Jars signed with revoked certificate

Hello,
I have a situation here where I have jars and wars which were signed using jarsigner. The certificate used to sign the jars is now revoked.
When the Java runtime loads these jars, it does not throw any errors/exceptions. Is this the right behavior?
Is there any way I can configure the Java runtime to contact the CRL and throw an error when the jar is loaded? The certificate has CRL distribution point information
and also Authority Information Access details. I tried configuring OCSP in the java.security file, but still no luck.
Any information on this will be helpful.
Thanks in advance

Hello EJP,
Thanks for replying.
Yes, the certificate was valid when the jar was signed. Please note that there was no timestamp in the signature.
So now, after the certificate has been revoked, if the Java runtime tries to load that jar, isn't it the responsibility of the Java runtime to make use of the CRL/OCSP information
in the public key certificate (present in the jar, put there by jarsigner when signing) and validate it for revocation? (Also, in this scenario, what happens if OCSP is enabled in java.security?) -OR- Is it the responsibility of the code that makes use of the jar to verify whether the certificate used for jar signing has been revoked or not?
PS: I have enabled the security settings in the Java Control Panel for certificate revocation checking.
Please let me know if I am wrong or if I am missing something.
Also I noticed something with jarsigner. In a signed jar, if I delete a few files and then verify its signature using jarsigner, "jar verified" is returned as the result. Isn't the jar tampered with when I delete a few files from it? And hence the hash of its data changes, and hence verification should fail?
One more question: in the case of signed applets, if the certificate is revoked, as soon as the browser tries loading the applet, it throws an error saying the certificate that was used for signing has been revoked (provided browser settings and Java Control Panel settings are all properly set). Is this check initiated by the browser OR the Java runtime?
Thanks a lot
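For a plain classpath launch the runtime only checks that each entry's digest matches the signature; it attaches the signer certificates to the CodeSource but validates neither the chain nor its revocation status, so that check has to be done by the code that loads the jar (Java Web Start and the browser plugin do it on their own, which is why the applet case behaves differently). The following is an added example, not code from the original posts: it reads every entry so the JDK verifies the digests, collects the code signers, validates each signer's chain against a truststore with a PKIXRevocationChecker (OCSP via the AIA extension first, CRLs as fallback; the JDK only fetches the CRL Distribution Point when com.sun.security.enableCRLDP is set), and additionally lists manifest entries that are no longer in the archive, which jarsigner -verify does not report. The jar path, truststore path and the default cacerts password are assumptions; Java 8 or later is required.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Verifies a signed jar's entries, signer chains (with revocation) and completeness. */
public class SignedJarCheck {

    public static void main(String[] args) throws Exception {
        File jarPath = new File(args[0]);          // assumption: signed jar to inspect
        File trustStorePath = new File(args[1]);   // assumption: e.g. $JAVA_HOME/lib/security/cacerts
        char[] trustStorePw = "changeit".toCharArray(); // assumption: default cacerts password

        // Without this property the JDK ignores the CRL Distribution Point extension and
        // only tries OCSP (taken from the AIA extension) before giving up.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePw);
        }

        try (JarFile jar = new JarFile(jarPath, true)) {   // verify=true: digests are checked on read
            Manifest mf = jar.getManifest();
            if (mf == null) throw new IllegalStateException("no manifest: jar is not signed");

            Set<CodeSigner> signers = new HashSet<>();
            List<String> unsigned = new ArrayList<>();
            byte[] buf = new byte[8192];

            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // The digest comparison happens while the entry's bytes are read; a modified
                // file surfaces here as a SecurityException from the stream.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = entry.getCodeSigners();   // null: entry was added after signing
                if (cs == null) unsigned.add(entry.getName());
                else signers.addAll(Arrays.asList(cs));
            }

            // Entries the signed manifest lists but the archive no longer contains.
            // jarsigner -verify still prints "jar verified" for these, so check explicitly.
            List<String> missing = new ArrayList<>();
            for (String name : mf.getEntries().keySet()) {
                if (jar.getEntry(name) == null) missing.add(name);
            }
            System.out.println("unsigned entries: " + unsigned);
            System.out.println("missing signed entries: " + missing);

            PKIXParameters params = new PKIXParameters(ts);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
            // No SOFT_FAIL: an unreachable OCSP responder or CRL is an error, not a silent pass.
            rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
            params.addCertPathChecker(rc);

            for (CodeSigner signer : signers) {
                CertPath path = signer.getSignerCertPath();
                X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                try {
                    cpv.validate(path, params);
                    System.out.println("OK   " + leaf.getSubjectX500Principal());
                } catch (CertPathValidatorException ex) {
                    // ex.getReason() is BasicReason.REVOKED for a revoked signer certificate
                    System.out.println("FAIL " + leaf.getSubjectX500Principal()
                        + ": " + ex.getReason() + " (" + ex.getMessage() + ")");
                }
            }
        }
    }
}
```

Run it as `java SignedJarCheck app.jar $JAVA_HOME/lib/security/cacerts`. Validation is done as of the current time, so a signer certificate that has since been revoked fails with reason REVOKED whether or not the jar was signed while it was still valid; the list of missing entries covers the deleted-files case from the original question.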

Similar Messages

  • Jars can't be signed with different certificates---even by Sun?

    I am deploying an application which uses the following jar files:
    com.example.application.jar
    com.example.support.jar
    javax.activation.jar
    javax.mail.jar
    The latter two are jars signed by Sun, yet JWS complains that the jars have been signed with different certificates. I'm forced to unpack the Sun jars and repackage them, signing them with my own certificate.
    Isn't this a little restrictive? Shouldn't jars signed by Sun be exceptions to the "all jars signed by the same certificate" requirement?
    Garret

    Thanks! The JNLP 1.5 MR specification is a bit opaque about exactly how to do this, but the following site has an example that helped:
    http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/faq.html
    The example didn't mention whether I can request all permissions for the component extension, but I suppose I can. Nothing seems to indicate whether I can have component extensions reference other component extensions (JavaMail requires JAF, for example), but it seems to work.
    By requesting full permissions for the component extensions, though, I now get two dialogs presented to the user, the first asking if my application should be trusted, and the second asking if Sun Microsystems should be trusted.
    If I remove all-permissions from the JavaMail component extension, yet request it for the main application (thereby only presenting the user with one confirmation dialog), will I still be able to perform restricted functionality using JavaMail, such as connecting to remote servers?
    Here's what I'm now using, in hopes that it benefits someone else. The main JNLP:
         <resources>
              <jar href="com.example.jar"/>
              <extension name="JavaMail" href="javax.mail.jnlp"/>
         </resources>
    ...javax.mail.jnlp:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://localhost:8080/" href="javax.mail.jnlp">
         <information>
              <title>JavaMail</title>
              <vendor>Sun Microsystems, Inc.</vendor>
              <description>JavaMail API.</description>
              <homepage href="http://java.sun.com/products/javamail/"/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <jar href="javax.mail.jar"/>
              <extension name="JAF" href="javax.activation.jnlp"/>
         </resources>
         <component-desc/>
     </jnlp>
     javax.activation.jnlp:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://localhost:8080/" href="javax.activation.jnlp">
         <information>
              <title>JAF</title>
              <vendor>Sun Microsystems, Inc.</vendor>
              <description>JavaBeans Activation Framework extension.</description>
              <homepage href="http://java.sun.com/products/javabeans/glasgow/jaf.html"/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <jar href="lib/javax.activation.jar"/>
         </resources>
         <component-desc/>
     </jnlp>
     Garret

  • What does this mean and how do I fix it? Error ITMS-9000 "Invalid Code Signing The executable ´viwer.app/ viewer´ must be signed with the certificate that is contained in the provisioning profile"

    If you had Firefox save your Yahoo password, first try deleting that here:
    orange Firefox button ''or'' classic Tools menu > Options > Security > "Saved Passwords"
    The "signed out" message seems to be related to how Yahoo authenticates you. Some users have reported that disabling automatic proxy detection solves the problem, and it also resolves an issue of getting logged out every few minutes, if you have ever experienced that.
    To make the change:
    orange Firefox button ''or'' classic Tools menu > Options > Advanced
    On the "Network" mini-tab, click the "Settings" button, then choose "No Proxy" and OK your way back out.
    If your work connection requires you to use a proxy server, try the "Use system settings" option instead.
    Does that help?

  • Able to install the .ipa signed with distribution certificate using iTunes on MacBook Pro. where as the when tried to install using iTune on PC is causing a problem

    The sound input going to the mic is not going to pipe through the speakers like that.  It doesn't do it because it would cause a feedback loop on itself.  The mic input will take sound and output it to a program or to another pathway (like a VoIP or Facetime call, etc.) but it won't behave like a Karaoke machine if that's what you're thinking.

  • Jars not signed with same certificate

    Hi,
    I have signed my jars with jarsigner and the same certificate. I have verified with jarsigner -verify -cert -verbose.
    But JWS says that my jars are not signed with the same certificate. I don't understand why.
    Here is the stack :
         at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1023)
         at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:925)
         at com.sun.javaws.Launcher.continueLaunch(Launcher.java:814)
         at com.sun.javaws.Launcher.handleApplicationDesc(Launcher.java:515)
         at com.sun.javaws.Launcher.handleLaunchFile(Launcher.java:218)
         at com.sun.javaws.Launcher.run(Launcher.java:165)
         at java.lang.Thread.run(Thread.java:595)
    How can I know which jar has the bad certificate?

    If you set the deployment.properties file entry:
    deployment.trace.level=all
    you should see some debug output in the console and trace file that might help determine which jar it is (I am assuming you are using javaws 5.0).
    The problem is probably that although you use the same root certificate chain you purchased for each jar file, the entire certificate chain is not the same.
    Please post the full set of steps you used to sign each jar.
    /Andy

  • Signing with Code Certificate from COMODO ?

    Hi,
    does anyone have some experience with a Code Signing Certificate from COMODO ?
    I exported the certificate from Chrome or IE and tried the signing for a jar file,
    but get:
    jar signed.
    Warning:
    The signer's certificate chain is not validated.
    Can anyone help me ?
    Many thanks.

  • Signing with p12 certificate from client

    Hi there
    Our client provided us with a p12 format certificate and a password for signing AIR Applications.
    When I tried to sign the application in question with the certificate I got the following Error:
    Unable to build a valid certificate chain for the signer.
    What would google do in this situation?
    According to http://www.globalsign.com/support/root-certificate/osroot.php I did the following:
    Install the certificate in Internet Explorer
    Install the GlobalSign ObjectSign CA in Firefox
    Export a new p12 certificate from firefox
    Sign the application again with the new p12 certificate
    Still getting the same error!
    Install the new p12 certificate in Internet Explorer
    Again exporting the cert in Firefox
    and so on...
    No matter what I tried I still got the same error. I am now wondering whether our client needs to sign the application, but this does not seem to make sense since I have a p12 certificate and a password...
    I really would appreciate any help on this matter.
    Kind regards

    According to tzeng's suggestion I tried to export the certificate again from Firefox using "backup all" instead of "backup", with no effect.
    One thing which I am still not sure of:
    Can my client give me a p12 certificate which I can use as it is to sign my application using the provided password or do I have to process this certificate first?
    Depending on the answer to this question I need to take different action:
    YES: I need to tell my client to export the certificate in a different manner in order to "create the complete chain"
    NO: The certificate from my client is fine but I still need to figure out how to change the certificate so that I don't get the error.
    Thanks for your help.

  • Adobe Air Install Package Signed by Revoked Certificate?

    My security settings may be a little more strict than most. I just downloaded the Adobe AIR install package today. I think the revoked signature is preventing the installation. Can anyone confirm the signature? Thanks.

    No problems with the signature on a new Windows 7 x64 / IE10 install with default settings.

  • Signed PDFs cannot be opened with authentication certificate?

    Hello,
    I have the following problem. I have PDFs that were signed with a certificate from a private CA via Adobe LiveCycle ES2 Version 9. These PDFs are sent out to users who then need to open and print them. To open the PDFs an authentication certificate is needed. All users have been issued such a certificate from a private CA. The users have Adobe Reader versions 8 to 11 installed.
    Users who have Adobe Reader 9 click to open the PDF; they are then asked how they want to authenticate, via password or certificate. They select the certificate option and are then presented with a list of certificates available (from the Windows certificate store and the Adobe application) to choose from. They select the right authentication certificate and the PDF opens without issues.
    All other users, who use Adobe Reader 8, 10 and 11, are presented with the authentication screen to select the password or certificate option. They select "Certificate" and the screen jumps back to the authentication screen where they are presented with the same selection. If they select "Certificate" again, nothing happens and the PDF does not open. In these readers they are not presented with a list of certificates available to choose from.
    When I now remove the authentication certificate from the computer and try to open the PDF, I get the authentication screen, select "Certificate" and am presented with all available certificates. None of these certificates of course match the one the PDF asks for, so it will also not open.
    The private CA certificates are imported in the Windows certificate store as well as the Adobe application.
    Why is Adobe Reader 9 handling the certificate differently than 8, 10 and 11? What changes have to be made to pass authentication in the affected readers?
    I am looking forward to any suggestions.
    Thank you,
    Nadine

    AFAIK there were no code changes in this area between XI and DC. Are you doing all your processing on the same platform (Mac), or does the problem manifest when you move encrypted PDFs between Mac and Windows? As I recall, the problem I was talking about manifested when encrypted PDFs were moved between platforms. If you do move your PDFs between platforms, then which Acrobat version do you use on which platform? Is it Acrobat DC on both Mac and Windows? On which platform/Acrobat version do you encrypt, and on which platform/Acrobat version do you try to open?

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example, "https://my-site.de/myapp/ma.jnlp" in a web browser, or could also call "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
    The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
    are no problems with certificate revocation checks.
    The problem is, while starting the application client there is a message box which tells us something like "the connection to this website is not trustworthy",
    "Website: https://my-site.de:80", and something about an invalid certificate, meaning the web server certificate.
    Obviously the jvm runtime, which is executed on the users workstation, tries to perform a revocation check for the webservers certificate, but this fails because
    it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the web server certificate over port 80? Our application developers told me there is no corresponding statement. Calling this address
      has to fail, while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a TLS revocation check? I mean by adjusting the application source code and not by configuring the user's Java Control Panel.
      When the TLS certificate revocation check is disabled in the Java Control Panel, the Web Start application executes without a warning message, but this is not a workable solution for
      our users.
    It would be great if someone can help me with a hint so I can send our developers in the right direction ;-)
    Many thanks!
    This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry, this is in German... and also for my English above)
    network: Connecting http://ocsp.serverpass.telesec.de/ocspr with proxy=HTTP @ internet-proxy.***:80
    network: Connecting http://ocsp.serverpass.telesec.de/ocspr with proxy=HTTP @ internet-proxy.***:80
    security: OCSP Response: GOOD
    network: Connecting http://ocsp.serverpass.telesec.de/ocspr with proxy=HTTP @ internet-proxy.***:80
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cache entry found [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Connecting http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl with proxy=HTTP @ internet-proxy.***:80
    network: Connecting http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl with proxy=HTTP @ internet-proxy.***:80
    network: ResponseCode for http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Encoding for http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Disconnect connection to http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Connecting http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl with proxy=HTTP @ internet-proxy.***:80
    network: Connecting socket://ldap.serverpass.telesec.de:389 with proxy=DIRECT
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Invalid certificate from HTTPS server
    network: Cache entry not found [URL: https://my-site.de:80, Version: null]

    Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.

  • How do I protect my JNLP, my JARs etc. (with Basic Authentication)???

    Hi all,
    I know that there is a FAQ (see here: http://lopica.sourceforge.net/faq.html#obfuscate) answering a related question with "You can use an obfuscator...". OK, but is there really no other solution?
    This is the simplified folder structure of my application on the server:
    [application]
      [etc]
        xyz.xml
      [jars]
        myapp.jar
      launch.jnlp
    website.jsp
    Initial start and basic authentication:
    My first idea was to secure everything underneath "application" with basic authentication via my web.xml (yes, I'm aware of the security concerns). This means everybody can access my website (here: website.jsp), which contains a start button that links to "launch.jnlp". As soon as the user clicks on it, the browser opens its standard authentication dialog since launch.jnlp is in a protected area. After entering the correct credentials the JNLP file is downloaded and Java Web Start takes over control. First of all it seems as if it tries to access the same JNLP file again (??? --> probably in order to check for changes in the JNLP file --> this is certainly not the case for the initial startup) and then wants to download the relevant jar (myapp.jar). Because both resources are protected, JWS opens its own basic authentication dialog where I have to enter the same credentials a second time. As far as I know, there is no solution to pass the credentials between the browser and the JVM.
    Second start and basic authentication:
    If the user starts my application for the 2nd, 3rd, ... time via desktop link (set in the JNLP file) there is no need to access my website with a browser. Therefore only the authentication dialog of JWS gets displayed. So far, so good!
    And now the actual problem:
    During runtime my application (signed with a VeriSign certificate and having all permissions) uses commons-vfs and commons-httpclient to access resources on the same server (e.g. etc/xyz.xml). Since they're underneath the protected "application" directory as well, my application needs the same credentials the user already entered in the authentication dialog of JWS. Now I could retrieve these credentials by calling Authenticator.requestPasswordAuthentication() within my application and passing them to vfs and httpclient. However, doing so opens up JWS' authentication dialog again. Grrr!!! Is there a way to prevent this?
    Related thoughts:
    I know I could disable JWS' default Authenticator and set my own Authenticator, which might be able to return already entered credentials without opening the dialog a second time. However, it seems that even with <property name="javaws.cfg.jauthenticator" value="none" /> JWS still opens its own dialog when accessing the JNLP file and the relevant JARs during the startup/download phase. Of course, who else if not JWS could handle that phase? My application might not even be downloaded at this point. So I guess setting my own Authenticator would not be a solution either (at least not if I want to secure my JNLP and my JARs, too). Quite the contrary, it would have to open another dialog... :-(
    My current solution:
    For the moment I use JWS' default Authenticator, which allows me to easily protect all my stuff on the server side (JNLP, jar, etc.). I can live with the two login dialogs at the initial startup. And instead of querying the credentials from JWS' default Authenticator at runtime, I set two system properties for username and password in the (protected) JNLP file, query them at runtime and hand them to vfs and httpclient. This prevents the 2nd (or 3rd) dialog but is definitely not a great solution. Most of all I'm not happy with the fact that this somehow "destroys" the container-based security advantage of easily configuring authorized users via a separate mechanism, e.g. tomcat-users.xml. Now there has to be one master password that has to be set in the JNLP file! Grrr!
    A possible alternative:
    I'm not sure, but would it be better to secure everything with form-based authentication on the website, and dynamically generate username and password into the JNLP file? But what happens when the admin changes the password on the server and the user starts the application via desktop link??? In the case of basic authentication I think JWS would pop up the login dialog again. However, if I use the old username and password generated into the JNLP it won't work. I think the user then has to access the website again. This is not good at all! :-(
    The only real solution:
    Should I write a small application which can be downloaded by everybody and on startup queries the user's credentials, validates them with the help of our server, and uses the javax.jnlp API to download the secured JARs of my real application? This seems like so much overkill! Does anybody have experience with this approach? How difficult is it to implement the whole download/update stuff with javax.jnlp?
    WHAT HAVE I MISSED???
    AM I COMPLETELY WRONG???
    WHAT IS THE EASIEST WAY???
    AND WHAT IS THE BEST WAY???
    thank you so much,
    stephan

    Not sure whether I understood correctly what you want to do, but up to now I can't see any problem.
    If you have a structure like this:
    /ctxroot/
           launch.jnlp
           /app/
               *.jar
               *.whatever
     you may use in your web.xml:
         <servlet>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <servlet-class>jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
         </servlet>
         <servlet-mapping>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <url-pattern>*.jnlp</url-pattern>
              <url-pattern>/app/*</url-pattern>
         </servlet-mapping>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>Application</web-resource-name>
                   <url-pattern>/app/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>bla</role-name>
                   <role-name>fahsel</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>Subscription</web-resource-name>
                   <url-pattern>*.jnlp</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>whatever-realm</realm-name>
         </login-config>
         <security-role><role-name>bla</role-name></security-role>
         <security-role><role-name>fahsel</role-name></security-role>
     ...Then you may use the Service stuff like:
         BasicService bs = (BasicService)ServiceManager.lookup("javax.jnlp.BasicService");
         URL codeBase = bs.getCodeBase();
         URL pu = new URL(codeBase.toString() + "whatever.bla");
         HttpURLConnection res = (HttpURLConnection) pu.openConnection();
         res.setInstanceFollowRedirects(true);
         res.setRequestMethod("GET");
         res.setConnectTimeout(10 * 60 * 1000);
         res.connect();
         String enc = res.getContentType();
    ...Where is the problem? If you wanna intercept certain "calls" to an app resource, just use a filter, which decides, whether to answer the request directly by itself or to pass it to the JnlpDownloadServlet ...

  • Understanding JAR signing

    The following link says that the public key that corresponds to the private key used to sign the JAR is placed in the JAR, along with its certificate.
    http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html
    I have a couple of questions: are both the public key and certificate in the DSA file? (The document makes it seem like the public key and its certificate are separate - but doesn't the certificate contain the public key its certifying?)
    Are the only 2 ways the public certificate trusted is if the public certificate is imported into the "cacerts" file or into another keystore specified in the jarsigner -verify command? (In the cacerts case you could just omit options relating to the keystore?)
    Why are the SHA1-Digest values different in MANIFEST.MF and the SF file for a given file within the JAR?
    What's the difference between the SHA1-Digest-Manifest and SHA1-Digest-Manifest-Main-Attributes values in the SF files?
    Thanks.

    I know some answers:
    1. Yes, the public key is inside the certificate, in the DSA file
    2. AFAIK, if the certificate is signed by someone in the cacerts file, it's OK
    3. In MANIFEST.MF, the hash value is for the file content. In the SF file, the hash value is for the corresponding section in MANIFEST.MF
    4. SHA1-Digest-Manifest-Main-Attributes is the hash value for the header part of MANIFEST.MF
    You can find out all the details by reading the source code in OpenJDK.
    BTW, Are you going to write a jarsigner yourself?
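    A worked check of points 3 and 4 above, added here as an example (not code from the thread or from the JDK): it builds a constructed MANIFEST.MF and the matching .SF the way jarsigner lays them out, then re-derives every digest so that a modified file or manifest shows up as a mismatch. It assumes CRLF line endings and names short enough that no 72-byte continuation lines occur.

```python
import base64
import hashlib

CRLF = "\r\n"  # manifest lines are CRLF-terminated; a blank line ends each section

def b64_sha1(data: bytes) -> str:
    """Base64 of the SHA-1 digest, the encoding jarsigner uses for SHA1-Digest values."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def sections(raw: bytes) -> tuple:
    """Split MANIFEST.MF/.SF into (main section, {Name: section}), each keeping its blank line."""
    blank = (CRLF + CRLF).encode()
    chunks = raw.split(blank)
    entries = {c.decode().split(CRLF)[0][len("Name: "):]: c + blank
               for c in chunks[1:] if c.strip()}
    return chunks[0] + blank, entries

def attrs(section: bytes) -> dict:
    """Header-to-value map of one section."""
    return dict(line.split(": ", 1) for line in section.decode().split(CRLF) if ": " in line)

def build_manifest(files: dict) -> bytes:
    """MANIFEST.MF: each entry's SHA1-Digest is the hash of that file's content (point 3)."""
    text = "Manifest-Version: 1.0" + CRLF + "Created-By: constructed example" + CRLF + CRLF
    for name, content in files.items():
        text += "Name: " + name + CRLF + "SHA1-Digest: " + b64_sha1(content) + CRLF + CRLF
    return text.encode()

def build_sf(mf: bytes) -> bytes:
    """The .SF: SHA1-Digest-Manifest hashes all of MANIFEST.MF, ...-Main-Attributes hashes only
    its main section (point 4), and each entry hashes its MANIFEST.MF section, not the file."""
    main, entries = sections(mf)
    text = ("Signature-Version: 1.0" + CRLF + "SHA1-Digest-Manifest-Main-Attributes: "
            + b64_sha1(main) + CRLF + "SHA1-Digest-Manifest: " + b64_sha1(mf) + CRLF + CRLF)
    for name, section in entries.items():
        text += "Name: " + name + CRLF + "SHA1-Digest: " + b64_sha1(section) + CRLF + CRLF
    return text.encode()

def verify(sf: bytes, mf: bytes, files: dict) -> list:
    """Re-derive file -> MANIFEST.MF -> .SF digests; returns the mismatching names, [] if all check out."""
    mf_main, mf_entries = sections(mf)
    sf_main, sf_entries = sections(sf)
    top, bad = attrs(sf_main), []
    for key, data in (("SHA1-Digest-Manifest", mf), ("SHA1-Digest-Manifest-Main-Attributes", mf_main)):
        if top.get(key) != b64_sha1(data):
            bad.append(key)
    for name, section in mf_entries.items():
        if (attrs(sf_entries.get(name, b"")).get("SHA1-Digest") != b64_sha1(section)
                or attrs(section).get("SHA1-Digest") != b64_sha1(files.get(name, b""))):
            bad.append(name)
    return bad
```

    Only the digest chain is checked here; the signature over the .SF (the .DSA/.RSA block) is a separate step.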

  • Sign with a smartcard

    Hello, following the migration of Acrobat Reader to the 11.0.9 release, we have seen a regression in the ability to sign a PDF document with a certificate embedded in a smart card. Version 11.0.8 allowed this. Are you aware of this regression? The certificate has the key usage attribute: critical digitalSignature

    Hi,
    You can find some details below about the problem of signing with a certificate embedded in the smart card.
    For your information, here are some details about the properties of the embedded certificate, from the command openssl x509 -in file -text :
               Netscape Cert Type:
                    SSL Client
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, Microsoft Smartcardlogin
                X509v3 Key Usage: critical
                    Digital Signature
    On the second point, the output of the command certutil -scinfo is:
    0: Dell Dell Smart Card Reader Keyboard 0
      1: Gemplus USB Smart Card Reader 0
    --- Lecteur : Dell Dell Smart Card Reader Keyboard 0
    --- Statut : SCARD_STATE_PRESENT | SCARD_STATE_INUSE
    --- Statut : La carte est partagée par un autre processus.
    ---   Carte : Axalto Cryptoflex .NET
    ---    ATR :
         3b 16 96 41 73 74 72 69  64                        ;..Astrid
    --- Lecteur : Gemplus USB Smart Card Reader 0
    --- Statut : SCARD_STATE_EMPTY
    --- Statut : Aucune carte.
    ---   Carte :
    And the smart card driver configuration is Gemalto minidriver for .NET Smart Card
    Driver provider: Gemalto / Driver date: 04/06/2011 / Driver version: 8.3.13 / Driver signature: Microsoft Windows Hardware Compatibility Publisher
    a- When checking the capabilities of Adobe Reader XI version 11.0.09 to read the X.509 certificate, Adobe Reader is able to read the X.509 certificate. This can be checked from the certificate information in the Approved Identities box;
    a second window confirms that the certificate is able to sign a document. So we try to sign a test file.
    For that, we take a test file and go to the menu "File and Sign". We get a box to draw a rectangle for the signature.
    First problem: the window does not present my certificate embedded in the smart card. Only the software certificate is presented.
    So we try to register my card in the Adobe Reader store by creating an ID. A window appears for a device connected to the computer.
    But the result is not really good, and we get a message that Adobe is not able to find the hardware token:
    "Acrobat None normally found new digital ID. If your digital ID is on a hardware token, verify that it is plugged in and its interface is configured correctly. Contact your system administrator for further assistance."
    With the previous versions of Adobe Reader, we were able to sign the file, and the result is:
    Version 9.0.0 - Detail of the signature: the signature is created with Adobe Reader 9.0.0 - the hash is SHA1
    Version 11.0.7 - Detail of the signature: the signature is created with Adobe Reader 11.0.7 - the hash is SHA256
    To summarize, with version 11.0.9 the connection with the smart card driver is not established, but it is possible to read the certificate from the Windows store.
    Thanks for your feedback on this problem

  • How to view the certificate that a component has been signed with?

    Hi all,
    Been using java webstart deployment for a while so understand how to sign and deploy java applications.
    The question I have is how to view the certificate that was used to sign a jar. For example, if I signed a jar "myComponent.jar", how can I then view the certificate details within this jar? I currently have an old component which I signed with an old certificate and want to view the expiration details.
    Thanks in advance
    Simon
    Edited by: simon_seagroatt on Sep 22, 2009 4:20 AM

    You can use this command (it will show CN, OU, O, L, etc... and the expiration date, of course):
    jarsigner -certs -verify -verbose pathToYourJar.jar
    I'd suggest redirecting the output (>>out.txt).
    Bye.

  • Signing Bouncy Castle or third party provider's jar file with signtool

    Hi,
    I am using JDK 1.4.2 and bouncy castle as a provider for RSA.
    It worked fine until recently when my company asked me to compile and build the jar from the source code from bouncy castle, instead of using the binary version provided in their website.
    But I only have a certificate obtained from Verisign. So I used signtool 1.3 from Netscape to sign the jar file, which could be verified by jarsigner. But when I used the one signed with my company's certificate, it didn't work. The exception is
    java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
    at javax.crypto.Cipher.getInstance(DashoA6275)
    When I switch back to the signed jar file provided by Bouncy Castle, everything works ok again.
    It looks like the jar file is not recognized properly.
    Can anyone tell me if I can use the signtool to sign the provider's jar file? Or I have to sign with jarsigner?
    Thanks for the help.

    > Thanks for your reply.
    > I am reluctant to use the lightweight crypto API
    > because it will be difficult to switch to another
    > service provider.

    True. However, if you switch to another Provider, you'll have the same trouble you're having with BC regarding rebuilding from source.

    > In BC's website, they don't have "cleanroom" JCE
    > listed for JDK 1.4
    > Can you give some resource for that?

    Hmmm - no, I can't. I haven't needed the cleanroom impl, so I stopped paying attention to it. I don't know if BC is working on a 1.4-compatible one or not. You might post a note to the dev-crypto mailing list BC runs.

    > Can I sign BC's jar file by my JCE certificate if I
    > obtain one from SUN?

    Unless you're recognized by Sun as a company that does significant security development, you will NOT get a security-signing cert. Several of us have already made the attempt.
    The net is, what your bosses are asking for is unreasonable, and is preventing you from getting your job done. If they continue to insist that you build your security code from source, then you CANNOT use the JCE structure, period. In that case, you might as well use the BC lightweight API.
    Grant

Maybe you are looking for