Discussion:
Sign “bcprov-ext-jdk16-140.jar” with new permission attribute
Khalil bezzine
2014-01-16 14:05:28 UTC
I have an applet which depends on many jars. After I updated Java to
7.45 the applet generates a message saying “*This application will be blocked
in a future Java security update because the JAR file manifest does not
contain the Permissions attribute*”. I added the permission attribute “*Permissions:
all-permissions*” to all manifest files; after that I re-signed all these
jars with our "6NRJ" certificate.

All jars were well signed but unfortunately the applet generates an exception
only in "bcprov-ext-jdk16-140.jar".

Here are the exception details:

java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:101)
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:249)
    at org.bouncycastle.cms.CMSEnvelopedHelper.createKeyGenerator(Unknown Source)
    at org.bouncycastle.cms.CMSEnvelopedHelper.createSymmetricKeyGenerator(Unknown Source)
    at org.bouncycastle.cms.CMSEnvelopedDataGenerator.generate(Unknown Source)
    at com.atexo.mpe.applet.AppletDiagnostic.init(AppletDiagnostic.java:142)
    at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.util.jar.JarException: http://wma-migration.whitecapetech.local/ressources/applet/bcprov-ext-jdk16-140.jar is not signed by a trusted signer.
    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:503)
    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:98)
    ... 8 more

I think that bcprov-ext-jdk16-140.jar was signed before by Bouncy Castle.

Is there a way to re-sign "bcprov-ext-jdk16-140.jar" after adding the
permission attribute?

Thanks in advance for help.
--
*Best Regards,*
* --------------------------------------**-**-**-**-*
*| Mohamed Khalil BEZZINE*
*| Computer science engineer *
*| Phone : (+216) 52 86 21 07 *
* --------------------------------------**-**-**-**-*
David Hook
2014-01-16 22:39:33 UTC
I would *strongly* recommend moving to 1.50. Apart from anything else, that
will fix the problem.

If you are unable to do this, email me off list and I'll see if I can
organise something for you.

Regards,

David
Khalil bezzine
2014-01-17 11:24:09 UTC
Thank you for your answers...

I did that but unfortunately it didn’t work. The same exception occurred...

Please, is there another way?
Post by Michel Gerdes
Did you try to remove META-INF/BOUNCYCASTLE.MF and
META-INF/BOUNCYCASTLE.RSA (or whatever they are named, do not remove
META-INF/MANIFEST.MF) before re-signing? When you alter the
META-INF/MANIFEST.MF file you might have to re-sign the JAR using the
same certificate you are using for your applet.
Anyway, you should update to the current release.
Cheers,
Michel
--
Dipl.-Inf. Michel Gerdes (CAT-Team), Phone +49 40 808077 655
DFN-CERT Services GmbH, https://www.dfn-cert.de, Fax +49 40 80 80 77 556
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstraße 5, 20097 Hamburg, Germany, CEO: Dr. Klaus-Peter Kossakowski
21st DFN Workshop "Sicherheit in vernetzten Systemen"
on 18/19 February 2014 at the Grand Elysee Hotel in Hamburg
3rd DFN Workshop Datenschutz
on 9/10 December 2014 at the Grand Elysee Hotel in Hamburg
--
*Best regards,*
* --------------------------------------**-**-**-**-*
*| Mohamed Khalil BEZZINE*
*| R&D software engineer *
*| Tel: (+216) 52 86 21 07 *
* --------------------------------------**-**-**-**-*
Albert ciff
2014-01-17 11:45:07 UTC
Hi Khalil,

In order to execute a jar which contains a crypto provider as an applet,
you need to sign this jar twice.

The first signature (crypto provider) must be done with a specific certificate
issued by Oracle
(http://www.oracle.com/technetwork/java/javase/tech/getcodesigningcertificate-361306.html).

The second signature is for the Java plugin security execution requirements and
could be done with certificates issued by any recognized CA vendor (such as
VeriSign and so on...).

The Bouncy Castle bcprov-ext-jdk16-140.jar is signed with an Oracle JCE code
signing certificate, but when you change the manifest to add some
parameters you break this signature. In order to avoid this exception
you need to sign your jar also with JCE code signing.

Regards,
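
Added example (not part of the original thread, and not Bouncy Castle or JDK code): the effect Albert describes, where editing the manifest invalidates the existing signature, shows up when the digests in a `.SF` header are compared with the current `MANIFEST.MF`. The jar, the signer name `SIGNER.SF` and the entry name are constructed; only the `.SF` header digests are checked, not per-entry sections or the signature block, which `jarsigner -verify` covers.

```python
import base64, hashlib, io, re, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
HEADER_RE = re.compile(r"^(SHA-?\d+)-Digest-(Manifest(?:-Main-Attributes)?): (\S+)$", re.M)

def b64digest(alg, data):
    return base64.b64encode(hashlib.new(alg.replace("-", "").lower(), data).digest()).decode()

def main_section(manifest):  # main attributes end at the first blank line (inclusive)
    return re.match(rb".*?\r?\n\r?\n|.*", manifest, re.S).group(0)

def check_sf_headers(jar_bytes):
    """Map each META-INF/*.SF to {digest attribute: still matches MANIFEST.MF}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read(MANIFEST)
        covered = {"Manifest": manifest, "Manifest-Main-Attributes": main_section(manifest)}
        for name in jar.namelist():
            if re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                text = jar.read(name).decode("utf-8").replace("\r\n", "\n")
                header = text.replace("\n ", "").split("\n\n")[0]  # unfold wrapped lines
                out[name] = {f"{alg}-Digest-{part}": b64digest(alg, covered[part]) == value
                             for alg, part, value in HEADER_RE.findall(header)}
    return out

def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(name, data)
    return buf.getvalue()

def constructed_signed_jar():
    # Constructed sample: a manifest plus a .SF header, with no real signature block.
    manifest = (b"Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
                b"Name: org/example/Provider.class\r\nSHA-256-Digest: "
                + b64digest("SHA-256", b"constructed").encode() + b"\r\n\r\n")
    main = "SHA-256-Digest-Manifest-Main-Attributes: " + b64digest("SHA-256", main_section(manifest))
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64digest('SHA-256', manifest)}\r\n"
          f"{main[:70]}\r\n {main[70:]}\r\n\r\n")  # long attribute wrapped onto a second line
    return build_jar([(MANIFEST, manifest), ("META-INF/SIGNER.SF", sf)])

def add_permissions(jar_bytes):
    """Add the Permissions attribute to the main section; .SF files stay untouched."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = {n: jar.read(n) for n in jar.namelist()}
    attr = b"\r\nPermissions: all-permissions\r\n\r\n"
    entries[MANIFEST] = entries[MANIFEST].replace(b"\r\n\r\n", attr, 1)
    return build_jar(entries.items())
```

`check_sf_headers(constructed_signed_jar())` reports both header digests as matching; after `add_permissions` both are stale, so a signer whose `.SF` was written before the edit no longer vouches for the manifest as it now stands.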

Khalil bezzine
2014-01-17 16:28:23 UTC
Thank you very much Albert,

Your quick response solved my problem.