I have followed the instructions on the wiki for authorizing a self-signed certificate by a trusted third-party Certificate Authority, but after using my authorized keystore file to sign my jars, I get an error on launching the Smart Client that states:
sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
at sun.security.validator.EndEntityChecker.check(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Am I doing something wrong? The keystore file works fine for SSL. I purchased a Code Signing Certificate from Comodo, but it does not appear to be usable for .jar files.
I am using Servoy 7.1.0 and Java 7 Update 21
Any ideas?
Steve in L.A.
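An added example, not part of the original posts and not Servoy or Oracle code: a small Java diagnostic that lists each certificate in a keystore and reports whether its Extended Key Usage and Key Usage extensions allow code signing, which is the condition the ValidatorException above complains about. The class name EkuCheck and the command-line arguments are assumptions, the two checks only approximate what the JRE validator does, and the values used when no keystore is given are constructed samples.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class EkuCheck {
    static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";  // id-kp-serverAuth
    static final String ANY_EKU = "2.5.29.37.0";            // anyExtendedKeyUsage

    // null means the certificate has no EKU extension, so usage is unrestricted.
    static boolean ekuAllowsCodeSigning(List<String> eku) {
        return eku == null || eku.contains(CODE_SIGNING) || eku.contains(ANY_EKU);
    }

    // KeyUsage bit 0 is digitalSignature; null means the extension is absent.
    static boolean keyUsageAllowsSigning(boolean[] ku) {
        return ku == null || (ku.length > 0 && ku[0]);
    }

    static String verdict(String name, List<String> eku, boolean[] ku) {
        boolean ok = ekuAllowsCodeSigning(eku) && keyUsageAllowsSigning(ku);
        return name + ": EKU=" + eku + " -> " + (ok ? "usable" : "NOT usable") + " for code signing";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            // Constructed sample values, used when no keystore is supplied.
            boolean[] sig = {true};
            System.out.println(verdict("ssl-style", Arrays.asList(SERVER_AUTH), sig));
            System.out.println(verdict("code-signing", Arrays.asList(CODE_SIGNING), sig));
            return;
        }
        // Usage (assumed): java EkuCheck <keystore file> <store password>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(verdict(alias, x.getExtendedKeyUsage(), x.getKeyUsage()));
            }
        }
    }
}
```

Running it against the keystore before signing shows whether the certificate was issued for code signing at all, independent of whether the same keystore works for SSL.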
As I stated in the original post, I did purchase a Code Signing certificate from Comodo, but not being all that familiar with how to use it, I mistakenly tried to sign the JAR files using .NET’s signcode.exe, which does not work for JARs. I have since found these instructions on Comodo’s website for using their Code Signing certificates to sign JAR files. I followed the instructions using the Java 7 update 21 JDK and now when I try to launch the solution I get this error:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
… 17 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
… 23 more
I Googled the first line of the traceback and found an Oracle bug case that refers to encountering this error if Online Certificate Validation is turned off (it is off by default). After turning it on in the Java control panel, the error changes to this:
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
… 21 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
… 25 more
Googling that one, I found this Oracle bug case that indicates this is a problem with Comodo certificates. Both cases are marked as fixed for version 7u40. As of today, it seems the most recent version of Java is 7 update 21. Am I stuck until the next release of Java or is something else going on that I am missing?
I found and installed an Early Access Release version of Java 7 update 40 and this issue does seem to be addressed in that release. Now instead of refusing to launch the solution, Java presents me with this:
This is the only warning I get even though I am also using IT2Be plugins and one other third-party plugin. This is the only third-party bean I am using, so maybe there is something different with beans vs. plugins. Besides instructing all my users to check the “Do not show…” checkbox, is there any way to avoid seeing this warning?
As a test, I checked my stored certificates in my Java control panel and found that I had one already for IT2Be. After removing it, I get the same warning when launching my solution. Sigh. Fortunately, I am finally ready to start converting the solution most used by our customers to use the web client. None of this nonsense seems to be an issue for the web client, though there are other challenges I am already facing.
SteveInLA:
None of this nonsense seems to be an issue for the web client, though there are other challenges I am already facing.
If you’re going web client, we’ve been at it for over a year now. You may want to start with http://www.data-mosaic.com.
Exclusive web client customizations
Data Sutra implements many of the latest html5 techniques that go beyond what Servoy offers. Customizations include: browser and platform detection, a rockin’ date picker, wrappers for various browsers and platforms, elegant spinner notification for blocking actions, registration and login widgets to include on external websites, “pretty” URLs, unique URLs for each screen and record, browser history buttons enabled, google analytics, scrollbar styling, URL rewrites for SaaS deployments, session tracking, report preview and printing, etc.
Additionally, the performance stuff we’re doing is just as advanced as our UI. So it just doesn’t look good.
If you’re doing anything major, starting from scratch with web client puts you at the bottom of a bigger mountain than most people think.