Get rid of the "UNKNOWN" publisher from applet security warning
Problem description
I'm trying to sign an applet so that the publisher does not appear as "UNKNOWN" :
I work for an organisation and we have our own certification authority, certificate chain is the following : ORG Root CA > ORG Trusted Certification Authority > Yann39 (me :D)
I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.
Then I did the following to sign my applet :
/* TO KNOW THE ALIAS */
c:\testrep>keytool -list -storetype pkcs12 -keystore mystore.p12
Enter keystore password: ********
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
id de yann39, Oct 24, 2012, keyEntry,
Certificate fingerprint (MD5): D7:E3:83:1D:C1:40:68:72:5F:A8:6F:AC:3A:EA:DD:47
/* CREATE FAKE CLASS FILE AND BUILD A JAR */
c:\testrep>echo test > test.class
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jar cf0 test_applet.jar test.class
/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
updating: META-INF/MANIFEST.MF
adding: META-INF/ID_DE_YA.SF
adding: META-INF/ID_DE_YA.RSA
signing: test.class
/* VERIFY THE SIGNATURE */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs test_applet.jar
132 Wed Oct 24 17:49:52 CEST 2012 META-INF/MANIFEST.MF
185 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.SF
4801 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.RSA
0 Wed Oct 24 17:48:36 CEST 2012 META-INF/
sm 0 Wed Oct 24 17:47:46 CEST 2012 test.class
X.509, CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
X.509, CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
X.509, CN=ORG Root CA, DC=myorg, DC=ch
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
c:\testrep>
Then I load the applet in my application using the following:
<object id="mytestapplet" width="0" height="0" style="position:absolute" type="application/x-java-applet">
<param name="archive" value="https://myhost.ch/rep/test_applet.jar">
<param name="code" value="test">
<param name="scriptable" value="true">
<param name="mayscript" value="no">
</object>
I read some posts like this one: How to sign java applet with .pfx file? and it seems I should get smi when verifying the signed file from the jar, not only sm, which means the certificate was not found in the keystore.
So I thought the certificate chain was not complete, but when running the following command, I saw that it was not the case :
c:\testrep>keytool -list -v -storetype pkcs12 -keystore mystore.p12
Enter keystore password: ********
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: id de yann39
Creation date: Oct 24, 2012
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Serial number: 12d21eb200200000a02b
Valid from: Mon Jun 25 14:16:00 CEST 2011 until: Wed Jun 24 14:16:00 CEST 2013
Certificate fingerprints:
MD5: D7:E3:83:1D:C1:41:78:72:5F:A8:6D:BD:3A:ED:DD:48
SHA1: 24:31:1D:25:02:98:0D:F8:28:6A:F1:0E:E8:BB:04:7E:51:E2:E9:66
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 601fab4c000000000003
Valid from: Tue Oct 02 11:36:53 CEST 2006 until: Mon Oct 02 11:47:53 CEST 2016
Certificate fingerprints:
MD5: 51:A1:EA:33:21:2C:71:60:A1:6F:F1:22:92:A8:51:8D
SHA1: 66:CD:70:13:27:68:F3:C2:08:F3:BE:5F:BF:D4:17:BD:85:9D:10:65
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 7dc0d089138d1d804b2e68e21b947412
Valid from: Tue Oct 02 10:55:19 CEST 2006 until: Sat Oct 02 11:01:47 CEST 2026
Certificate fingerprints:
MD5: A2:CE:DC:7D:F5:60:D7:2C:5E:B5:29:74:9D:51:F9:49
SHA1: DA:D8:7F:63:95:90:A2:E4:D4:1D:B9:48:FD:F4:C3:5C:FC:2B:B6:A3
*******************************************
*******************************************
c:\testrep>
The chain seems good.
But I still get the security warning with an "UNKNOWN" Publisher. Why ?
EDIT 25-OCT-2012
I forgot to say that it works using Internet Explorer ("Signature has been verified" and Publisher is "Yann39"), not using Chrome or Firefox.
I tried using a self-signed certificate :
keytool -genkey -alias myalias -storetype PKCS12 -keystore mykeystore.p12 -dname "cn=Yann39, ou=UN, o=ORG, st=Geneva, c=CH"
keytool -list -v -storetype pkcs12 -keystore mykeystore.p12
echo test > test.class
C:\oracle\dev10gr2\jdk\bin\jar cf0 myapplet.jar test.class
C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mykeystore.p12 myapplet.jar "myalias"
C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs myapplet.jar
It does not work in IE, nor in Firefox or Chrome, which is normal.
I tried to add the 2 trusted certificates from my organisation but it failed :
keytool -import -alias "myalias_root" -file ORGRooTCA.crt -storetype pkcs12 -keystore mykeystore.p12
keytool -import -alias "myalias_auth" -file ORGTrustedCertificationAuthority.crt -storetype pkcs12 -keystore mykeystore.p12
with the error :
keytool error: java.security.KeyStoreException: TrustedCertEntry not supported
I still don't understand why it says that the certificate was not found in the keystore (sm) when verifying the signature.
EDIT 02-NOV-2012
I finally got a reply from my Certification Authority. As code signing certificates are provided for test only (not officially supported in our organisation), they don't provide any help and they closed my ticket...
The 2 certificates ORG Root CA and ORG Trusted Certification Authority are trusted in the 3 browsers (IE, Firefox, Chrome). When running my applet I still get the expected result in IE :
- Name: applettest
- Publisher: Yann39
- From: https://myhost.ch
But not in Firefox and Chrome :
- Name: test
- Publisher: UNKNOWN
- From: https://myhost.ch
Another strange thing is that, as you see, IE is referencing as "Name" the id of the <object> tag used in the HTML (applettest), while Firefox and Chrome are referencing the name of the main class (test).
What I think is that it is the same thing for the Publisher: IE is looking at the CN RDN (Yann39) while Firefox and Chrome are looking at the O RDN and cannot find one, as it is not defined in my certificate.
If anyone has more information about how browsers check the certificates please share.
Thanks.
If you have your own CA and sign applets with certificates issued by that CA, then you obviously need to add that CA's certificate to the list of trusted certificate authorities.
When running inside IE, the Java plugin seems to be able to use the system list of CAs, so you just need to add your CA certificate to the system certificate storage (be sure to manually choose the certificate destination as a trusted CA during the import).
When running inside Chrome or Firefox, the Java plugin for some reason does not use the system certificate storage, but only its own separate certificate storage. You will get the "insecure" security warning with "UNKNOWN" publisher when running an applet in these browsers if the CA's certificate is not present in the Java plugin certificate storage, regardless of whether it is in the "trusted CA" system certificate storage.
To add a certificate to Java plugin storage:
- open Java control panel
- select "Security" tab
- click the "Manage Certificates..." button
- select "Signer CA" option in the "Certificate type" combo-box.
- import your CA's certificate
The next time you use Chrome or Firefox to run your applet, you will have a normal "secure" security warning with the option to trust that applet forever.
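The answer's point is that "known" versus "UNKNOWN" publisher is not a property of the JAR alone: it is the result of chaining the signer's certificate to an anchor in whichever trust store the runtime actually consults (the system store under IE, the plugin's own store under Chrome and Firefox). The same applies to the question's "sm" versus "smk" observation: jarsigner only prints the k flag when a -keystore is passed and a signer certificate is found in it, and the verify runs above were done without one. The program below is an added example, not code from the question, the answer or Oracle's plugin. It reads a signed JAR with the JDK's standard JarFile verification, then validates each signer's chain with the PKIX CertPathValidator against a trust store given on the command line, so running it once with the system CA store and once with the plugin's store reproduces the different verdicts the two browser setups produce. The trust-store path, password and type are assumptions supplied as arguments; the store must contain at least one trusted-certificate entry or PKIXParameters will reject it.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not the question's, the answer's or the plugin's code).
 * Usage: java CheckSigner <signed.jar> <truststore> [truststore-password]
 * The trust-store path is an assumption: pass the system CA store or the
 * store the Java control panel's "Manage Certificates..." dialog writes to.
 */
public class CheckSigner {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CheckSigner <signed.jar> <truststore> [password]");
            System.exit(2);
        }
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore trust = loadTrustStore(args[1], password);
        boolean allTrusted = true;

        // verify=true makes JarFile check each entry's digest against the
        // .SF/.RSA signature block while the entry's bytes are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                readFully(jar, entry); // signers are only populated after a full read
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    allTrusted = false;
                    continue;
                }
                for (CodeSigner signer : signers) {
                    List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    String verdict = chainVerdict(chain, trust);
                    System.out.println(entry.getName() + ": signed by "
                            + leaf.getSubjectX500Principal().getName() + " -> " + verdict);
                    if (!verdict.startsWith("TRUSTED")) {
                        allTrusted = false;
                    }
                }
            }
        }
        System.exit(allTrusted ? 0 : 1);
    }

    /** Loads a trust store of the JVM's default type (JKS on the JDKs discussed here). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads and discards the entry; a tampered entry makes JarFile throw SecurityException here. */
    static void readFully(JarFile jar, JarEntry entry) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) {
                // only the digest check performed by JarFile matters
            }
        }
    }

    /** Decides whether the signer's chain reaches an anchor in THIS store. */
    static String chainVerdict(List<? extends Certificate> chain, KeyStore trust) throws Exception {
        // Cut the chain at the first certificate the store already trusts, so the
        // anchor itself (e.g. "ORG Root CA" embedded in the .RSA block) is not
        // part of the path handed to PKIX validation.
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            if (trust.getCertificateAlias(x) != null) {
                break;
            }
            path.add(x);
        }
        if (path.isEmpty()) {
            return "TRUSTED (signer certificate is itself in the store)";
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trust); // uses the store's trusted-cert entries as anchors
        params.setRevocationEnabled(false); // offline check; CRL/OCSP lookups are a deployment choice
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "TRUSTED (chains to an anchor in the store)";
        } catch (CertPathValidatorException e) {
            return "UNKNOWN publisher for this store: " + e.getMessage();
        }
    }
}
```

Compile with javac CheckSigner.java and run it against test_applet.jar twice, once with the store that holds ORG Root CA and once with an empty or unrelated store: the first run reports the entry as TRUSTED with the signer's DN, the second returns the UNKNOWN verdict even though the JAR's signature itself verifies, which is exactly the Chrome/Firefox behaviour the answer describes. The chain is cut at the first certificate the store already contains because PKIX validation expects the trust anchor to sit outside the path; this is also why a chain that is complete inside the .RSA block, as the keytool -list -v output shows, is not by itself enough to make the publisher known.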