Home/ Questions/Q 6096269
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T12:54:29+00:00

I have an applet that allows users to sign documents using their personal certificates.

  • 0

I have an applet that allows users to sign documents using their personal certificates. The applet is already signed, but when it tries to load their keystore, I get an access denied error related to sunMSCAPI. It’s being caused by the following lines of code:

store = KeyStore.getInstance("Windows-MY");
store.load(null, null);

From what I understand of applet signing, there are no additional steps after the signing process that I need to jump through (editing policy files and such). I tried wrapping all the applet functionality within:

AccessController.doPrivileged(new PrivilegedAction() {
  public Object run() {
    etc...

But that didn’t help. I’ve rooted around and found some comments on various forums that sunMSCAPI is only available in JDK 6…which I’ve got. I’m running out of ideas, and any help would be appreciated.

For potential aid, here’s the stack trace of the access denied error:

java.security.AccessControlException: access denied (java.security.SecurityPermission authProvider.SunMSCAPI)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at sun.security.mscapi.KeyStore.engineLoad(KeyStore.java:736)
    at sun.security.mscapi.KeyStore$MY.engineLoad(KeyStore.java:43)
    at java.security.KeyStore.load(Unknown Source)
    at com.bloop.signature.PKCS11.loadKeyStore(PKCS11.java:42)
    at com.bloop.signature.PKCS11.sign(PKCS11.java:29)
    at com.bloop.signature.applet.SignApplet.signDocument(SignApplet.java:103)
    at com.bloop.signature.applet.SignApplet.access$200(SignApplet.java:19)
    at com.bloop.signature.applet.SignApplet$1.run(SignApplet.java:64)
    at java.lang.Thread.run(Unknown Source)
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It seems that the keystore I was using to sign the applet was invalid somehow. I generated a new one, signed with it, cleared the java cache, and everything started working nicely.

    For completeness sake, here’s the command I ran to generate the new store:

    keytool -genkey -alias keyPair -keyalg RSA -validity 500 -keystore myKeyStore -keypass <password> -storepass <password> -dname "<CN,OU,O,L,ST,C details>"

    If anyone else ever has this problem, hopefully the above helps.

    • 0