
Java Forum / Security / November 2003


JCE Code Signing CA WebStart

JC - 21 Nov 2003 19:50 GMT
Hello,

I'm trying to load a JCE library signed by Bouncy Castle. This
certificate is in turn signed by "JCE Code Signing CA".

However the problem I'm having is that WebStart's cacert file does not
contain the "JCE Code Signing CA" and so does not enable the lib to
get out of the sandbox. WebStart also does not permit me to sign this
jar. It will complain that it is using a jar that is signed more than
once.

So what I would like to do is add this "JCE Code Signing CA" to WebStart's
cacert file, but where do I get the certificate for "JCE Code Signing
CA"? Should it not be public and downloadable?

Does anyone have a better solution than this?

Thanks,

Jean-Claude Cote
High Performance Computing / Calcul de haute performance
National Research Council Canada / Conseil national de recherches
Canada
www.grid.nrc.ca
Michael Amling - 21 Nov 2003 23:53 GMT
> Hello,
>
[quoted text clipped - 4 lines]
> contain the "JCE Code Signing CA" and so does not enable the lib to
> get out of the sandbox.

> WebStart also does not permit me to sign this
> jar. It will complain that it is using a jar that is signed more than
> once.

  If all that's stopping you from signing it yourself is the existing
signature, you could remove the existing signature.

> So I would like to do is add this "JCE Code Signing CA" to WebStart's
> cacert file but where do I get the certificate for "JCE Code Signing
> CA"? Should it not be public and downloadable?
>
> Anyone has a better solution than this?

--Mike Amling
Jean-Claude Cote - 24 Nov 2003 18:01 GMT
Correct me if I'm wrong, but providers that provide implementations for JCE
services must be digitally signed and should be signed with a certificate
issued by "trusted" Certification Authorities. Currently, the following two
Certification Authorities are considered "trusted":
 a. Sun Microsystems' JCE Code Signing CA, and
 b. IBM JCE Code Signing CA.
Is this something you've done and works?

Jean-Claude Cote - 24 Nov 2003 18:26 GMT
Well, since it is simple enough to try, I did. Here is the exception I got
when I tried using the Bouncy Castle:

java.lang.SecurityException: The provider BC may not be signed by a trusted party
    at javax.crypto.SunJCE_b.a(DashoA6275)
    at javax.crypto.Cipher.a(DashoA6275)
    at javax.crypto.Cipher.getInstance(DashoA6275)
    at ca.gc.nrc.gip.tools.OpenSSLKey.getCipher(OpenSSLKey.java:339)
    at ca.gc.nrc.gip.tools.OpenSSLKey.encrypt(OpenSSLKey.java:247)
    at ca.gc.nrc.gip.tools.OpenSSLKey.encrypt(OpenSSLKey.java:225)
    at ca.gc.nrc.gip.tools.GridCertRequest.genCertificateRequest(GridCertRequest.java:376)
    at ca.gc.nrc.gip.applets.CertReqApplet.actionPerformed(CertReqApplet.java:267)
    at java.awt.Button.processActionEvent(Unknown Source)
    at java.awt.Button.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)

Jean-Claude Cote - 24 Nov 2003 18:27 GMT
OK, I found it!

Now, in order for JWS to accept BC's JCE jar, it needs to trust the CA
that gave BC its signing certificate. That is, it needs to trust Sun's "JCE
Code Signing CA" certificate.
OK, so I imported this certificate in JWS, but no success. I even verified
that the certificate used to sign the jar matches the CA cert in my JWS
keystore like so:

jarsigner -verbose -certs -verify -keystore "JWS\cacerts" "tomcat\webapps\wsapp\jce-jdk13-117.jar"

When jarsigner is invoked this way, it will display any match between
certificates used to sign the jar and certificates found in the keystore.

Any ideas what else I could do to find out why JWS does not grant full
permissions to jce-jdk13-117.jar?

Thanks

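As an added example (not code from this thread, from Sun or from Bouncy Castle), the following Java program does by hand what the jarsigner run above reports, and then goes one step further: it reads every entry of the signed jar, collects the signer certificate chains, and validates each chain against the trust anchors in a keystore with the standard PKIX validator, so it reports whether the chain actually validates rather than only whether a matching certificate is present. The jar path, keystore path and store password are command-line arguments; the class name JarTrustCheck is made up for this example.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

/** Reports whether each signer chain in a jar anchors in a given truststore (e.g. Web Start's cacerts). */
public class JarTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) { System.err.println("usage: JarTrustCheck <signed.jar> <cacerts> <storepass>"); System.exit(2); }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        // The keystore's trusted-certificate entries become the PKIX trust anchors.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline check; enable once CRL/OCSP access is available
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        Set<CertPath> chains = new HashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) { // verify=true: entry digests are checked on read
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume to trigger signature verification */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println("UNSIGNED : " + e.getName()); continue; }
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath());
            }
        }
        for (CertPath chain : chains) {
            X509Certificate leaf = (X509Certificate) chain.getCertificates().get(0);
            try {
                validator.validate(chain, params); // fails if no anchor, bad chain signature, or expired cert
                System.out.println("TRUSTED  : " + leaf.getSubjectX500Principal());
            } catch (CertPathValidatorException ex) {
                System.out.println("UNTRUSTED: " + leaf.getSubjectX500Principal() + " (" + ex.getMessage() + ")");
            }
        }
    }
}
```

A chain whose signing certificate has expired fails PKIX validation even when it anchors in the keystore, which jarsigner reports only as a warning; compare the two outputs when they disagree.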
