
How to sign java applet with .pfx file?

Developer https://www.devze.com 2023-02-24 23:21 Source: Internet
I was trying to sign a jar applet archive with our company .pfx certificate using this guide (and a few others from the internet):

http://www.globalsign.com/support/ordering-guides/SignJavaCodeAppletsPFX.pdf

Everything seems to be fine, but when I try to run the applet through the browser I see that 'Publisher' is UNKNOWN (untrusted). And when I go to details I'm able to see the proper company name and certificate vendor (GlobalSign). Why is it not properly displayed as known/trusted?

The one thing which looks suspicious to me is the output of the command jarsigner -verify -verbose -certs Applet.jar:

  (...)
  sm      1936 Wed Apr 13 03:00:50 CEST 2011 org/my/Applet.class

  X.509, CN=CompanyName, O=CompanyName, L=Tilst, ST=ProperState, C=DK
  [certificate is valid from 18.02.10 14:58 to 18.02.13 14:58]

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

So it looks like 'k = at least one certificate was found in keystore' is missing (should be smk and it is sm). Is it signed only partially? Or what?

Is it possible that the .pfx file given to me by GlobalSign is somehow wrong or not enough to sign applets? For normal executables it was working just fine...

Any ideas? ;)

EDIT

@Jcs

Looks like you are totally right. I checked my PFX file with keytool and I get:

Your keystore contains 1 entry

Alias name: company_alias
Creation date: Apr 13, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:

So it looks like the chain is not complete.

I'm not sure if it matters, but there are also a few extensions, for example:

#1: ObjectId: (some_numbers_here) Criticality=true
KeyUsage [
  DigitalSignature
]

#2: ObjectId: (some_numbers_here) Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: (some_numbers_here)
   accessLocation: URIName: http://secure.globalsign.net/cacert/ObjectSign.crt]
]
(...)

Question is: is my PFX file totally wrong, or do I somehow need to add the GlobalSign root to it?


According to your post, it seems that there is only one certificate in the signature certificate chain. I verified an applet I signed (this applet works correctly in a browser):

(...)
sm      2419 Thu Mar 31 15:49:14 CEST 2011 org/xml/sax/helpers/XMLReaderFactory.class

      X.509, CN=Company Name, O=Company Name, L=Paris, ST=Ile de France, C=FR
      [certificate is valid from 8/4/10 2:00 AM to 8/4/12 1:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      [KeyUsage extension does not support code signing]

(...)

We can see that there are 2 certificates in the chain since my signing certificate has been issued by the Thawte Code Signing CA.

In your case, if there is only one certificate in the jarsigner output it may indicate that the intermediate CA is missing, and I highly doubt that GlobalSign is directly issuing certificates from the root CA (which is in the Java trust store). Therefore, when the applet is loaded and the signatures are verified, the JVM is not able to rebuild a certificate chain between the signing certificate and the GlobalSign root CA, explaining the current behaviour.

Maybe the PFX file does not contain that intermediate CA. With OpenSSL you can check how many certificates are present:

[jcs@home:~/]$ openssl pkcs12 -in myfile.pfx

or with keytool

[jcs@home:~/]$ keytool -list -v -storetype pkcs12 -keystore myfile.pfx
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: Aug 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2     <--  the chain length is here.
Certificate[1]:
(...)


Thanks a lot for all, especially Jcs :)
I finally discovered that the .pfx file was just imported improperly.
I asked my boss to import it for me from scratch with all possible paths/chains/certificates included and now it works :)
So if anyone has a similar problem, my advice is to try to get/import the certificate again - it's rather a problem with the certificate itself than with the signing method.
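
The chain-length check discussed in the posts above can be automated before signing. The following is an added example, not code from the original posts: it reads `keytool -list -v` output and flags any PrivateKeyEntry that holds only a leaf certificate issued by another CA. The function names, the alias `fixed_alias` and the "Example ..." CA names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original posts): read `keytool -list -v` output
# on stdin and flag key entries whose chain is only a non-self-signed leaf.
check_chain() {
  awk '
    /^Alias name: /               { alias = substr($0, 13); idx = 0; len = 0; type = "" }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { len = $4 }
    /^Certificate\[[0-9]+\]:/     { idx++ }
    /^Owner: /  && idx == 1       { owner = substr($0, 8) }
    /^Issuer: / && idx == 1 && type == "PrivateKeyEntry" {
      # Leaf issued by another CA but stored alone: the intermediate is absent.
      verdict = (len == 1 && owner != substr($0, 9)) ? "MISSING_INTERMEDIATE" : "OK"
      printf "%s %d %s\n", alias, len, verdict
      if (verdict != "OK") bad = 1
    }
    END { exit bad + 0 }
  '
}

# Constructed sample listing (names are placeholders, not real CA data).
sample_listing() {
  cat <<'EOF'
Alias name: company_alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=CompanyName, O=CompanyName, C=DK
Issuer: CN=Example Code Signing CA, O=Example CA, C=XX

Alias name: fixed_alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=CompanyName, O=CompanyName, C=DK
Issuer: CN=Example Code Signing CA, O=Example CA, C=XX
Certificate[2]:
Owner: CN=Example Code Signing CA, O=Example CA, C=XX
Issuer: CN=Example Root CA, O=Example CA, C=XX
EOF
}

# Real use: keytool -list -v -storetype pkcs12 -keystore myfile.pfx | check_chain
sample_listing | check_chain || echo "chain incomplete: re-export the PFX with its CA certificates"
```

The function exits non-zero when any key entry is flagged, so it can gate a build step that runs jarsigner.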
