Javakey jar signing question

Similar Messages

• Need some advices on jar signing

  Hi, our's company project will have an app server and some desktop apps.
  App server - tomcat, desktop - are just some application.jar.
  The question is how server may know if the data is from our application.jar or from any thirdparties? May jar signing solve this or there is another way.
  P.S. There will be no Java Web Start
  Thanks in advance.

  1) If you can mount those disks on your database server then YES you can store the RMAN backups of those. You must NFS Mount the disks on your DB server so that RMAN can see them put the bakcups on them. Or you can directly write to the tapes.
  2) No, Flash recovery area is only one parameter pointing to one mounted space and you can't spread it over multiple volumes. What is the size of your database?
  Daljit Singh

• Jars signed with revoked certificate

  Hello,
  I have a situation here where i have jars and wars which were signed using jarsigner. The certificate used to sign the jars is now revoked.
  When java runtime loads these jars, it does not throw any errors/exceptions. Is it the right behavior ?
  Is there any way by which I can configure java runtime to contact the CRL and to throw an error while the jar is loaded. The certificate has information
  about CRL distribution point and also has authorityinfo access details. I tried configuring OCSP in java.security file. But still no luck.
  Any information on this will be helpful.
  Thanks in advance

  Hello EJP,
  Thanks for replying.
  Yes the certificate was valid when the jar was signed. Please note that, there was no timestamp put in the signature.
  So now after the certificate has been revoked, if Java runtime tries to load that jar, isn't it the responsibility of Java runtime to make use of the CRL/OCSP information
  of the public key certificate (present in the jar put by the jarsigner when signing) and validate it for revocation ? (Also, in this scenario, what happens if OCSP is enabled in java.security ?) -OR--- Is it the responsibility of the code that makes use of the jar, to verify whether the certificate used for jar signing has been revoked or not ?
  PS:- I have enabled the security settings in java control panel for certificate revocation checking.
  Please let me know if I am wrong or if I am missing something.
  Also i noticed something with jarsigner. In a signed jar, If i delete a few files and then verify its signature using jarsigner, "jar verified" is returned as result. Isn't the jar tampered when I delete a few files from it ? and hence the Hash of its data changes ? and hence verification should fail ?
  One more question, in case of signed applets, if the certificate is revoked, as soon as the browser tries loading the applet, it throws an error saying certificate that was used for signing has been revoked. (provided browser settings and java control panel settings are all properly set). Is this check initiated by the browser OR Java runtime ?
  Thanks a lot

• URGENT SIGNING QUESTION

  hi all,
  for developing reasons i signed an applet with "MS_JAVA-SDK" and a batch file which looks like that:
  @echo off
  cls
  set prefix=MS_JAVA-SDK
  cd classes
  "..\%prefix%\cabarc" -p -r -s 16384 n ..\lernerdata.cab *.*
  cd ..
  "%prefix%\makecert" -sk ADVESCO -n "CN=ADVESCO" ADVESCO.cer
  "%prefix%\cert2spc" ADVESCO.cer ADVESCO.spc
  "%prefix%\signcode" -j javasign.dll -jp low -spc ADVESCO.spc -k ADVESCO lernerdata.cab
  "%prefix%\chkjava" lernerdata.cab
  while using IE everything works great, but as soon as i want to start the same with netscape 7.0 the java console shows a message wich says:
  "Netscape-Sicherheitsmodell wird nicht mehr unterst�tzt.
  Bitte stellen Sie auf das Java 2-Sicherheitsmodell um."
  (in english something like: netscape security model won�t be supported anymore - please change to the java 2 security model)
  what�s the problem?
  what do i have to do when i want to run my applet with ie and netscape?
  thanx a lot !!!!
  andi

  MS jdk is only Java 1 and from the error message you posted it looks as if Netscape isn't supporting Java 1 anymore only Java 2, thats why it isn't working. I don't know much about signing applets, but I believe there is a tool that ships with the JSDK... its called jarsigner.exe I believe. Just download the newest JSDK and use that jar signer and not the MS one. You might want to search the forums for more info about signing applets, I know I have seen it come up a bunch of times and there is probably a good walkthrough somewhere.

• Applets, Policy Files, jar signing, JNI, etc

  Hi,
  I need an Applet to be able to connect to sockets and use some JNI. Hence, as far as I can tell, I need to use a Policy File. In a standalone application, I have written my policy file tried it out by switching on the security manager. However I am not sure how I do this with an applet.
  I have read many examples of Jar signing, yet every example uses appletviewer and the -J-Djava.security.policy to show the security policy in action.
  However I want this to work through a normal browser, so how do I achieve this?
  Do I specify a URL to the java.security.file in the embed/object/applet tags in the HTML?
  Do I put the policy file in the jar and reference it via the Manifest?
  Any ideas much appreciated,
  John B

  The standard AccessControlException:
  java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
  at java.security.AccessController.checkPermission(AccessController.java:401)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
  at java.lang.ClassLoader.getParent(ClassLoader.java:701)
  Or something like that.
  That's what I'm trying to solve, I wish to use the Java Security Policy system to allow my applet access to various resources, such as writing files. Now I've seen that signing an applet will give it full access (in my view, this is rather insecure, but anyway), however following the steps to sign an applet two or three times has still presented me with the same problem. The signing is ignored, and the exception is thrown.
  Applet signing aside, I fail to see any documentation stating how the policy file is used by the VM when running on a browser. I assumed it might be an entry in the Jar's manifest file, but again, I can find no documentation.
  It's all very annoying, and Sun have done quite a bad job at documenting this. For example, their example talkes about -D-Jjava.security.policy=.... being passed to appletviewer. Who on earth uses appletviewer! If policies only work with that, then they are useless. I want them to work with whatever browser the applet is being run within.
  Surely this isn't too much to ask? :)

• JApplet jar signing

  Hi,
  My requirement is to bring a set of files from the server to the client thru JApplet..
  (Japplet,jdk1.3,weblogic,jre1.3) is the environment.
  I know that the jar file has to signed etc.. but is there any way by which i can accomplish this
  without jar signing..
  If it is not possible, is there any way to test the jar signing (any trial version etc).I just want to
  test it before buying the Verisign etc..
  Could any one help me on this...
  Thanks

  Can we customize sign_webutil.bat to do this?Yes, you can. Only be careful to webutil password

• PJC jar sign

  hi,
  i want to use some jar file as :
  http://forms.pjc.bean.over-blog.com/article-1830062.html
  but need to sign and i don't know how to sign .
  plz help for sign .

  Thanks for the response. I looked over getting JAR signing to work, but this applet is being hosted on the local machine and that process required an online URL. Knowing that my command line argument was wrong helped a lot though, I eventually loaded up the policytool program and got the syntax I needed for the policy file.
  grant codeBase "file:/C:/WINDOWS/java/classes/Client_2.0/classes/Client/*" {
  permission java.security.AllPermission;
  };

• Signing a jar file question

  Hello folks
  Have a tough one here.  We have a Legacy System that uses some 3rd party software called Reflections For Web (RWeb) from Attachmate in order to allow the Legacy System to interface with a mainframe system.  One of the files needed by this RWeb software is a jar file called KeyToolsPro_jce1-2-1_signed.jar which itself was created by another company.  The problem we are having is that due to the security changes in Java 7u51 this file is blocked due to not having the appropriate manifest entries and due to being signed by an unknown certificate CA.  This problem is compounded by the fact that the company that created the file is no longer in business and as such cannot make the changes needed to the manifest file.  Also the problem with the signature it seems is due to it being a cryptographic file it needs to be signed by a JCA code signing CA which is not recognized by the AF.  This page talks about signing it with either a Sun or IBM JCA code signing CA:
  http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html#integritycheck
  My question would be is this still the only way to do this?  Or is it possible that another type of CA could be considered "trusted" for the purposes of signing this type of jar file?  Since it talks about a Sun certificate it does seem like the documentation might be a bit outdated and that perhaps any trusted code signing CA could be used to sign the file.
  Thanks in advance.

  You can add a manifest to a jar file like this:
  jar ufm MyJar.jar manifest.txt
  You'll then need to resign the JAR.  You'll need a code-signing certificate for this.  You can obtain a real one from a provider, or generate your own CA and use it to sign a code-signing certificate yourself.
  You can add a CA to the trusted list like this:
  C:\Program Files (x86)\Java\jre7\lib\security>keytool -importcert -alias MyCA -file c:\cacert.cer -keystore cacerts -storepass changeit -noprompt
  where c:\cacert.cer is the certificate for the CA. 
  However, it may be easier to add your internal server to the exceptions list using the Java control panel.

• Multiple-jar applet question

  Here's a basic question that none of the examples seem to address. If my applet is comprised of multiple jars (some dynamically loaded based on system configuration), do they all have to be signed, or does just the jar file containing the applet entry point need to be signed?
  Conversely, could it be that only the jar files that contain code that wants to write files to the local file system need to be signed, or does everything need to be signed?

  Conversely, could it be that only the jar files that contain code that wants to write files to
  the local file system need to be signedThe Stack needs to be "trusted" code. If an unsigned applet "not trusted" calls a method
  of the signed applet it should not be allowed to do "trusted" things.
  One example is when you call a public method of the applet from javascript. There is a
  sollution other that signing all.
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post

• Understanding JAR signing

  The following link says that the public key that corresponds to the private key used to sign the JAR is placed in the JAR, along with its certificate.
  http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html
  I have a couple of questions: are both the public key and certificate in the DSA file? (The document makes it seem like the public key and its certificate are separate - but doesn't the certificate contain the public key its certifying?)
  Are the only 2 ways the public certificate trusted is if the public certificate is imported into the "cacerts" file or into another keystore specified in the jarsigner -verify command? (In the cacerts case you could just omit options relating to the keystore?)
  Why are the SHA1-Digest values different in MANIFEST.MF and the SF file for a given file within the JAR?
  What's the difference between the SHA1-Digest-Manifest and SHA1-Digest-Manifest-Main-Attributes values in the SF files?
  Thanks.

  I know some answers:
  1. Yes, public key is inside the certificate, in DSA file
  2. AFAIK, if the certificate is signed by someone in the cacerts file, it's OK
  3. In MANIFEST.MF, hash value is for file content. In SF file, hash value is for the section in MANIFEST.MF
  4. SHA1-Digest-Manifest-Main-Attributes is the hash value for the header part of MANIFEST.MF
  You can find out all the details by reading the source codes in OpenJDK.
  BTW, Are you going to write a jarsigner yourself?

• Jar signing may be applied to WAR/EAR files?

  Greetings,
  I wonder if the WAR/EAR files (J2EE related) can be also affected by signing it. I mean, when a signed jar file is updated with class, the JVM will throw an error about the signature of that class doesn't match the class file.
  Now, since a WAR/EAR file is a JAR file but with JAR files instead classes files, I wonder if signing a WAR/EAR file and if someone update it without signing, the application server (e.g., tomcat) will verify the signature?
  If true, that would be just great since I may have resources (JSP files and similar stuff) that would be just great if I could verify its integrity.
  thanks,
  Pedro Salazar.

  Indeed, but I was referring to remove the signature block and also the digests in the manifest file, - a clean (unsigned) jar file :-)
  Now, I have question for you:
  Is it possible to compel that a jar must be signed by a specific entity (certificate) to be validated? For instance, anyone could repack the jar in a clean jar file, and the system wouldn't care about that. So, I would like to say that the jar file to be validade must be signed by a specific entity. Is there any policy to say for a specific jar file? The problem here could be how to refer that to the jar file since it would be deployed in a application server...
  Maybe I should open a new thread about this, but you may also clarify me this shortly...
  regards,
  Pedro salazar.

• Applet and dependency jars signing

  Hi applet gurus,
  I hope to receive help from you with the following issues:
  1) I'm trying to sign an applet application which has dependency jars. So my first question is: Do I have to sign also the dependency jars? If yes, can I sign them with the same certificate?
  2) As I want to suppress warning messages from the applet which might scare ordinary users, I'm putting Permissions and Caller-Allowable-Codebase attribute in the manifest. If I have to sign also the dependency jars, do I have to also put these attributes into their manifest files? If yes, how?

  I'm not a guru, but the answer to question 1) is yes. I know this because I've seen plenty of historical problems in this forum relating to exactly this, especially in combination with Bouncy Castle which seems to already be signed with its own certificate. You should sign them with the same certificate as your application I believe, but that would require experimentation to confirm.
  I don't know anything about 2). The only thing I know is that it is likely impossible to completely remove the popup, a user will have to accept it at least once even when you have a valid signed certificate. I mean I have seen Microsoft software ask if I trust Microsoft
  Final note: be sure you are actually allowed to legally modify and distribute the jars in such a way! Probably yes, but it would be very unfortunate if you get slapped with a lawsuit because you broke the usage terms of a particular commercially oriented third party jar that you failed to notice.

• JAD / JAR attributes questions.

  From what I can tell there are 18 attributes (16 MIDlet- and 2 MicroEdition-) that are mentioned in JSR 118. Excluding for now the Runtime-Execution-Environment.
  The JAD has five mandatory attributes (Name, Version, Vendor, Jar-URL and Jar-Size). The JAR has five (MIDlet-Name, Version and Vendor and MicroEdition-Profile and Configuration). I know that Name, Version, Vendor must always match (signed or unsigned).
  My questions are about the other optional attributes and how they should be validated and the rules around if an attribute(s) is included in the JAD does it need to be in the JAR as well and must it always be identical.
  Example1 (assuming mandatory atts are present and valid)
  Jad = MIDlet-Icon: icon.png
  JAR = MIDlet-Icon is not present
  App is signed. Should this cause an error or is it allowed? What if the app is unsigned?
  Example2:
  Jad = MIDlet-Icon: icon.png
  JAR = MIDlet-Icon: stars.png
  App is signed. I think this would result in a 905. What if unsigned?
  I've seen some docs that refer to four attributes that the JAD should ignore: MIDlet-Jar-Size, MIDlet-Jar-URL, MIDlet-Install-Notify and MIDlet-Delete-Notify. Are there others?

  Can you find the specifications for your device. Nokia, Motos, SEs all list the specs for their devices. Try visiting the web site for your device. There are also some sites that index the specs for phones

• WebUtil Jar signing error

  Can anyone help me with this error:
  keytool error: java.lang.Exception: Key pair not generated, alias <####> already exists

  Check whether there is a file named ".keystore". If yes, delete this file and again try to sign the jar file.
  Hope it helps u...

• Classpath and jar file question

  my application need to use few jar files i downloaded from the internet
  so i need to set the classpath so that i can import the packages in the jar file rite?
  let say set classpath=.;c:\somedir\bin;
  the ".;" after the "=" means that i search the current directory first then search the directory i have specified after that rite?
  if so, can i put all the needed jar files in the current directory so that my application can use them??
  Another question is if all the jar files in located in the same directory how can i set the class path to refer to them without sepecifying each of the jar file name??can i just put the directory path and will it locate them automatically when my application start??
  can anyone tell me about it??thanks

  No, you need to include each and every jar file in your classpath.
  Or put them all in your <jdk_installation_dir>\jre\lib\ext directory, so that they will get included in your classpath automatically.
  Sudha