I am having trouble getting an applet to work on an HTML page. When I remove the socket connection from the applet class and test the applet on an HTML page, the applet displays, but when I add the socket connection back into the class file the applet doesn't display and the Java console appears with no stack trace. I'm sure this is a security reason because I'm using socket connections, so what I did was create a signed jar file and place that in the applet tag like so:
<APPLET codebase="classes" archive="captureaudio/AppletTest.jar" code="captureaudio/AppletTest.class" width=350 height=200></APPLET>
But creating this signature has not worked.
Can somebody help me with this?
UPDATED
In response to Andrew Thompson
No, I'm not prompted to accept digitally signed code.
No, I'm currently testing the applet locally.
Yes, the applet is trying to connect back to the server; the server is running locally.
I'm not sure; the Java console isn't showing me any exceptions.
HOW I CREATED THE SIGNED JAR FILE
The namespace of my Applet is captureaudio.AppletTest class
At the cmd prompt, where the class file is located:
You need to use keytool.exe; here is where I found how to create a jar signature for applets: www.xinotes.org/notes/note/434/
jar -cf AppletTest.jar AppletTest.class
>jarsigner AppletTest.jar MyCert
Warning: This jar contains entries whose signer certificate will expire within six months
>jarsigner -verify -verbose -certs AppletTest.jar
s k 153 Thu Oct 13 11:28:38 BST 2011 META-INF/MANIFEST.MF
X.509, CN=xxxxx, OU=None, O=None, L=xxxxx, ST=xxxxx, C=GB (myce
rt)
[certificate will expire on 10/01/12 20:55]
315 Thu Oct 13 11:28:40 BST 2011 META-INF/MYCERT.SF
1352 Thu Oct 13 11:28:40 BST 2011 META-INF/MYCERT.RSA
0 Thu Oct 13 11:28:10 BST 2011 META-INF/
smk 11015 Thu Oct 13 10:49:08 BST 2011 AppletTest.class
X.509, CN=xxxxxx, OU=None, O=None, L=xxxxxxxx, ST=xxxxx, C=GB (myce
rt)
[certificate will expire on 10/01/12 20:55]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
JAVA CONSOLE
Java Plug-in 10.0.0.147
Using JRE version 1.7.0-b147 Java HotSpot(TM) Client VM
User home directory = C:\Users\xxxxxxx
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to
Detected from bootclasspath: C:\PROGRA~1\Java\jre7\lib\deploy.jar
UPDATE
Folder locations
web root>
------AppletTest.jar
------classes>
-----------captureaudio>
---------------------AppletTest.class
Use the Java Network Launching Protocol (JNLP). That is the right way to distribute your applet. And yes, it must be signed to access the socket functionality.
http://en.wikipedia.org/wiki/Java_Web_Start#Java_Network_Launching_Protocol_.28JNLP.29
http://www.oracle.com/technetwork/articles/javase/jnlp-142088.html
Related
I need to fix the problem of
SecurityException: Can not initialize cryptographic mechanism
Following up on OpenJDK 11 error "Can not initialize cryptographic mechanism", as its answer is unable to solve my problem
inspecting java.security.properties from within running JVM:
System.getProperty("java.security.properties");
It should be present and pointing at a file. Inspect that file and make sure it has the following property crypto.policy=unlimited and the folder called unlimited is available from where the policy file is.
However, I got null output for both java under Windows and Linux.
The above answer said that
it is <jre_home>/conf/security/policy/
and my situation is that I don't have jre however I do have the /conf/security/policy/ directory under java_home, for both java under Windows and Linux.
Directory of C:\Program Files\OpenJDK\jdk-18.0.1.1\conf\security\policy
04/25/2022 04:59 PM <DIR> .
04/25/2022 04:59 PM <DIR> ..
04/25/2022 04:59 PM <DIR> limited
04/25/2022 04:59 PM 2,390 README.txt
04/25/2022 04:59 PM <DIR> unlimited
1 File(s) 2,390 bytes
$ ls -l /home/foo/.sdkman/candidates/java/17.0.3-oracle/conf/security/policy
total 4
-rw-r----- 1 foo foo 2390 2022-03-09 17:40 READfoo.txt
drwxrwx--x 1 foo foo 4096 2022-06-03 12:45 limited
drwxrwx--x 1 foo foo 4096 2022-06-03 12:45 unlimited
See Cryptographic Strength Configuration ...and build the path with $JAVA_HOME.
On Linux the default paths are:
JDK8: $JAVA_HOME/jre/lib/security/java.security
JDK11: $JAVA_HOME/conf/security
JDK14: $JAVA_HOME/conf/security, mostly sym-linked to /etc/java-14-openjdk/security.
"Jurisdiction Policy File" java.security should have crypto.policy = unlimited set from JDK9 onwards; policies can be found $JAVA_HOME/conf/security/unlimited/default_US_export.policy.
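An added diagnostic for the question above (not code from either poster or from the JDK): it prints the effective `crypto.policy` security property, checks the policy directory under `java.home` that the answers refer to, and asks JCE for the maximum AES key length. The class name `CryptoPolicyCheck` is made up for this example, and the `conf/security` layout is the JDK 9+ one shown in the question's directory listings.

```java
import java.nio.file.*;
import java.security.Security;
import javax.crypto.Cipher;

public class CryptoPolicyCheck {   // hypothetical class name, not part of the JDK
    public static void main(String[] args) {
        // System property: set only when the JVM was started with
        // -Djava.security.properties=<file>, so null just means "no override file".
        System.out.println("java.security.properties (-D override) = "
                + System.getProperty("java.security.properties"));

        // Security property: the effective value read from the java.security file.
        String policy = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy = " + policy);

        // JDK 9+ layout, as in the directory listings in the question.
        Path sec = Paths.get(System.getProperty("java.home"), "conf", "security");
        System.out.println(sec.resolve("java.security") + " exists: "
                + Files.isRegularFile(sec.resolve("java.security")));
        if (policy != null) {
            Path dir = sec.resolve("policy").resolve(policy);
            System.out.println(dir + " readable: "
                    + (Files.isDirectory(dir) && Files.isReadable(dir)));
        }

        // Forces JCE to load the jurisdiction policy; a broken setup fails here.
        try {
            int max = Cipher.getMaxAllowedKeyLength("AES");
            System.out.println("max AES key length = "
                    + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        } catch (Throwable t) {
            for (Throwable c = t; c != null; c = c.getCause()) {
                System.out.println("caused by: " + c);
            }
        }
    }
}
```

Run it with the same `java` binary and the same user account as the failing application, since the policy directory permissions and `java.home` are what differ between installs.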
After update to Java version7 update 51, I purchased the code signing certificate and signed my applet(s). I have main applet (AppletDemo.jar) and another two applets (commons-codec-1.7.jar and FDxSDKPro.jar) which are used by main applet. I signed them all, with DigiCert certificate.
All of them are signed and verified with the jarsigner tool, where I get this message:
*s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.*
When I try to load the applet I get the following message in the java debug console (the real url is replaced with tag):
basic: Plugin2ClassLoader.addURL parent called for <url>/fpApplet/AppletDemo.jar
basic: Plugin2ClassLoader.addURL parent called for <url>/fpApplet/FDxSDKPro.jar
basic: Plugin2ClassLoader.addURL parent called for <url>/fpApplet/commons-codec-1.7.jar
security: Certificate revocation enabled. Disable security validation optimizations.
security: Validate the certificate chain using CertPath API
security: Trust for: <url>fpApplet/FDxSDKPro.jar has ended: Thu Jan 01 01:00:00 CET 1970
security: Validate the certificate chain using CertPath API
security: Trust for: <url>/fpApplet/commons-codec-1.7.jar has ended: Thu Jan 01 01:00:00 CET 1970
security: Validate the certificate chain using CertPath API
network: Cache entry not found [url: <url>/fpApplet/, version: null]
security: Grant socket perm for <url>/fpApplet/ : java.security.Permissions#199a51e (("java.net.SocketPermission" "<url>" "connect,accept,resolve"))
basic: Your security settings have blocked an untrusted application from running
basic: exception: Your security settings have blocked an untrusted application from running.
com.sun.deploy.security.BlockedException: Your security settings have blocked an untrusted application from running
I assume, that Applet is blocked because of this and two following lines (Trust for: fpApplet/FDxSDKPro.jar has ended: Thu Jan 01 01:00:00 CET 1970).
I do not know how this can happen if jars are signed? Has anyone had such problems?
By default the Java security level in version 7 is high, so change the security to medium from the control panel. Follow the link http://www.java.com/en/download/help/jcp_security.xml
NB 7.4RC2, Win 7
In Java Control Panel, the "Keep Temporary Internet Files" checkbox is checked.
I am signing my Web Start application with trusted certificates.
However, the 3rd party jars in dist/lib seem to be unsigned.
"C:\Program Files (x86)\Java\jdk1.7.0_40\bin\jarsigner" -verify javafx-dialogs-0.0.3.jar
jar is unsigned. (signatures missing or not parsable)
So when I run my application in the debugger, it refuses to start complaining of unsigned jars
ExitException[ 3]com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar
I get the same error when I run with self signed jars, “Found unsigned entry in resource”. It is as if NetBeans stopped signing the jars.
I deleted all temporary files in the Java cache from Java Control Panel. Now it fails to run clicking both Run and Debug in the IDE, and also copying the dist folder to the desktop and clicking the jnlp file.
ExitException[ 3]com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: file:/C:/Users/me/Desktop/dist/lib/RXTXcomm.jar
while building:
Warning: The signer certificate will expire within six months.
Signing JAR:
C:\Users\me\Documents\NetBeansProjects\MyApp\dist\lib\RXTXcomm.jar to
C:\Users\me\Documents\NetBeansProjects\MyApp\dist\lib\RXTXcomm.jar as
my_key54321
while running:
network: Cache entry found [url: file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar, version: null] prevalidated=false/0
cache: Adding MemoryCache entry: file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar
cache: Resource file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar has expired.
network: ResponseCode for file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar : 200
network: Encoding for file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar : null
CacheEntry[file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar]: updateAvailable=false,lastModified=Wed Feb 04 19:07:10 CST 2009,length=60866
........
security: Trust for:
file:/C:/Users/me/Documents/NetBeansProjects/MyApp/dist/lib/RXTXcomm.jar
has ended: Wed Dec 31 18:00:00 CST 1969
Does anyone know what is causing this?
Update: In NetBeans, I selected Project Properties and under Run, selected Run As “default configuration”. Earlier, Run As “WebStart” was selected. Now it starts normally. Was it a NetBeans bug or a feature?
WebVPN Java Plugins fail to load after upgrade to Java 7 Update 45 with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource:
Conditions: Windows or Mac OSX machines using Java 7 Update 45.
Workaround: 1) Disable the option 'Keep temporary files on my computer' on the Java Control Panel -> General -> Settings. This works for both Mac OSX and Windows.
or
2) Downgrade Java to version 7 Update 40 or below
We have a Java application that uses RxTx to update the firmware of our game console. To avoid security alerts when users start the Java application on our website through WebStart, we have bought a trusted certificate and signed the application with that. All checks indicate that it is successfully signed, and if I launch the application via Safari on my Mac (OS X 10.6.8) with Java 1.6.0_41 it starts without any complaints.
But if I launch it using IE9 on a Windows 8 machine I get an alert saying "Do you want to run this application? This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher. This application's digital signature has expired. More Information".
If I click the More Information I get "This application will run with unrestricted access to your personal files and other facilities(webcam, microphone) on your computer.
Although the application has a digital signature, the application's associated file(JNLP) does not have one. A digital signature ensures that a file is from the vendor and that it has not been altered.
The digital signature was generated with a trusted certificate."
I have tried to find a solution how to not get this message and think what I need to do is sign the JNLP file(i.e. copy it into the jar as pointed out here) but what I cannot find is how to get NetBeans to do that! I'm using NetBeans 6.9.1. Anyone know how to do this and if it is enough to sign the JNLP?
To verify that the file was correctly signed I did the following:
jarsigner -verify -certs -verbose OribooDesktopClient.jar
6396 Thu Feb 28 17:14:14 CET 2013 META-INF/MANIFEST.MF
6354 Thu Feb 28 17:14:14 CET 2013 META-INF/MOVINTOF.SF
1843 Thu Feb 28 17:14:14 CET 2013 META-INF/MOVINTOF.RSA
0 Thu Feb 28 17:07:28 CET 2013 META-INF/
0 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/
0 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/resources/
0 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/resources/busyicons/
sm 3912 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/BBDatabase.class
X.509, CN=Movinto fun AB, O=Movinto fun AB, STREET=?rev?gen 138, L=?re, ST=J?mtland, OID.2.5.4.17=83013, C=SE
[certificate is valid from 2/28/13 1:00 AM to 3/1/14 12:59 AM]
sm 2497 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/Binary.class
X.509, CN=Movinto fun AB, O=Movinto fun AB, STREET=?rev?gen 138, L=?re, ST=J?mtland, OID.2.5.4.17=83013, C=SE
[certificate is valid from 2/28/13 1:00 AM to 3/1/14 12:59 AM]
....
The important part is:
This application's digital signature has expired.
See Appearance of Java Security dialog for details, but you should be expecting something like:
To remove the 'expired' message, the answer is to renew the certificate and sign the jars again. The dialog will still display words to the effect:
This application will run with unrestricted access which may put your computer
and personal information at risk. Run this application only if you trust the
publisher.
The differences will however be:
'Always trust' will default to true.
The yellow diamond with exclamation mark will be changed to something more friendly.
The 'digital signature has expired' message, along with the yellow shield image in the lower left, will be absent.
I get the following error on a self-signed jar:
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
Re-run with the -verbose and -certs options for more details.
I signed the jar like this:
"C:\Program Files\Java\jdk1.7.0\bin\jarsigner" -keystore myKeyStore myJar.jar myAlias
My jar has 2 entry points: One for java web start, and one for an applet.
If I run the jar in a java web start way, it has no incidence.
But if I run the jar as an applet, I get a strong security warning at some point when I try to access a bitmap resource embedded in the jar.
Using the -verbose and -certs options shows a lot of lines. And I don't understand anything of this. This is the output: output.txt (part of the 6307 lines reproduced below).
s 157850 Tue Nov 08 12:57:44 CET 2011 META-INF/MANIFEST.MF
X.509, O=keyja.com
[certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
[CertPath not validated: null]
112909 Tue Nov 08 12:57:44 CET 2011 META-INF/KEYJA_CO.SF
1108 Tue Nov 08 12:57:44 CET 2011 META-INF/KEYJA_CO.RSA
sm 180 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/k.class
X.509, O=keyja.com
[certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
[CertPath not validated: null]
sm 252 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/r.class
...
(around 6000 lines of other output along the same lines)
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
How to sign the jar file ?
Just one line answers your question, I guess. And if you look closer you'll see it. Here it is:
[certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
As I may hope, you know that today is not July 24 so you just have to re-sign your app
Thanks Andrew Thompson. I have unsigned my jar file, and found the bug. It's better unsigned you're right about this, because signing makes no point since I don't need to get out of the sandbox.
For the record, the bug was the use of the jnlp.jar library. In order to make it work, I launched the applet using jnlp/applet code instead of a standard tag.
I have exactly the same problem.
There is a change in the validation in the new Java 7 and Java 6 versions.
Bug id is : 6861062 java classes_security Disable MD2 in certificate chain validation.
When signing the jar file, I had some warning messages, and when executing the command:
jarsigner MyTools.jar -verify -verbose -certs
I had the message:
X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
[certificate is valid from 29.01.96 01:00 to 02.08.28 01:59]
[CertPath not validated: Algorithm constraints check failed: MD2withRSA]
My solution is :
- use another version of the JDK to sign and JRE Plugin.
- Update your certificate security in order not to use this algorithm.
I hope it will help you.
Regards
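An added example (not from any of the posts above) that checks a JAR for the three conditions these threads run into: entries with no signer ("Found unsigned entry in resource"), signer certificates outside their validity window, and MD2/MD5-signed certificates in the chain. `JarSignatureAudit` is a made-up class name; the JAR path is passed as the first argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class JarSignatureAudit {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        Date now = new Date();
        Set<String> findings = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF/
                // (manifest and signature files are never signed themselves).
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are known only after the entry is read to the end;
                // a modified entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    findings.add("UNSIGNED entry: " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    // A timestamped signature is judged at signing time, not today.
                    Date at = s.getTimestamp() != null ? s.getTimestamp().getTimestamp() : now;
                    for (Certificate c : s.getSignerCertPath().getCertificates()) {
                        X509Certificate x = (X509Certificate) c;
                        String who = x.getSubjectX500Principal().getName();
                        try {
                            x.checkValidity(at);
                        } catch (CertificateException ex) {
                            findings.add("NOT VALID at " + at + " (" + x.getNotBefore()
                                    + " .. " + x.getNotAfter() + "): " + who);
                        }
                        String alg = x.getSigAlgName().toUpperCase(Locale.ROOT);
                        if (alg.startsWith("MD2") || alg.startsWith("MD5")) {
                            findings.add("WEAK chain signature " + alg + ": " + who);
                        }
                    }
                }
            }
        }
        findings.forEach(System.out::println);
        System.out.println(findings.isEmpty() ? "no findings" : findings.size() + " finding(s)");
    }
}
```

`JarFile` verifies digests and signatures only; it does not build a trust chain or check revocation, so a self-signed JAR passes this check just as it passes `jarsigner -verify`.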