NHS Smart Card Access from Web Browsers (IE, FF, Chrome)


#1

Hi, I am working on a project that requires to read the Smart Card Token generated when a user login to the spine. The problem I have is that I am trying a Java Applet to access the Smart Card Token, using GATicket.jar
The applet loads fine but when trying to access the token, I get the following error:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
…
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
… 68 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
at sun.security.provider.certpath.AlgorithmChecker.check(Unknown Source)
… 73 more

Apparently GATicket.jar was signed with a 1024bit certificate which is not compatible with JRE 8?

Also major browsers does not support applets anymore, is there any other alternative to get the Authentication Token from the client’s computer?


(Adrian Wilkins) #2

From your stack trace there it looks more like an operation is being forbidden by your Java runtime security policy which seems configured to consider MD5 a weak hash (not without justification).

Doesn’t seem to be the signature size, more the algorithm used is weak enough to be forgeable these days.

@robdykedotcom - is this the signature the JAR is packed in with?

You might be able to work around it by reconfiguring the Java security policies but I wouldn’t encourage it.


#3

Hi Adrian, thank your for your reply.
My Applet is signed with a 2048 certificate, but it depends on a external jar file (GATicket.jar) which is the interface provided by the gemalto smart card reader and is producing the above exception.

Would it be possible to distribute the applet without the depend jar?, assuming that the nhs identity agent installs GATicket.jar in the client’s computer.

Sorry to ask this but I am not a java expert.


(Adrian Wilkins) #4

I’m guessing that GATicket.jar is indeed installed on the target computers but Rob is by far the expert on this. I’ve never written applets so I have no idea how they go about classpath discovery or whether they can load jars on the host system though.

It may well be that the sysadmins have configured the client systems to ignore the use of MD5 hashes which is just the kind of duct-tape compromise common in sprawling legacy-rich IT environments, or it may even be that they’re running an older JRE that doesn’t spawn this error.


#5

I was working on this some time ago and seem to remember the IA install puts GATicket.jar into the $JAVA_HOME/lib/applet and $JAVA_HOME/jre/lib/ext directories which makes it available to all java applications but that the signature mechanism was no longer trusted by java. The fact that it existed in the directories above meant that even if you re-signed GATicket.jar yourself and included in your distribution then the locally installed instance would still be picked up and cause a security error. To fix I reimplemented the functionality as a wrapper around the C api: https://bitbucket.org/agreenhalgh/smartcard-authentication/

I only implemented the functionality I needed but it wouldn’t be hard to extend.


#6

Hi Aled,

Thank you very much for your sharing your code.

You are right GATicket.jar will not work on Java 8 and above due to the signature, at the moment I am using Java 7 and it works fine for now. But for the long term it’s better to use the C api as you suggested. I will try your code.

Thank you.


(Adrian Wilkins) #7

Oracle to start charging for support of old Java…

It only mentions Java 8… possibly Java 7 isn’t even going to get patched any more…


(Paul Targett) #8

Hi, we’ve had to use the low level C APIs too. We tried for months to get the .jar approach to work. Massive problem that I hope NHSD will solve soon.

PT


(Rob Dyke) #9

NHSland coughed up to M$… Oracle probably feel left out. That little boat Larry has must cost a few quid to fuel…


(Rob Dyke) #10

@aled.g - SSSSSSHHHHH!

We are not supposed to talk about the GAPPING SECURITY HOLE in SPINE authentication…

/rob