Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Https client smart card #795

Draft
wants to merge 10 commits into
base: master
Choose a base branch
from
Draft

Https client smart card #795

wants to merge 10 commits into from

Conversation

sclassen
Copy link
Contributor

Original contribution by @DavidTavoularis in #729:

a. Better HTTPS with Client authentication :

In order to avoid too many PIN/Password requests (HTTPS hanshakes), downloads first the initial jar (mono-thread) then all remaining ones (multi-thread)
In case of initial jar download failure (Client Certificate Selection cancel, incorrect PIN/Password, ...), fail fast and do not try to download remaining jars
No resource prefetch, otherwise deployment.cache.parallelDownloadCount is not enforced

b. New Security Dialog UI for Client Certificate Selection :

Ability to display details on each certificate
Shown in TaskBar
Cancellable
Selection using double-click, Enter key or OK button
Internationalization

c. SmartCard support on Windows

Introduction of a Merged Key Manager for user, system and browser key stores
Client alias selection using a preference algorithm :
a) Get all non-expired aliases with extension ClientCert (1.3.6.1.5.5.7.3.2) or ANY (2.5.29.37.0)
if only one, it is selected, if more than one, a UI helps to select one of them.
b) Otherwise, get all expired aliases with extension ClientCert (1.3.6.1.5.5.7.3.2) or ANY (2.5.29.37.0)
if only one, it is selected, if more than one, a UI helps to select one of them.
c) Otherwise, get all remaining aliases
if only one, it is selected, if more than one, a UI helps to select one of them.
UI will display the suffix " (from user keystore)" or " (from system keystore)" or " (from browser keystore)"
If user cancels the Client Certificate UI, it is remembered for next chooseClientAlias call
Client alias selection is cached per remote host

DavidTavoularis and others added 7 commits December 15, 2020 14:11
a. Better HTTPS with Client authentication :
 - In order to avoid too many PIN/Password requests (HTTPS hanshakes), downloads first the initial jar (mono-thread) then all remaining ones (multi-thread)
 - In case of initial jar download failure (Client Certificate Selection cancel, incorrect PIN/Password, ...), fail fast and do not try to download remaining jars
 - No resource prefetch, otherwise deployment.cache.parallelDownloadCount is not enforced

 b. New Security Dialog UI for Client Certificate Selection :
 - Ability to display details on each certificate
 - Shown in TaskBar
 - Cancellable
 - Selection using double-click, Enter key or OK button
 - Internationalization

 c. SmartCard support on Windows
 - Introduction of a Merged Key Manager for user, system and browser key stores
 - Client alias selection using a preference algorithm :
 a) Get all non-expired aliases with extension ClientCert (1.3.6.1.5.5.7.3.2) or ANY (2.5.29.37.0)
 if only one, it is selected, if more than one, a UI helps to select one of them.
 b) Otherwise, get all expired aliases with extension ClientCert (1.3.6.1.5.5.7.3.2) or ANY (2.5.29.37.0)
 if only one, it is selected, if more than one, a UI helps to select one of them.
 c) Otherwise, get all remaining aliases
 if only one, it is selected, if more than one, a UI helps to select one of them.
 - UI will display the suffix " (from user keystore)" or " (from system keystore)" or " (from browser keystore)"
 - If user cancels the Client Certificate UI, it is remembered for next chooseClientAlias call
 - Client alias selection is cached per remote host
Better HTTPS with Client Authentication & SmartCard support on Windows
@sclassen sclassen marked this pull request as draft July 27, 2021 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants