different signatures. When I get back tomorrow I will verify that those methods are actually returning something.
I have a method called testConnection that runs when the applet starts up; this is the method that invokes the key management class.
when the applet starts up

Which method? The ctor?
cdfly (ASKER):

I'm not sure I understand the question.
cdfly (ASKER):

Ok, it's working now. When Eclipse added the other methods to the X509KeyManager class there were two chooseClientAlias methods; the method being called by the applet was different from the method being called in the console app, and it was returning null. I changed the value being returned from null to _alias and all seems well now.
I appreciate all your help on this. I'm new to Exchange Experts but I think I accepted your answer correctly; if not, let me know.

Take care.
Good - glad you got it working :)
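For anyone landing on this thread with the same 403.7, here is an added example (not the asker's code and not from this thread) that shows the shape of the fix and the self-check CEHJ asked for earlier. The thread never says which base class Eclipse generated the applet's key manager from; this example assumes it was X509ExtendedKeyManager, whose SSLEngine-flavoured chooseEngineClientAlias has a default that returns null. A null alias means no client certificate is offered in the handshake, and IIS reports exactly that as 403.7 (client certificate required). Both alias callbacks therefore return the fixed alias, and selfCheck() confirms before the connection that the alias resolves to a private key and a non-empty chain, which is the check that would have pointed at the key manager without a full javax.net.debug trace. Class, method and variable names are this example's own.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Key manager that always offers one fixed alias as the client certificate.
 * Because it extends X509ExtendedKeyManager (an assumption about the class the
 * applet ended up with), the SSLEngine variants must be overridden too: their
 * inherited defaults return null, which makes JSSE send no client cert at all.
 */
public class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore keyStore;
    private final String alias;
    private final char[] password; // null for a PKCS#11 token unlocked at load time

    public FixedAliasKeyManager(KeyStore keyStore, String alias, char[] password) {
        this.keyStore = keyStore;
        this.alias = alias;
        this.password = password;
    }

    // Socket-based handshake path (what an SSLSocket uses).
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return alias;
    }

    // SSLEngine-based handshake path. Leaving this at the inherited default (null)
    // is the "second chooseClientAlias returning null" failure from the thread.
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return alias;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return alias;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return alias;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }

    // Copies element by element: KeyStore returns Certificate[], and a direct cast to
    // X509Certificate[] can throw ClassCastException depending on the provider.
    @Override
    public X509Certificate[] getCertificateChain(String requested) {
        try {
            Certificate[] chain = keyStore.getCertificateChain(requested);
            if (chain == null) {
                return null;
            }
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                x509[i] = (X509Certificate) chain[i];
            }
            return x509;
        } catch (KeyStoreException e) {
            return null;
        }
    }

    @Override
    public PrivateKey getPrivateKey(String requested) {
        try {
            return (PrivateKey) keyStore.getKey(requested, password);
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    /** Pre-handshake check: does the alias resolve to a usable key and chain? */
    public boolean selfCheck() {
        X509Certificate[] chain = getCertificateChain(alias);
        PrivateKey key = getPrivateKey(alias);
        if (chain == null || chain.length == 0 || key == null) {
            System.err.println("alias '" + alias + "' has no usable key/chain in the key store");
            return false;
        }
        System.err.println("client cert to offer: " + chain[0].getSubjectX500Principal());
        return true;
    }
}
```

Call selfCheck() right after loading the smart-card KeyStore and before building the SSLContext; if it prints the expected subject but the server still answers 403.7, the alias callbacks are the next thing to log, since a key manager that holds a valid key but answers null from the callback the handshake actually uses produces the same symptom.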