Jar signing problem


Post by SteveInLA » Wed Jun 12, 2013 12:26 am

I have followed the instructions on the wiki for authorizing a self signed certificate by a trusted third party Certificate Authority but after using my authorized keystore file to sign my jars, I get an error on launching the Smart Client that states:
sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
at sun.security.validator.EndEntityChecker.check(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Am I doing something wrong? The keystore file works fine for SSL. I purchased a Code Signing Certificate from Comodo, but it does not appear to be usable for .jar files.
I am using Servoy 7.1.0 and Java 7 Update 21
Any ideas?
Steve in L.A.
SteveInLA
 
Posts: 233
Joined: Thu Jul 29, 2004 12:00 am
Location: Southern Oregon, USA

Re: Jar signing problem

Post by Harjo » Thu Jun 13, 2013 8:00 am

For signing jars, you need a codesign certificate!

That's a totally different certificate.
Harjo Kompagnie
ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4321
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands
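
Added example (not part of the original thread or of Comodo's instructions): the first stack trace above is raised when the signer certificate's Extended Key Usage (EKU) extension does not include code signing, which is the case for a certificate issued for SSL. The script below checks a PEM certificate for that with openssl before any jar is signed; the function names and the two throwaway self-signed certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Check whether a certificate's Extended Key Usage permits code signing.
# A keystore entry can be exported to PEM first with:
#   keytool -exportcert -rfc -alias <alias> -keystore <keystore> -file cert.pem

# eku_of PEMFILE: print the EKU value line, or nothing if the extension is absent.
eku_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# cert_allows_code_signing PEMFILE
#   0 = usable for code signing, 1 = EKU present but excludes it, 2 = unreadable
cert_allows_code_signing() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    eku=$(eku_of "$1")
    case "$eku" in
        '')                         return 0 ;;  # no EKU extension: purpose not restricted
        *'Code Signing'*)           return 0 ;;
        *'Any Extended Key Usage'*) return 0 ;;
        *)                          return 1 ;;  # e.g. only TLS server/client auth
    esac
}

# make_sample_cert EKU OUT.pem: constructed self-signed sample, valid for one day.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" -addext "extendedKeyUsage=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert serverAuth  "$dir/ssl.pem"    # what an SSL keystore holds
    make_sample_cert codeSigning "$dir/code.pem"   # what jar signing needs
    for f in "$dir/ssl.pem" "$dir/code.pem"; do
        if cert_allows_code_signing "$f"; then
            verdict="usable for jar signing"
        else
            verdict="NOT usable for jar signing"
        fi
        printf '%s: EKU=[%s] -> %s\n' "$(basename "$f")" "$(eku_of "$f")" "$verdict"
    done
    rm -rf "$dir"
}
demo
```

This only covers the EKU check behind the first error; the later "Wrong key usage" traces come from OCSP response verification and are not detected by it.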

Re: Jar signing problem

Post by SteveInLA » Fri Jun 14, 2013 12:24 am

As I stated in the original post, I did purchase a Code Signing certificate from Comodo, but not being all that familiar with how to use it, I mistakenly tried to sign the JAR files using .NET's signcode.exe, which does not work for JARs. I have since found these instructions on Comodo's website for using their Code Signing certificates to sign JAR files. I followed the instructions using the Java 7 update 21 JDK and now when I try to launch the solution I get this error:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 17 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
... 23 more


I Googled the first line of the traceback and found an Oracle bug case that refers to encountering this error if Online Certificate Validation is turned off (it is off by default). After turning it on in the Java control panel, the error changes to this:
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 21 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
... 25 more


Googling that one, I found this Oracle bug case that indicates this is a problem with Comodo certificates. Both cases are marked as fixed for version 7u40. As of today, it seems the most recent version of Java is 7 update 21. Am I stuck until the next release of Java or is something else going on that I am missing?

Steve in L.A.

Re: Jar signing problem

Post by SteveInLA » Fri Jun 14, 2013 12:55 am

I found and installed an Early Access Release version of Java 7 update 40 and this issue does seem to be addressed in that release. Now instead of refusing to launch the solution, Java presents me with this:
Image
This is the only warning I get even though I am also using IT2Be plugins and one other third-party plugin. This is the only third-party bean I am using, so maybe there is something different with beans vs. plugins. Besides instructing all my users to check the "Do not show..." checkbox, is there any way to avoid seeing this warning?

Steve in L.A.

Re: Jar signing problem

Post by SteveInLA » Fri Jun 14, 2013 1:06 am

As a test, I checked my stored certificates in my Java control panel and found that I had one already for IT2Be. After removing it, I get the same warning when launching my solution. Sigh. Fortunately, I am finally ready to start converting the solution most used by our customers to use the web client. None of this nonsense seems to be an issue for the web client, though there are other challenges I am already facing.

Steve in L.A.

Re: Jar signing problem

Post by david » Fri Jun 14, 2013 8:23 pm

SteveInLA wrote: None of this nonsense seems to be an issue for the web client, though there are other challenges I am already facing.


If you're going web client, we've been at it for over a year now. You may want to start with http://www.data-mosaic.com.

Exclusive web client customizations
Data Sutra implements many of the latest HTML5 techniques that go beyond what Servoy offers. Customizations include: browser and platform detection, a rockin' date picker, wrappers for various browsers and platforms, elegant spinner notification for blocking actions, registration and login widgets to include on external websites, "pretty" URLs, unique URLs for each screen and record, browser history buttons enabled, Google Analytics, scrollbar styling, URL rewrites for SaaS deployments, session tracking, report preview and printing, etc.


Additionally, the performance stuff we're doing is just as advanced as our UI. So it just doesn't look good.

If you're doing anything major, starting from scratch with web client puts you at the bottom of a bigger mountain than most people think.
David Workman, Kabootit

Everything you need to build great apps with Servoy
david
 
Posts: 1727
Joined: Thu Apr 24, 2003 4:18 pm
Location: Washington, D.C.
