Solved

Properly signing and verifying jar files

Posted on 2014-02-09
16
9,071 Views
Last Modified: 2014-03-04
I'm beginning to have a big problem now that clients are updating their machines to the new version of java:

java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

Since this has happened, they can no longer run a jnlp application that we've built.  On top of that, the cert that was in place expired two days ago.

I've obtained a new cert which is issued by InCommon Server CA.  For the java jnlp app, I've generated a new keystore from this cert and signed all jar files with this new keystore.

Then I've verified the jar files, e.g.
"jar verified.
Warning:
This jar contains entries whose signer certificate will expire within six months.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2014-05-10) or after any future revocation date. "

After all files have been copied to the server and tomcat has been restarted, I am getting the blocked message: "Application Blocked by Security Settings.  Your security settings have blocked a self-signed application from running."

I can reduce the security slider to medium in the java control panel and it will allow me to run this application.  When I do that, I'll get a popup stating, "Do you want to run this application?  Publisher: UNKNOWN ...  This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute."

Obviously, I do not want the sites to have to reduce the security slider to medium and I also think Oracle will remove that option in the future.

So I'm back to signing the app.  I have a legitimate cert from InCommon CA and this should work.  I'm doing exactly what I've done in the past for creating the keystore and signing the jars.  That seems to not work this time around.  Also, if I recall, in the past, when the app launched it would always show "Unknown Publisher".  So maybe that was not done correctly  before and now with update 51, it's catching up with me.

Can you please provide any helpful information, particularly with verifying that I'm generating the keystore and signing jars correctly?
Question by:mock5c
16 Comments
 
LVL 35

Expert Comment

by:mccarl
Can you please provide any helpful information, particularly with verifying that I'm generating the keystore and signing jars correctly?
In order to do that can you provide more detail about the procedure that you use to do all this? The following statement of yours is particularly interesting...
I've generated a new keystore from this cert
From everything I know, you should have the keystore created first (with the private/public key pair generated and stored in it) and then from that, you generate the Certificate Signing Request (CSR) that you send to your CA for them to generate a certificate. Then you can import the received cert into the original keystore that contains the key pair and then use that to sign your jars.
 

Author Comment

by:mock5c
Since I know next to nothing about dealing with certs, I'll start with asking:

Is a cert application specific or can it be used for many different applications?

I see new .csr and .cert files on the server.  My understanding is that a certificate authority sent us the new cert.  I take it that the csr was generated by us and sent to the CA?  I'm told that the certs were imported to tomcat's keystore and copied into pgsql data dir.

Now I'm dealing with an application.  My process was to take the cert file, drop it in a directory and run some build commands.  But now that I look into it more, I think in prior years the cert file that was dropped into the directory was never used because I see nothing that is referencing that cert by name.  And if I remove the cert from the directory, the keystore is still built.  I was under the impression that when the keystore was built, it pulled in the cert and when I signed, it was signing with the new certification.  I think what really happened was a general keystore was created and the jars were "self-signed".  This may explain why the application always said "UNKNOWN Publisher" and now, with the new java version "51", the application is being blocked because the cert is "self-signed".  Before "51", I guess we got away with this self-signed business.

So long story short, I have a csr and cert file.  Assuming I can use this cert file for any application and sign with it, I would like to know the process for properly generating a keystore (or adding this cert to keystore) so that I can sign the jars with this new cert.
 
LVL 86

Expert Comment

by:CEHJ
I think you should start by clearing the cache of any existing apps. Sounds like you're getting 'old' self-signed ones.

Don't forget to sign all jars with the new cert
 

Author Comment

by:mock5c
I've made sure all jars were "signed".  In the past, when I did not do that, I would receive an error message indicating which  jar was not signed.  Now I just get the blocked message.

I think I must not be signing properly.  The process I had in place for previous years apparently is not referencing the cert in any way so the app must have been self-signed but worked prior to update 51.
 
LVL 86

Expert Comment

by:CEHJ
 

Author Comment

by:mock5c
It turned out that I needed a code signing cert.  After obtaining this and signing my jar files, my application is still blocked.  Below are the steps I've gone through.

I requested a code signing cert.  This was imported into IE (it seems to be the only browser that allowed me to obtain this, for whatever reason; I had to re-request this when I first started with Chrome).  Anyway, now that it has been imported to IE, I can export the cert.  To do this (on windows), I go to Internet Options in the control panel and select the Content tab and the certificates button.  Under the personal tab, I see the cert, which I selected to export.

When exporting, my options are:
Do you want to export the private key with the certificate?
1. Yes, export the private key
2. No, do not export the private key

I chose Yes and clicked Next

Then it says:
Select the format you want to use:
Personal Information Exchange - PKCS #12 (.PFX)
1. Include all certificates in the certification path if possible
2. Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)  [this is default selection]
3. Delete the private key if the export is successful

I checked options 1 and 2 (2 was checked by default)

Then I click Next and am prompted to type and confirm a password.  I typed in a strong password.

Then I am prompted for a file name to export as.  This saves as a .pfx (Personal Information Exchange) file.

I used keytool to get the alias name:
keytool.exe -list -v -storetype pkcs12 -keystore myfile.pfx

Then I signed my jars.  I use ant and in the build.xml file, I have something like this for each jar:
<signjar
  jar="${build.home}/jar/jarname.jar"
  alias="thisismyalias"
  storepass="thisismypassword"
  storetype="pkcs12"
  tsaurl="http://timestamp.comodoca.com/rfc3161"
  keystore="../myfile.pfx" />

I verified each jar after signing them:
jarsigner.exe -verify -verbose -certs myjar.jar

All of them say "jar verified.".

After deploying the jar files, I'm still getting the blocked message:
Application Blocked by Security Settings
Your security settings have blocked a self-signed application from running

I've cleared out my Java Cache viewer (applications and resources) and am still blocked.  This shouldn't be a "self-signed" application.  Any suggestions?
 
LVL 86

Expert Comment

by:CEHJ
Try it using javaws at the command line

javaws <the url>



Of course, that app should be in PATH
 

Author Comment

by:mock5c
Same issue when running javaws from command line.  "Application blocked by Security Settings".

The only way I can get it to run is if I reduce my security settings to medium.  Even when doing so, it shows publisher as "UNKNOWN" and states "Running applications by UNKNOWN publishers will be blocked in a future release because it is potentially unsafe and a security risk."

It should not be unknown since I've signed with a valid code signing cert and all jars have been verified.
 
LVL 86

Expert Comment

by:CEHJ
If you've cleared your cache as you say, I would guess the most likely explanation is that despite your efforts, it's still the old (self) cert that's been used to sign it
 

Author Comment

by:mock5c
Is there some process to get the jars to forget everything?   Some of them are 3rd party jars but my main jars are deleted and rebuilt each time.  3rd party jars might be a problem
 
LVL 86

Expert Comment

by:CEHJ
Are the 3rd party jars signed in their own right?
 
LVL 35

Expert Comment

by:mccarl
i verified each jar after signing them:
jarsigner.exe -verify -verbose -certs myjar.jar

All of them say "jar verified.".
You may have already checked this, but you haven't explicitly stated the result here (just that they were verified) so I am just checking... In the above, it should print WHAT certificate was used to sign the JARs. Is this the correct code signing cert that you have received from your CA?


Some of them are 3rd party jars but my main jars are deleted and rebuilt each time.  3rd party jars might be a problem
So have you run the jarsigner -verify -verbose -certs over all these 3rd party JARs too?
 

Author Comment

by:mock5c
I did not look further into the verbose messages about the certs but I will do that and see what I can discover about the 3rd party.  The 3rd party jars would have previously been "signed" with an apparently bogus cert I was using before.  I am not sure if they were signed initially from the vendor.
 
LVL 86

Accepted Solution

by:CEHJ (earned 500 total points)
I am not sure if they were signed initially from the vendor.

You need to look into that. If you find they weren't, I would 'unjar' them, free them of metadata (delete META-INF) and treat them as ones of your own, that you will sign along with the others
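An added example to go with the META-INF tip above and the earlier "manifest does not contain the Permissions attribute" warning. It is not code from the thread; it uses only the Python standard library, and the function names `inspect_jar` and `strip_signatures`, the sample jar it builds, and the `apps.example.org` host are all made up for the illustration. It reads a jar's META-INF to report whether signature files (.SF/.RSA/.DSA/.EC) are present, which entries the old manifest digested, and whether the `Permissions` attribute is set; it then rebuilds a copy with the stale signature files and per-entry digests removed and `Permissions: all-permissions` added, so every jar (third-party ones included) can be signed fresh with the real code-signing cert and a timestamp. It does not check signatures cryptographically; `jarsigner -verify -verbose -certs` remains the tool for confirming which certificate actually signed each jar.

```python
"""Inspect a jar's signing state and strip stale signatures before re-signing.

Standard library only. This does NOT verify signatures cryptographically
(use `jarsigner -verify -verbose -certs` for that); it reads META-INF to
answer the questions that came up in the thread and rebuilds a clean copy
that jarsigner can sign with the real code-signing certificate.
"""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Signature file and signature block suffixes defined by the JAR file spec.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Split MANIFEST.MF into (main_attrs, per_entry_sections).

    Sections are separated by a blank line; a line that starts with a single
    space continues the previous one (the spec wraps lines at 72 bytes).
    """
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for raw in unfolded.split("\n\n"):
        if not raw.strip():
            continue
        attrs = {}
        for line in raw.split("\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        sections.append(attrs)
    return (sections[0] if sections else {}), sections[1:]


def is_signature_file(name):
    # Only files under META-INF/ with these suffixes are signature metadata.
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)


def inspect_jar(jar_bytes):
    """Report what the jar's metadata says about its signing state."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read(MANIFEST).decode("utf-8") if MANIFEST in names else ""
    main, entries = parse_manifest(manifest)
    return {
        "entries": sorted(names),
        "signed": any(is_signature_file(n) for n in names),
        "signature_files": sorted(n for n in names if is_signature_file(n)),
        # Java 7u51 warns when a signed app's manifest lacks this attribute.
        "permissions": main.get("Permissions"),
        "digested_entries": sorted(e["Name"] for e in entries if "Name" in e),
    }


def strip_signatures(jar_bytes, permissions="all-permissions", codebase=None):
    """Return a copy of the jar with every .SF/.RSA/.DSA/.EC removed and a fresh
    manifest: main attributes kept, per-entry digests dropped (jarsigner
    recreates them), Permissions and optionally Codebase added."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        old_main = {}
        if MANIFEST in src.namelist():
            old_main, _ = parse_manifest(src.read(MANIFEST).decode("utf-8"))
        # Manifest-Version must come first; keep the other main attributes.
        main = {"Manifest-Version": old_main.get("Manifest-Version", "1.0")}
        main.update(old_main)
        main["Permissions"] = permissions
        if codebase:
            main["Codebase"] = codebase
        # Values here are short; a general writer would fold lines at 72 bytes.
        manifest_text = "".join(f"{k}: {v}\r\n" for k, v in main.items()) + "\r\n"
        dst.writestr(MANIFEST, manifest_text)
        for info in src.infolist():
            name = info.filename
            if name == MANIFEST or is_signature_file(name) or info.is_dir():
                continue  # directory entries are optional in a jar; drop them
            dst.writestr(info, src.read(name))
    return out.getvalue()


# Constructed sample: a jar "signed" with the old self-signed key.  The .SF
# and .RSA contents are placeholder bytes, not a real digest or PKCS#7 block.
OLD_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.7.0_51 (Oracle Corporation)\r\n"
    "Main-Class: com.example.App\r\n"
    "\r\n"
    "Name: com/example/App.class\r\n"
    "SHA-256-Digest: cGxhY2Vob2xkZXItZGlnZXN0LW5vdC1yZWFs\r\n"
    "\r\n"
)


def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, OLD_MANIFEST)
        zf.writestr("META-INF/OLDSELF.SF", "Signature-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/OLDSELF.RSA", b"placeholder-pkcs7-signature-block")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("before:", inspect_jar(jar))
    clean = strip_signatures(jar, codebase="apps.example.org")  # placeholder host
    print("after: ", inspect_jar(clean))
    # Next step, outside this script: sign `clean` with jarsigner (or the ant
    # signjar task from the thread) using the real PFX and a -tsa timestamp.
```

Run it over each jar that will ship with the jnlp app before the ant signjar step; the `Codebase` value should be the host the application is actually served from, and a jar that reports `signed: True` with an unexpected signature block file name is exactly the "old self cert" case CEHJ describes.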
 

Author Closing Comment

by:mock5c
The application is now running as expected with clean jar signing.  I think it was the 3rd party jars that were my issue.  The META-INF tip helped.  I can now run the app in java's High security setting and it all looks good.
 
LVL 86

Expert Comment

by:CEHJ
:)
