
List:       bouncycastle-crypto-dev
Subject:    [dev-crypto] Re: [dev-crypto] Re: [dev-crypto] Sign “bcprov-ext
From:       Khalil bezzine <bezzine.khalil () gmail ! com>
Date:       2014-01-17 16:28:23
Message-ID: CAHXVWdOXDJrgxBgzTsTNw7c-kcw-3Gw_QZ-Wusx6ENZOM5pdLQ () mail ! gmail ! com

Thank you very much Albert,

Your quick response solved my problem.


2014/1/17 Albert ciff <albert.ciffone@gmail.com>

> Hi Khalil,
>
> In order to execute a jar which contains a crypto provider as an applet,
> you need to sign this jar twice.
>
> The first signature (crypto provider) must be made with a specific
> certificate issued by Oracle (
> http://www.oracle.com/technetwork/java/javase/tech/getcodesigningcertificate-361306.html
> )
>
> The second signature is for the Java plugin security execution requirements
> and can be made with certificates issued by any recognized CA vendor (such
> as Verisign and so on...).
>
> Bouncy Castle bcprov-ext-jdk16-140.jar is signed with an Oracle JCE code
> signing certificate, but when you change the manifest to add some
> parameters you break this signature. In order to avoid this exception
> you need to sign your jar with JCE code signing as well.
>
> Regards,
>
>
> On Fri, Jan 17, 2014 at 12:24 PM, Khalil bezzine <bezzine.khalil@gmail.com> wrote:
>
>> Thank you for your answers...
>>
>> I did that but unfortunately it didn’t work. The same exception
>> occurred...
>>
>> Please, is there another way?
>>
>>
>> 2014/1/17 Michel Gerdes <gerdes@dfn-cert.de>
>>
>>> Did you try to remove META-INF/BOUNCYCASTLE.MF and
>>> META-INF/BOUNCYCASTLE.RSA (or whatever they are named, do not remove
>>> META-INF/MANIFEST.MF) before re-signing? When you alter the
>>> META-INF/MANIFEST.MF file you might have to re-sign the JAR using the
>>> same certificate you are using for your applet.
>>>
>>> Anyway, you should update to the current release.
>>>
>>> Cheers,
>>> Michel
>>>
>>>
>>> On 16.01.2014 15:05, Khalil bezzine wrote:
>>>
>>> > I have an applet which depends on many jars. After I updated Java to
>>> > 7.45 the applet generates a message saying “*This application will be blocked
>>> > in a future Java security update because the JAR file manifest does not
>>> > contain the Permissions attribute*”. I added the permission attribute “*Permissions:
>>> > all-permissions*” to all manifest files; after that I re-signed all these
>>> > jars with our "6NRJ" certificate.
>>> >
>>> > All jars were well signed, but unfortunately the applet generates an exception
>>> > only in "bcprov-ext-jdk16-140.jar".
>>> >
>>> > Here are the exception details:
>>> >
>>> > java.security.NoSuchProviderException: JCE cannot authenticate the provider BC
>>> >         at javax.crypto.JceSecurity.getInstance(JceSecurity.java:101)
>>> >         at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:249)
>>> >         at org.bouncycastle.cms.CMSEnvelopedHelper.createKeyGenerator(Unknown Source)
>>> >         at org.bouncycastle.cms.CMSEnvelopedHelper.createSymmetricKeyGenerator(Unknown Source)
>>> >         at org.bouncycastle.cms.CMSEnvelopedDataGenerator.generate(Unknown Source)
>>> >         at com.atexo.mpe.applet.AppletDiagnostic.init(AppletDiagnostic.java:142)
>>> >         at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
>>> >         at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
>>> >         at java.lang.Thread.run(Unknown Source)
>>> > Caused by: java.util.jar.JarException: http://wma-migration.whitecapetech.local/ressources/applet/bcprov-ext-jdk16-140.jar is not signed by a trusted signer.
>>> >         at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:503)
>>> >         at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
>>> >         at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
>>> >         at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
>>> >         at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
>>> >         at javax.crypto.JceSecurity.getInstance(JceSecurity.java:98)
>>> >         ... 8 more
>>> >
>>> > I think that bcprov-ext-jdk16-140.jar was signed before by Bouncy Castle.
>>> >
>>> > Is there a way to re-sign "bcprov-ext-jdk16-140.jar" after adding the
>>> > permission attribute?
>>> >
>>> > Thanks in advance for your help.
>>> >
>>>
>>>
>>> --
>>> Dipl.-Inf. Michel Gerdes (CAT-Team), Phone +49 40 808077 655
>>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Fax +49 40 80 80 77 556
>>> Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
>>> Sachsenstraße 5, 20097 Hamburg, Germany, CEO: Dr. Klaus-Peter Kossakowski
>>>
>>> 21st DFN Workshop "Sicherheit in vernetzten Systemen"
>>> on 18/19 February 2014 at the Grand Elysee Hotel in Hamburg
>>>
>>> 3rd DFN Workshop Datenschutz
>>> on 9/10 December 2014 at the Grand Elysee Hotel in Hamburg
>>>
>>
>>
>> --
>>
>> *Regards,*
>> * --------------------------------------**-**-**-**-*
>> *| Mohamed Khalil BEZZINE*
>> *| R&D software engineer     *
>> *| Tel: (+216) 52 86 21 07     *
>> * --------------------------------------**-**-**-**-*
>>
>
>


-- 

*Regards,*
* --------------------------------------**-**-**-**-*
*| Mohamed Khalil BEZZINE*
*| R&D software engineer     *
*| Tel: (+216) 52 86 21 07     *
* --------------------------------------**-**-**-**-*
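
The explanation quoted above rests on how a JAR signature is bound to the manifest: per the JAR file specification, each signer's .SF file carries a digest of the whole META-INF/MANIFEST.MF and, when the signer wrote one, a digest of its main attributes. The following added example (not from the thread or from Bouncy Castle) recomputes those two digests on a constructed JAR before and after adding `Permissions: all-permissions`; the signer name `VENDOR.SF` and the sample manifest are made up, and the per-entry digests and the signature block (.RSA/.DSA) are not checked.

```python
import base64, hashlib, io, re, zipfile

def digest_b64(header_algo: str, data: bytes) -> str:
    algo = header_algo.replace("-", "").lower()  # "SHA-256" -> "sha256"
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def main_section(data: bytes) -> bytes:
    # The main section runs up to and including the first blank line.
    m = re.search(rb"\r?\n\r?\n", data)
    return data[:m.end()] if m else data

def check_sf_digests(jar_bytes: bytes) -> dict:
    """Map each META-INF/*.SF to whether its manifest digests still match."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF")
        for name in jar.namelist():
            if not re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                continue
            # Unfold continuation lines (newline + space) in the .SF main section.
            head = re.sub(rb"\r?\n ", b"", main_section(jar.read(name))).decode()
            result = report[name] = {"manifest": None, "main_attributes": None}
            for line in head.splitlines():
                m = re.fullmatch(r"(.+)-Digest-Manifest(-Main-Attributes)?: (.+)", line)
                if m:
                    covered = main_section(manifest) if m.group(2) else manifest
                    key = "main_attributes" if m.group(2) else "manifest"
                    result[key] = digest_b64(m.group(1), covered) == m.group(3).strip()
    return report

def build_jar(manifest: bytes, sf: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/VENDOR.SF", sf)  # hypothetical signer name
    return buf.getvalue()

# Constructed sample, not the real Bouncy Castle JAR.
ORIGINAL_MF = b"Manifest-Version: 1.0\r\n\r\nName: Demo.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
MAIN_DIGEST = digest_b64("SHA-256", main_section(ORIGINAL_MF))
VENDOR_SF = ("Signature-Version: 1.0\r\n"
             f"SHA-256-Digest-Manifest: {digest_b64('SHA-256', ORIGINAL_MF)}\r\n"
             f"SHA-256-Digest-Manifest-Main-Attributes: {MAIN_DIGEST[:20]}\r\n"
             f" {MAIN_DIGEST[20:]}\r\n\r\n").encode()
EDITED_MF = ORIGINAL_MF.replace(b"1.0\r\n", b"1.0\r\nPermissions: all-permissions\r\n", 1)

if __name__ == "__main__":
    print("as shipped:", check_sf_digests(build_jar(ORIGINAL_MF, VENDOR_SF)))
    print("edited    :", check_sf_digests(build_jar(EDITED_MF, VENDOR_SF)))
```

A value of `None` means the .SF file has no such header; `False` for `main_attributes` means that signer's signature no longer verifies against the edited manifest.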
