Get rid of the "UNKNOWN" publisher from applet security warning


Problem description

I am trying to sign an applet so that the publisher does not show up as "UNKNOWN".

I work for an organisation and we have our own certification authority, certificate chain is the following : ORG Root CA > ORG Trusted Certification Authority > Yann39 (me :D)

I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.

Then I did the following to sign my applet :

/* TO KNOW THE ALIAS */
c:\testrep>keytool -list -storetype pkcs12 -keystore mystore.p12
Enter keystore password:  ********

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

id de yann39, Oct 24, 2012, keyEntry,
Certificate fingerprint (MD5): D7:E3:83:1D:C1:40:68:72:5F:A8:6F:AC:3A:EA:DD:47

/* CREATE FAKE CLASS FILE AND BUILD A JAR */
c:\testrep>echo test > test.class
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jar cf0 test_applet.jar test.class

/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
 updating: META-INF/MANIFEST.MF
   adding: META-INF/ID_DE_YA.SF
   adding: META-INF/ID_DE_YA.RSA
  signing: test.class

/* VERIFY THE SIGNATURE */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs test_applet.jar

         132 Wed Oct 24 17:49:52 CEST 2012 META-INF/MANIFEST.MF
         185 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.SF
        4801 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.RSA
           0 Wed Oct 24 17:48:36 CEST 2012 META-INF/
sm         0 Wed Oct 24 17:47:46 CEST 2012 test.class

      X.509, CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
      X.509, CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
      X.509, CN=ORG Root CA, DC=myorg, DC=ch


  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

c:\testrep>

Then I load the applet in my application using the following :

<object id="mytestapplet" width="0" height="0" style="position:absolute" type="application/x-java-applet">
<param name="archive" value="https://myhost.ch/rep/test_applet.jar">
<param name="code" value="test">
<param name="scriptable" value="true">
<param name="mayscript" value="no">
</object>

I read some posts like this one : How to sign java applet with .pfx file? and it seems I should get smi when verifying signed file from the jar, not only sm that means the certificate was not found in the keystore.

So I thought the certificate chain was not complete, but when running the following command, I saw that it was not the case :

c:\testrep>keytool -list -v -storetype pkcs12 -keystore mystore.p12
Enter keystore password:  ********

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: id  de yann39
Creation date: Oct 24, 2012
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
    DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Serial number: 12d21eb200200000a02b
Valid from: Mon Jun 25 14:16:00 CEST 2011 until: Wed Jun 24 14:16:00 CEST 2013
Certificate fingerprints:
         MD5:  D7:E3:83:1D:C1:41:78:72:5F:A8:6D:BD:3A:ED:DD:48
         SHA1: 24:31:1D:25:02:98:0D:F8:28:6A:F1:0E:E8:BB:04:7E:51:E2:E9:66
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 601fab4c000000000003
Valid from: Tue Oct 02 11:36:53 CEST 2006 until: Mon Oct 02 11:47:53 CEST 2016
Certificate fingerprints:
         MD5:  51:A1:EA:33:21:2C:71:60:A1:6F:F1:22:92:A8:51:8D
         SHA1: 66:CD:70:13:27:68:F3:C2:08:F3:BE:5F:BF:D4:17:BD:85:9D:10:65
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 7dc0d089138d1d804b2e68e21b947412
Valid from: Tue Oct 02 10:55:19 CEST 2006 until: Sat Oct 02 11:01:47 CEST 2026
Certificate fingerprints:
         MD5:  A2:CE:DC:7D:F5:60:D7:2C:5E:B5:29:74:9D:51:F9:49
         SHA1: DA:D8:7F:63:95:90:A2:E4:D4:1D:B9:48:FD:F4:C3:5C:FC:2B:B6:A3


*******************************************
*******************************************



c:\testrep>

The chain seems fine.

But I still get the security warning with the "UNKNOWN" publisher. Why?

I forgot to say that it works using Internet Explorer ("Signature has been verified" and Publisher is "Yann39"), not using Chrome or Firefox.

I tried with a self-signed certificate:

keytool -genkey -alias myalias -storetype PKCS12 -keystore mykeystore.p12 -dname "cn=Yann39, ou=UN, o=ORG, st=Geneva, c=CH"
keytool -list -v -storetype pkcs12 -keystore mykeystore.p12
echo test > test.class
C:\oracle\dev10gr2\jdk\bin\jar cf0 myapplet.jar test.class
C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mykeystore.p12 myapplet.jar "myalias"
C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs myapplet.jar

It does not work in IE, Firefox or Chrome, which is normal.

I tried to add the 2 trusted certificates from my organisation but it failed :

keytool -import -alias "myalias_root" -file ORGRooTCA.crt -storetype pkcs12 -keystore mykeystore.p12
keytool -import -alias "myalias_auth" -file ORGTrustedCertificationAuthority.crt -storetype pkcs12 -keystore mykeystore.p12

With the error:

keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

I still don't understand why it says that the certificate is not in the keystore (sm) when verifying the signature.

I finally got a reply from my Certification Authority. As code signing certificates are provided for test only (not officially supported in our organisation), they don't provide any help and they closed my ticket...

The 2 certificates ORG Root CA and ORG Trusted Certification Authority are trusted in the 3 browsers (IE, Firefox, Chrome). When running my applet I still get the expected result in IE :

  • Name: applettest
  • Publisher: Yann39
  • From: https://myhost.ch

But not in Firefox and Chrome :

  • Name: test
  • Publisher: UNKNOWN
  • From: https://myhost.ch

Another strange thing is that as you see IE is referencing as "Name" the id of the <object> tag used in the HTML (applettest), while Firefox and Chrome are referencing the name of the main class (test).

What I think is that it is the same thing about the Publisher, IE is looking at the CN RDN (Yann39) while Firefox and Chrome are looking at the O RDN and cannot find one as it is not defined in my certificate.

If anyone has more information about how browsers check the certificates please share.

Thanks.

Recommended answer

If you have your own CA and sign applets with certificates issued by that CA, then you obviously need to add that CA's certificate to the list of trusted certificate authorities.

When running inside IE, the Java plugin seems to be able to use the system list of CA, so you just need to add your CA certificate to the system certificate storage (be sure to manually choose the certificate destination as a trusted CA during the import).

When running inside Chrome or Firefox, the Java plugin for some reason does not use system certificate storage, but only its own separate certificate storage. You will get the "insecure" security warning with "UNKNOWN" publisher when running applet in these browsers if the CA's certificate is not present in the Java plugin certificate storage, regardless of whether it is in the "trusted CA" system certificate storage.

To add a certificate to Java plugin storage:

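  • Open the Java Control Panel
  • Select the "Security" tab
  • Click the "Manage Certificates..." button
  • Select the "Signer CA" option in the "Certificate type" combo box
  • Import the CA's certificate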

The next time you use Chrome or Firefox to run your applet, you will have a normal "secure" security warning with the option to trust that applet forever.
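
The behaviour described in this answer, as an added Python example (not part of the original post and not the Java plugin's code): it parses the `keytool -list -v` output from the question, checks that the chain links up, and shows that the displayed publisher depends on which certificate store is consulted. The function names, the store contents passed in, and the use of the subject CN as publisher name are assumptions; matching issuer to owner by string stands in for real signature verification.

```python
import re

# Trimmed `keytool -list -v` output from the question (values as posted there).
KEYSTORE_LISTING = """\
Certificate chain length: 3
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
    DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
         SHA1: 24:31:1D:25:02:98:0D:F8:28:6A:F1:0E:E8:BB:04:7E:51:E2:E9:66
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
         SHA1: 66:CD:70:13:27:68:F3:C2:08:F3:BE:5F:BF:D4:17:BD:85:9D:10:65
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
         SHA1: DA:D8:7F:63:95:90:A2:E4:D4:1D:B9:48:FD:F4:C3:5C:FC:2B:B6:A3
"""

def parse_chain(listing):
    """Return [{'owner', 'issuer', 'sha1'}, ...] in chain order (leaf first)."""
    # Re-join DNs that keytool wrapped onto an indented continuation line.
    text = re.sub(r",\s*\n\s+(?=[A-Z]+=)", ", ", listing)
    certs = []
    for block in re.split(r"Certificate\[\d+\]:", text)[1:]:
        certs.append({
            "owner": re.search(r"^Owner: (.+)$", block, re.M).group(1).strip(),
            "issuer": re.search(r"^Issuer: (.+)$", block, re.M).group(1).strip(),
            "sha1": re.search(r"SHA1:\s*([0-9A-F:]+)", block).group(1),
        })
    return certs

def chain_is_linked(certs):
    """Each issuer must equal the next owner; the last cert must be self-issued."""
    # Assumption: DN string comparison only, no signature check.
    links = all(a["issuer"] == b["owner"] for a, b in zip(certs, certs[1:]))
    return links and certs[-1]["issuer"] == certs[-1]["owner"]

def trust_anchor(certs, store_sha1s):
    """First chain certificate whose SHA1 fingerprint is in the store, else None."""
    return next((c for c in certs if c["sha1"] in store_sha1s), None)

def publisher_shown(certs, store_sha1s):
    """Hypothetical model: the name is shown only if the chain reaches the store."""
    if chain_is_linked(certs) and trust_anchor(certs, store_sha1s):
        return re.search(r"CN=([^,]+)", certs[0]["owner"]).group(1)
    return "UNKNOWN"
```

Calling `publisher_shown` with an empty set models the plugin's own store before the import; passing the root CA's SHA1 fingerprint models it after the "Signer CA" import.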
