Bug ID: 6680432 Display only Digital Signature key usage certificate in client authentication dialog box.

Details
Type:
Bug
Submit Date:
2008-03-26
Status:
Closed
Updated Date:
2010-06-02
Project Name:
JDK
Resolved Date:
2008-06-10
Component:
deploy
OS:
solaris_9,windows_nt,windows_xp
Sub-Component:
deployment_toolkit
CPU:
x86,sparc
Priority:
P3
Resolution:
Fixed
Affected Versions:
5.0,6u5
Fixed Versions:
6u10

Related Reports
Backport:
Duplicate:

Sub Tasks

Description
DoDIIS PKI Environment
Each user in the DoDIIS environment has 2 PKI certificates; each certificate has the same name and same DN, but has different key usages (Digital Signature vs. Key Encipherment). Both keys are loaded into Internet Explorer (IE). The Key Encipherment certificate is required for email encryption, and the Digital Signature certificate is used for identity verification on the web.

Internet Explorer - When IE prompts to choose the correct certificate, it will only allow the user to pick a certificate with a key usage of Digital Signature.

Java - When Java prompts the user to choose the correct certificate, it will allow the user to select either type of certificate. Since both certificates have the same name, they appear to be the same, and the user is unable to tell the difference. There is absolutely no way to determine which is the correct certificate. Additionally, each time the user is prompted, the order in which the certificates appear in the list changes, forcing the user to guess at which certificate is the one with the correct type.

Problems:
When the user is prompted to choose the correct certificate from Java, they are unable to tell which certificate is the Digital Signature certificate.
If the user selects the wrong certificate from the list, the DUKE web server will reject the certificate because it's the wrong type.

DUKE Workaround - The DUKE team has been manually loading the Digital Signature certificate into the Java keystore and disabling Java from looking in the IE keystore for each user.


Comments
EVALUATION

We will check client certificate key usage and extension before display to user.
2008-03-31
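The evaluation says the dialog should check key usage and extensions before listing a certificate. The following is an added illustration of that filtering logic written for this page; it is not the JDK's deployment code and does not show how the 6u10 fix is implemented. It uses only public JDK APIs: X509Certificate.getKeyUsage() (bit 0 is digitalSignature, bit 2 is keyEncipherment, as in RFC 5280) and getExtendedKeyUsage() (id-kp-clientAuth is 1.3.6.1.5.5.7.3.2). The class name ClientAuthCertFilter, the method names, and the choice to read the Windows-MY store when no PKCS12 path is given are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example, not JDK code: keep only certificates that are usable for
// TLS client authentication, so two certificates with identical subject DNs
// but different key usages are no longer presented as interchangeable.
public class ClientAuthCertFilter {

    // KeyUsage bit positions in the boolean[] returned by getKeyUsage() (RFC 5280 4.2.1.3)
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_KEY_ENCIPHERMENT = 2;

    // id-kp-clientAuth (RFC 5280 4.2.1.12)
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** True if the certificate may be offered in a client-authentication dialog. */
    public static boolean isClientAuthCandidate(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        // A KeyUsage extension without digitalSignature (e.g. the Key Encipherment
        // email certificate from the report) must not be offered. A missing
        // KeyUsage extension imposes no restriction, so such a certificate passes.
        if (ku != null && !(ku.length > KU_DIGITAL_SIGNATURE && ku[KU_DIGITAL_SIGNATURE])) {
            return false;
        }
        try {
            List<String> eku = cert.getExtendedKeyUsage();
            // If an ExtendedKeyUsage extension is present it must list clientAuth.
            if (eku != null && !eku.contains(EKU_CLIENT_AUTH)) {
                return false;
            }
        } catch (CertificateParsingException e) {
            return false; // malformed extension: safer not to offer it
        }
        return true;
    }

    /** Aliases of private-key entries whose certificate passes the filter. */
    public static List<String> selectAliases(KeyStore ks) throws Exception {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert entries have no private key to authenticate with
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && isClientAuthCandidate((X509Certificate) c)) {
                result.add(alias);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks;
        if (args.length == 0) {
            // Assumption for this example: on Windows, read the same personal
            // store IE uses via the SunMSCAPI provider.
            ks = KeyStore.getInstance("Windows-MY");
            ks.load(null, null);
        } else {
            // Otherwise: java ClientAuthCertFilter <file.p12> [password]
            ks = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(args[0])) {
                ks.load(in, args.length > 1 ? args[1].toCharArray() : null);
            }
        }
        for (String alias : selectAliases(ks)) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            boolean[] ku = cert.getKeyUsage();
            boolean keyEnc = ku != null && ku.length > KU_KEY_ENCIPHERMENT && ku[KU_KEY_ENCIPHERMENT];
            // Printing the key usage alongside the DN makes same-named certificates distinguishable.
            System.out.printf("%s  %s  digitalSignature=true keyEncipherment=%b%n",
                    alias, cert.getSubjectX500Principal(), keyEnc);
        }
    }
}
```

Applied to the two certificates in the report, only the Digital Signature certificate survives the filter; the Key Encipherment certificate (no digitalSignature bit) is never shown, so the user cannot pick it and the server-side rejection described under "Problems" does not occur. Note that the check is still client-side convenience: the server must continue to validate key usage on the certificate it receives.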


