I am trying to create a deployment rule set as described here: link
I created a simple rule, to allow everything from localhost like
<rule>
<id location="http://localhost" />
<action permission="run" />
</rule>
After I self-signed the jar file and deployed it in Windows when I try to run a self-signed app(jnlp) from localhost it is still blocked.
Application Blocked by Deployment Rule Set.
Can not verify self-signed Deployment Rule Set jar
Q: Can anyone tell me why is not working? Do I have to sign the deployment jar with a verified certificate? I tried to use the deployment rules to avoid the block for my application. I don't want to lower the security or add my site to the trusted list.
Looks like the rule set jar has to be signed with a verified cert:
The rule set defined in the ruleset.xml file must be packaged in a signed JAR file named DeploymentRuleSet.jar. The JAR file must be signed with a valid certificate from a trusted certificate authority.
(from http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules.html#package)
This article seems to offer an alternative, which involves importing the self-signed cert on all target machines:
https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a
HTH
I just have been throught this process and I was successfull. I followed this blog post to make my own ruleset and it worked like a charm. But with only one trick the command to sign the jar the NA must be replaced by the certificate password or you must omit the storepass parameter so it will ask the password interactively.
I think you should check:
You imported your cert as a signing CA so the jar signature can be verified (see the blog post).
Your ruleset follows the specification strictly. I had to remove some comments I added to the ruleset as it failed.
Remove the http:// from the location
Related
In java 8 to setup a security provider I just needed to add the provider to the java.security file and add the provider external library to lib/ext. Since external libraries are not allowed in further versions how can I add a provider on jdk11?
Until now I tried to add the provider to the java.security file in conf/security folder.
security.provider.1=nCipherKM
I inserted the new provider on top of the list but when I try to .getInstance("providerExample") I still get a NoSuchProviderException.
java.security.NoSuchProvidIrException: no such provider: nCipherKM
The lib jar itself, I do not know where do I have to put or how can I include it to be recognized. If I create a lib/ext folder he says to use -classpath instead but also have no clue on that.
Thank you
EDIT: To complete my question I forgot to mention that im using thorntail and maven 3.6.1 to build the project. The error I get is related to this line:
KeyStore.getInstance("ncipher.sworld", "nCipherKM");
As I said before, when I had java 8 I only had to add the security.provider to the java.security and the nCipherKM.jar to $JAVA_HOME/lib/ext folder.
Background
I am trying to use bouncy castle library to decrypt private keys in my war. Now I tested the code first in a standalone app and it worked fine. Now when I am testing it as a webapp in Wildfly8.0 am facing some issues with Bouncy castle.
The Wildfly 8.0 am using has bouncy castle provider module installed. The BC version being used in v1.46.
The code that I have developed uses v1.51.
I have followed the steps mentioned here:
https://developer.jboss.org/thread/175395
bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC - Specifically followed instructions provided in For a specific deployment (preferred)
Already tried
Installing the JCE policy files.
Adding to the provider list.
Problem
The error I am getting is :
unable to read encrypted data: JCE cannot authenticate the provider BC
And the code which triggers the above error, in as follows :
PKCS8EncryptedPrivateKeyInfo kp = (PKCS8EncryptedPrivateKeyInfo) keyPair;
InputDecryptorProvider pkcs8dec = new JceOpenSSLPKCS8DecryptorProviderBuilder()
.setProvider(new BouncyCastleProvider())
.build("somepass".toCharArray());
PrivateKeyInfo pko = kp.decryptPrivateKeyInfo(pkcs8dec);<-- ##Error here
Also to add the details,in my pom.xml I have added the jar with compile scope, so the libs are copied into the war and get installed in WEB-INF/lib.
Any tips to fix the above problem?
I. Combining the idea of Peter (#comment) and https://developer.jboss.org/thread/175395, create "your own bc version" with a custom name:
Create an 'my.bouncycastle' module in the following manner:
Under $JBOSS_HOME/modules, create directory 'my/bouncycastle/main'. Directory 'my' might not be there. ;)
Copy bcprov-[your-version].jar into my/bouncycastle/main
Create file 'bcprov-[your-version].jar.index' in my/bouncycastle/main, which is basically the output of a jar -tf command without the ".class" lines. (pipe&edit...)
I put a blank line at the top because these .index files always seem to have one. I have attached this file as "bcprov-jdk16-1.46.jar.index".
Create a file called "module.xml", also in my/bouncycastle/main, which will point to the jar file and reference module "javax.api" as a dependency.
I have attached this file as 'module.xml'.
The module is complete.
Since I am deploying in an EAR file, I had to add a module dependency entry to my EAR's META-INF/jboss-deployment-structure.xml file, under the section, like so:
(the statement also applies to WAR files, when deployed on top-level, use the custom name as module reference)
<deployment><dependencies><module name="my.bouncycastle" slot="main" export="true"/>
Make certain that the ear's /lib directory does NOT contain bcprov-[your-version].jar. (actually II.)
Notes:
The 'slot="main" and 'export="true" parameters are very important in the jboss-dependency-structure.xml file...
II. Adjust your maven dependency(ies) to:
<scope>provided</scope>
Note: Don't change the maven dependecy(ies group artifacts) to "my.bouncycastle", only the scope, this will ensure you a nice compile-time-behavior by the most IDE's AND will prevent your (maven-)war/jar/ear-plugin from packaging it into libs! (And which would be anyway the correct scope for a dependency like this.)
I know there's a guide on how to create a libGDX applet, but I feel it's highly outdated and somewhat confusing. Here's what I've already done:
Created applet class in my desktop project:
public class DesktopApplet extends LwjglApplet {
private final static LwjglApplicationConfiguration DEFAULT_CONFIG =
new LwjglApplicationConfiguration() {
{
width = 512;
height = 512;
}
};
public DesktopApplet() {
super(new Core(),DEFAULT_CONFIG);
}
private static final long serialVersionUID = -1916205038641068252L;
}
Exported desktop project as a regular jar. Added the project's jar (along with gdx and all lwjgl jars in "applet/basic" folder).
Created a html file, based on basic lwjgl applet and the tutorial:
<applet code="org.lwjgl.util.applet.AppletLoader" archive="lwjgl_util_applet.jar" codebase="." width="512" height="512">
<!-- Name of Applet, will be used as name of directory it is saved in, and will uniquely identify it in cache -->
<param name="al_title" value="mygametitle">
<!-- Main Applet Class -->
<param name="al_main" value="my.packages.desktop.DesktopApplet">
<!-- List of Jars to add to classpath -->
<param name="al_jars" value="mygamejar.jar, gdx.jar, gdx-backend-lwjgl.jar, lwjgl_applet.jar, lwjgl.jar, jinput.jar, lwjgl_util.jar">
<!-- signed windows natives jar in a jar -->
<param name="al_windows" value="gdx-natives.jar, gdx-backend-lwjgl-natives.jar, windows_natives.jar">
<!-- signed linux natives jar in a jar -->
<param name="al_linux" value="gdx-natives.jar, gdx-backend-lwjgl-natives.jar, linux_natives.jar">
<!-- signed mac osx natives jar in a jar -->
<param name="al_mac" value="gdx-natives.jar, gdx-backend-lwjgl-natives.jar, macosx_natives.jar">
<!-- signed solaris natives jar in a jar -->
<param name="al_solaris" value="gdx-natives.jar, gdx-backend-lwjgl-natives.jar, solaris_natives.jar">
Created a keystore file. Deleted default lwjgl signing (META-INF folders), added timestamps to the signing command, created a bash script for jar signing and - finally - signed all jars. While signing produces no errors, jarsigner -verify returns one warning "This jar contains entries whose certificate chain is not validated." and I'm not sure how to get rid of it. Here's my signing command: jarsigner -keystore .keystore -digestalg SHA1 -tsa http://timestamp.comodoca.com/rfc3161 -storepass mypass $jar gdxkey.
Changed Java security level to medium. It allowed me to - finally - run the applet without security errors (thanks kabb!).
The applet... doesn't work. It stays that an error occurred when "Switching applet". I'm not sure if I exported the right projects - should I include a jar with desktop project or just the core and manually add all assets and libraries?
The issue is that the applet is self signed. As of JDK7u51, self signed and unsigned applications are blocked if your java security settings are set to high or above. You can read more about this here.
To be able to test your applet, you can simply go to the java control panel, go to the security tab, and set the security level to medium.
However, if you wish for other people to be able to run your applet without having to go through the hassle of changing their security settings, you'll have to get a certificate by a Certificate Authority, and sign your applet using that. Unfortunately, this costs money, and there is no workaround to it that I know of.
If you want to run your game in a browser, you could consider using GWT instead. LibGDX has some tutorials on it's wiki on how to setup a project with GWT. However, it could be a hassle, especially if you're using libraries not supported by GWT.
I'd like to bundle some jar files built with Gradle 1.6 as part of a Java webstart application.
I can currently sign the jars correctly with a certificate and specify the codebase and permissions attributes for the produced artifacts by using the standard jar task like so:
jar {
manifest.attributes provider: 'tribe7.net'
manifest.attributes permissions: 'all-permissions'
manifest.attributes codebase: '*'
}
This is because the latest Java webstart version in Oracle's JDK/JRE makes these attributes mandatory or else it complains to the user about the application's security.
Preventing RIAs from Being Repurposed
However, my artifact jars have third party dependencies (for example, slf4j) and I have yet to find an intuitive way to include these atributes in such third party jars. With this in mind, my final webstart application structure looks sort of like this:
./build/webstart/my.jnlp
./build/webstart/lib/myartifactA-1.00.jar
./build/webstart/lib/myartifactB-1.00.jar
./build/webstart/lib/myartifactC-1.00.jar
./build/webstart/lib/slf4j-api-1.7.5.jar
The result is that at runtime, webstart doesn't complain about my artifacts but does so for the third party jars because they obviously don't have the attributes in their manifest file:
Missing Codebase manifest attribute for: file:/C:/build/webstart/lib/slf4j-api-1.7.5.jar
Missing Permissions manifest attribute for: file:/C:/build/webstart/lib/slf4j-api-1.7.5.jar
Missing Codebase manifest attribute for: file:/C:/build/webstart/lib/slf4j-simple-1.7.5.jar
Missing Permissions manifest attribute for: file:/C:/build/webstart/lib/slf4j-simple-1.7.5.jar
Since I don't directly control the manifest generation for the third party jars I have to somehow modify the manifest files present inside the build/webstart/lib directory to explicitly include those attributes in order to make webstart happy.
Is there a way to add attributes to a jar file's manifest with Gradle? In case anyone's interested, this is my Gradle build script:
build.gradle
Thanks for your time and help!
UPDATE
Peter's answer worked! This is the updated code:
ant.jar(destfile: it, update: true) {
delegate.manifest {
attribute(name: 'permissions', value: 'all-permissions')
attribute(name: 'codebase', value: '*')
}
}
ant.signjar(
destDir: webstartSignedLibPath,
alias: project.getProperty('jarsign.keystore.alias'),
jar: it,
keystore: project.getProperty('jarsign.keystore.path'),
storepass: project.getProperty('jarsign.keystore.password'),
preservelastmodified: 'true'
)
Thanks!
To set these attributes, you'll have to unpack the Jars, edit the manifests (using Groovy), and repack the Jars. Alternatively, you could try to overwrite the manifests with ant.jar(update = true), although overwriting a file (without adding a duplicate) doesn't seem to be supported (see duplicate attribute in the Ant docs). Merging the Jars (in one way or another) might be another option.
I need a HTTPS Maven repository URL for spring source to configure in my pom.xml:
Right now I use the following http urls:
http://repository.springsource.com/maven/bundles/release
http://repository.springsource.com/maven/bundles/external
Another option to improve security is that you always verify the SHA-1 checksum after you have downloaded a dependency. Maven Central provides Spring artifacts for all released versions, as well as their corresponding SHA-1 checksums, e.g. spring-core:
spring-core-3.2.3.RELEASE.pom 230116bb23132569443ac0479c8ac7e33e9662e7
spring-core-3.2.3.RELEASE.jar accdd65db57e79e49f2af037bb76f5a55a580f00
On Ubuntu, you can use the sha1sum command:
sha1sum spring-core-3.2.3.RELEASE.jar
On Mac you can use the openssl sha1 command:
openssl sha1 spring-core-3.2.3.RELEASE.jar
Same links like you used just use HTTPS:
https://repository.springsource.com/
https://repository.springsource.com/maven/bundles/release
https://repository.springsource.com/maven/bundles/external
Added after the comment
You should import the following 3 certificates in the trust store and to configure Java to use it: