I have an applet which depends with many jars. After I update the java to 7.45 the applet generate message saying “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute”
I added permission attribute “Permissions: all-permissions” to all manifest files after that I resigned all these jars by our "6NRJ" certificate.
All jars was well signed but unfortunately the applet generate an exception only in "bcprov-ext-jdk16-140.jar".
Here the exception details:
java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
at javax.crypto.JceSecurity.getInstance(JceSecurity.java:101)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:249)
at org.bouncycastle.cms.CMSEnvelopedHelper.createKeyGenerator(Unknown Source)
at org.bouncycastle.cms.CMSEnvelopedHelper.createSymmetricKeyGenerator(Unknown Source)
at org.bouncycastle.cms.CMSEnvelopedDataGenerator.generate(Unknown Source)
at com.atexo.mpe.applet.AppletDiagnostic.init(AppletDiagnostic.java:142)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.util.jar.JarException: http://wma-migration.whitecapetech.local/ressources/applet/bcprov-ext-jdk16-140.jar is not signed by a trusted signer.
at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:503)
at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
at javax.crypto.JceSecurity.getInstance(JceSecurity.java:98)
... 8 more
I think that bcprov-ext-jdk16-140.jar was signed before by bouncy castle.
Is there a way to re-sign "bcprov-ext-jdk16-140.jar" after adding the permission attribute ?
Thanks in advance for help
"I think that bcprov-ext-jdk16-140.jar was signed before by bouncy castle."
No, you can verify this opening the jar. You Will find no signature in it.
"Is there a way to re-sign "bcprov-ext-jdk16-140.jar" after adding the permission attribute ? "
yes. Open the bcprov jar. Add the permission attribuite using a text editor. Sign using jarsigner.
Related
I was trying to deploy Signal Server according to the guidelines here.
Link
Everything was success in the build part. But when i run the service using this command
java -jar service/target/TextSecureServer-3.21.jar server service/config/config.yml
I am getting below errors.
INFO [2020-09-10 04:52:48,319] io.dropwizard.server.DefaultServerFactory: Registering jersey handler with root path prefix: /
INFO [2020-09-10 04:52:48,320] io.dropwizard.server.DefaultServerFactory: Registering admin handler with root path prefix: /
org.bouncycastle.openssl.PEMException: problem parsing cert: java.security.cert.CertificateException: java.lang.IllegalArgumentException: unknown object in factory: org.bouncycastle.asn1.DERUnknownTag
at org.bouncycastle.openssl.PEMReader$X509CertificateParser.parseObject(Unknown Source)
at org.bouncycastle.openssl.PEMReader.readObject(Unknown Source)
at org.whispersystems.textsecuregcm.push.RetryingApnsClient.initializeCertificate(RetryingApnsClient.java:76)
at org.whispersystems.textsecuregcm.push.RetryingApnsClient.<init>(RetryingApnsClient.java:49)
at org.whispersystems.textsecuregcm.push.APNSender.<init>(APNSender.java:70)
at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:246)
at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:151)
at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
at io.dropwizard.cli.Cli.run(Cli.java:78)
at io.dropwizard.Application.run(Application.java:94)
at org.whispersystems.textsecuregcm.WhisperServerService.main(WhisperServerService.java:406)
Caused by: java.security.cert.CertificateException: java.lang.IllegalArgumentException: unknown object in factory: org.bouncycastle.asn1.DERUnknownTag
at org.bouncycastle.jce.provider.JDKX509CertificateFactory.engineGenerateCertificate(Unknown Source)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
... 12 more
Caused by: java.lang.IllegalArgumentException: unknown object in factory: org.bouncycastle.asn1.DERUnknownTag
at org.bouncycastle.asn1.x509.AlgorithmIdentifier.getInstance(Unknown Source)
at org.bouncycastle.asn1.x509.TBSCertificateStructure.<init>(Unknown Source)
at org.bouncycastle.asn1.x509.TBSCertificateStructure.getInstance(Unknown Source)
at org.bouncycastle.asn1.x509.X509CertificateStructure.<init>(Unknown Source)
at org.bouncycastle.asn1.x509.X509CertificateStructure.getInstance(Unknown Source)
at org.bouncycastle.jce.provider.JDKX509CertificateFactory.readDERCertificate(Unknown Source)
... 14 more
Anyone know the exact issue here ?
Also i didnt change serverSecret & serverPublic under zkConfig. (I dont know how to get these). What it does mean by * # zkgroup config, run using your build jar * as in the documentation ?
Problem solved. This exception came due to improper PEM format of reading cerKey file. Anyhow current crtKey form is PEM only, but it need a extended form of PEM.
i used below command to generate it.
openssl rsa -in cert.key -outform PEM -out cert.key
Then all above errors were disappeared.
I did enter the above command but i got this error
Can't open cert.key for reading, No such file or directory
140021811573184:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('cert.key','r')
140021811573184:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load Private Key
and I did everything I could I generated all kind of certificate I could find on Internet but no change in result. could you please tell me what to do it's so important to me. thanks alot
In my job I have a requirement to sign XML file with certfifcate from SmartCard. Everything works fine but on 32bit Windows 7 VM.
The problems occur when I try to use the same code on 64bit Windows 10. I get error that "PKCS#11 not found" and "no such algorithm".
I use xades4j package. I've tried probably all solutions found in the web i.e.
Used different .dll libraries (pkcs11.dll, opensc-spy.dll, CPPkiP.dll, esp2003csp11.dll) in both 32 and 64 bits versions.
Placed .dll in both System32 and SysWOW64 directories.
Updated drivers for my reader (IDBridge CT30).
Changed jre to 32bit.
Used solutions from PKCS11 Reference Guide (without xades4j) - it also worked only on 32 bit.
Nothing helps and always the same exceptions occur. If someone have any ideas what else I could do, I will be really thankful for tips.
Best regards.
Caused by: java.security.KeyStoreException: PKCS11 not found
at java.security.KeyStore.getInstance(Unknown Source)
at java.security.KeyStore$Builder$2$1.run(Unknown Source)
at java.security.KeyStore$Builder$2$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 7 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-SmartCard
at sun.security.jca.GetInstance.getService(Unknown Source)
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at java.security.Security.getImpl(Unknown Source)
... 11 more
I found library which solved my problem. It's https://github.com/esig/dss. I used JavaSE11(jdk-11.0.2), pkcs11.dll placed in C:/Windows/System32 directory.
Before run application it is necessary to add VM argument -Djava.security.debug=sunpkcs11,pkcs11
I have a Java servlet application developed and on my develpment PC everything works as expected including using SFTP programmatically to copy over a PDF using HTTPS on port 8443 etc and with SSL certificates in place too.
However, when I attempt to run the application on the Live server I receive the error;
java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.SunJCE_b
On investigation, some are suggesting check the jce.jar. But I have ensured the jce.jar is present and also created a "lib" folder in my project and copied the jar there and placed the jar on my build path but still the problem exists.
How do I resolve this please? Thanks in advance. Here is the console output from right after Tomcat has started the application;
#
08-Jan-2014 10:45:44 org.apache.catalina.startup.Catalina start
INFO: Server startup in 12715 ms
08-Jan-2014 10:47:42 org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.SunJCE_b
at javax.crypto.Cipher.getInstance(DashoA13*..)
at com.sun.net.ssl.internal.ssl.JsseJce.getCipher(Unknown Source)
at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap
(SecureNioChannel.java:343)
at org.apache.tomcat.util.net.SecureNioChannel.handshake
(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run
(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
The jce.jar must be inside the folder WEB-INF/lib of the deployed web application.
I've seen this problem pop up very often and there seems to be a lot of confusion around it. The actual reason this is happening is because the JRE you are using to run your application has been set up with the unrestricted JCE policy jars inside its jre/lib folder (inside your jdk install folder).
If your current project does not need these, then you can move then out of this folder temporarily. This will remove the requirement on the jce libraries and you will no longer see this error.
Hope this helps.
i have the following JNLP file:
<jnlp spec="1.0+" codebase="http://****:****" href="tcm2012.jnlp">
<information>
<title>TCM 2012</title>
<vendor>Drift og Performance, *** Servicecenter</vendor>
<homepage href="http://******"/>
<description/>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.6+"/>
<jar href="tcm2012.jar"/>
</resources>
<application-desc main-class="com.****.kundeservice.TCMApplication"/>
</jnlp>
Now when i try to run in from the web i get the following error:
Found unsigned entry in resource
With the following exepction
com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: http://*****:****/tcm2012.jar
at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
at com.sun.javaws.security.SigningInfo.check(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Does anyone know how to fix this problem?
This worked for me:
Go the Control Panel/Java.
Then click on “Settings” button and activate the option “Keep temporary files on my computer.”
It’s weird, but it worked!
The problem can also occur with older Java Versions if you sign with a newer Java versions.
Sign with 1.8u74 and older works with all versions
Sign with 1.8u101 and newer works with 1.7u80 and newer but not with older versions on the client.
There seems a incompatible change in the sign algorithm.
I had a similar problem with my applications.
I' ve a java swing application deployed with javaws:
when I run the application using JRE 1.6 I get the exception
when I run the application using JRE 1.7 and JRE 1.8 it works
I checked all the jar, MANIFEST.MF etc. and all was fine.
Finally I discovered that I've used a new TSA endpoint to sign my jars.
when I use this TSA http://tsa.starfieldtech.com the application run fine with JRE6,8
when I use this TSA http://services.globaltrustfinder.com/adss/tsa the application runs only with JRE8
From this resource http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html I read
To generate the time stamp, jarsigner communicates with the TSA with the Time-Stamp Protocol (TSP) defined in RFC 3161. When successful, the time stamp token returned by the TSA is stored with the signature in the signature block file.
Someone can give more insight about this problem? In particular I don't want to be forced to use a particular TSA.
Why there are this differences between TSA?
Thanks
I my case the applet really had unsigned entry in META-INF folder. )
One way to fix that would be to re-sign it.
But in java 8 self-signed applets were demoted to almost the same level as unsigned ones. And the applet didn't required any additional privileges.
So it was sufficient to just un-sign it and add to trusted sites list.
I had the same problem when compiling on my linux maschine (with JDK 6 U45).
But I got this error only when I also tried to start the signed application with Java 6 U45.
When I try to start the application with a newer Java-Version (e.g Java 8) it was OK all the time, with no error message.
When I used a windows maschine to compile the project (also with 6 Update 45), it strangely works also when I use Java 6 U45 to start.
Just my 2 cents....
Cheers!
I get the ff. error in Java Console occassionally:
Exception in thread "thread applet-my.package.MyApplet-10" java.lang.NoClassDefFoundError: another/package/SomeClass
at my.package.MyApplet.init(MyApplet.java:95)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: another.package.SomeClass
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
... 3 more
Caused by: java.io.IOException: open HTTP connection failed:https://myserver/mycontext/applets/another/package/SomeClass.class
at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 7 more
My applet tag is as follows:
<applet codebase="../../applets" code="my.package.MyApplet" class="invisible" id="myApplet">
<param value="value0" name="param0"/>
...
<param value="valueN" name="paramN" />
<param value="folder/myApplet__0.0.1177.jar,folder/commons-io-1.3.2__0.0.1177.jar,..." name="cache_archive"/>
<param value="0.0.1177.0,0.0.1177.0,...," name="cache_version"/>
</applet>
It is important I stress the word "occasionally". Sometimes the applet is initialized without a hitch. This also means that, often, when the browser is restarted, the problem goes away.
I am aware of applet fails to load class from jar and Applet class loader cannot find a class in the applet's jar but I think they are not applicable to my case. SomeClass and MyApplet are in the same jar and the page is being accessed locally.
Caused by: java.io.IOException: open HTTP connection failed:https://myserver/mycontext/applets/another/package/SomeClass.class
This looks like there is a connection issue with retrieving the jar file from the HTTPS server.
I don't know exactly what version of Java are you running, but you can check the reason of the defect pertaining to your problem here.
If this is not the problem, then make sure that there's enough caching for your JAR file when downloaded else it fails to launch. It's not code issue unfortunately.
UPDATE Is your class SomeClass accessing any remote server or database by any chance?
The exception clearly shows that there is an AccessControl privilege that has been denied.
at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
Bear in mind, that applets are like Flash Objects:
They are both downloaded and run from the client side.
Only difference is that Applets were designed with lots of access control rules such as, it must not connect to servers hidden behind company DMZ (De-Militarized Zone), etc.
If that's the case, I suggest you find a way to retrieve your data outside applets (try servlet?)
UPDATE 2 It seems the JVM can't find the trusted certificate to match with your signed jar.
Since your jar file is signed make sure that the jar file can point your trusted certificate (remember, it must be trusted).
More information, check: http://faq.javaranch.com/java/HowCanAnAppletReadFilesOnTheLocalFileSystem AND http://www.developer.com/article.php/3303561
Probably has something to do with http://download.oracle.com/javase/6/docs/api/java/util/ServiceLoader.html. I.e., one or more of the jars defines/expects a provider. Investigate when there is time.