4

I have an applet which is used to sign and encrypt files. After updating Java to 7u45, my applet receives a warning message saying: "This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute"

Then I added the following attributes:

```
Permissions: all-permissions
Application-Library-Allowable-Codebase: *
Application-Name: Signature-Chiffrement
Caller-Allowable-Codebase: *
Codebase: *
```

to the main jar and all jar dependencies. After that I re-signed all jars.

However, the warning message didn't disappear because "bcprov-ext-jdk16-140.jar" is not signed by a trusted signer. Here is the exception:

```
java.security.NoSuchProviderException: JCE cannot authenticate the provider BC ....
Caused by: java.util.jar.JarException: bcprov-ext-jdk16-140.jar is not signed by a trusted signe…
```

Apparently "bcprov-ext-jdk16-140.jar" was signed by Bouncy Castle. I tried to use another Bouncy Castle jar, but unfortunately none of these jars contains the permission attribute.

  • Is there a way to add the permission attribute to "bcprov-ext-jdk16-140.jar", which was previously signed by Bouncy Castle? Or to get a new bcprov-ext JAR having the needed manifest attributes?
  • Is it possible to add the permission attribute in one place, such as our main jar, which depends on the other jars?

Thanks in advance for your help

Khalilos
  • I have the same issue with the mssql driver; take a [look](http://stackoverflow.com/questions/20431623/java-web-start-manifest-issue) at my workaround – nachokk Jan 08 '14 at 14:37

2 Answers

3

In order to execute a Bouncy Castle jar which contains a crypto provider as an applet, we need to sign this jar twice.

The first signature (crypto provider) must be done with a specific certificate issued by Oracle (http://www.oracle.com/technetwork/java/javase/tech/getcodesigningcertificate-361306.html)

The second signature is for the Java plugin security execution requirements and can be done with certificates issued by any recognized CA vendor (such as Verisign and so on...).

The Bouncy Castle bcprov-ext-jdk16-140.jar is signed with an Oracle JCE code signing certificate, but when we change the manifest to add some parameters we break this signature. In order to avoid this exception we also need to sign our jar with JCE code signing.

Khalilos
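The answer above says that editing the manifest of an already-signed jar breaks the existing signature. The following is an added example, not part of the original answer: it compares the whole-manifest digest recorded in each `META-INF/*.SF` file with the `MANIFEST.MF` now in the jar. The sample jar, the `BCKEY.SF` entry name and the helper names are constructed for illustration, and this checks one digest only; it is not full signature verification (`jarsigner -verify` does that).

```python
import base64, hashlib, io, re, zipfile

def main_attrs(text):
    """Parse the main section of a manifest or .SF file (up to the first blank line)."""
    attrs, key = {}, None
    for line in re.split(r"\r\n|\n|\r", text):
        if not line:
            break
        if line.startswith(" ") and key:        # continuation of a wrapped value
            attrs[key] += line[1:]
        else:
            key, _, value = line.partition(": ")
            attrs[key] = value
    return attrs

def inspect_jar(data):
    """Report Permissions and, per .SF file, whether its manifest digest still matches."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF")
        report = {"permissions": main_attrs(manifest.decode("utf-8")).get("Permissions"),
                  "signers": {}}
        for name in jar.namelist():
            if not re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                continue
            sf = main_attrs(jar.read(name).decode("utf-8"))
            status = "no whole-manifest digest"
            for key, recorded in sf.items():
                m = re.fullmatch(r"(.+)-Digest-Manifest", key)
                if m:
                    algo = m.group(1).replace("-", "").lower()   # SHA-256 -> sha256
                    actual = base64.b64encode(hashlib.new(algo, manifest).digest()).decode()
                    status = "match" if actual == recorded else "manifest changed after signing"
            report["signers"][name] = status
        return report

def build_jar(manifest, signed_manifest):
    """Constructed sample: a jar whose BCKEY.SF (assumed name) was made over signed_manifest."""
    digest = base64.b64encode(hashlib.sha1(signed_manifest).digest()).decode()
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {digest}\r\n\r\n".encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/BCKEY.SF", sf)
    return buf.getvalue()

ORIGINAL = b"Manifest-Version: 1.0\r\n\r\n"   # constructed: manifest as the signer saw it
EDITED = b"Manifest-Version: 1.0\r\nPermissions: all-permissions\r\nCodebase: *\r\n\r\n"
if __name__ == "__main__":
    print(inspect_jar(build_jar(EDITED, ORIGINAL)))
```

To check a real file, pass its bytes: `inspect_jar(open(path, "rb").read())`.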
1

I recently had this problem. My solution (maybe not the best, I accept suggestions) was:

  • Delete everything except the MANIFEST.MF inside the META-INF directory in all my applet jars, even the 3rd-party ones
  • Sign my jars again with our corporate certificate using a simple ant script

http://ant.apache.org/manual/Tasks/signjar.html

Would that work for you?

Jorge_B
  • Thanks for your response. I deleted all files in the META-INF directory except MANIFEST.INF, then I re-signed all jar files with our certificate. Unfortunately the error persists only in the Bouncy Castle jar "bcprov-ext-jdk16-140.jar". Here is the exception: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC .... Caused by: bcprov-ext-jdk16-140.jar is not signed by a trusted signer. – Khalilos Jan 08 '14 at 14:51
  • You have signed it again with some certificate. Is that certificate trusted by the machine in which you run the code? – Jorge_B Jan 08 '14 at 14:53
  • Please, what does "certificate trusted by the machine in which you run the code" mean? In fact I don't have the source code, I have just the jar files. To modify the manifest directory I use the WinRAR program, then I sign the jar with our "6NRJ" certificate. Thanks for the help – Khalilos Jan 08 '14 at 15:14
  • Ok, what I did was to sign all the jars we used in our applet with the `signjar` ant task that I told you about before. This way, the JRE stopped whining about certificates... Your application trusts every certificate it finds in its cacerts keystore in the JRE directory, or you can tell it to use another keystore by code (I have done it in some webservice clients with Axis or CXF, but I don't know how to apply it to your particular case :S ) – Jorge_B Jan 08 '14 at 15:19