Get rid of the "UNKNOWN" publisher from applet security warning


Question

I'm trying to sign an applet so that the publisher does not appear as "UNKNOWN" :

I work for an organisation and we have our own certification authority, certificate chain is the following : ORG Root CA > ORG Trusted Certification Authority > Yann39 (me :D)

I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.

Then I did the following to sign my applet :

/* TO KNOW THE ALIAS */
c:\testrep>keytool -list -storetype pkcs12 -keystore mystore.p12
Enter keystore password:  ********

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

id de yann39, Oct 24, 2012, keyEntry,
Certificate fingerprint (MD5): D7:E3:83:1D:C1:40:68:72:5F:A8:6F:AC:3A:EA:DD:47

/* CREATE FAKE CLASS FILE AND BUILD A JAR */
c:\testrep>echo test > test.class
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jar cf0 test_applet.jar test.class

/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
 updating: META-INF/MANIFEST.MF
   adding: META-INF/ID_DE_YA.SF
   adding: META-INF/ID_DE_YA.RSA
  signing: test.class

/* VERIFY THE SIGNATURE */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs test_applet.jar

         132 Wed Oct 24 17:49:52 CEST 2012 META-INF/MANIFEST.MF
         185 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.SF
        4801 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.RSA
           0 Wed Oct 24 17:48:36 CEST 2012 META-INF/
sm         0 Wed Oct 24 17:47:46 CEST 2012 test.class

      X.509, CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
      X.509, CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
      X.509, CN=ORG Root CA, DC=myorg, DC=ch


  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

c:\testrep>

Then I load the applet in my application using the following :

<object id="mytestapplet" width="0" height="0" style="position:absolute" type="application/x-java-applet">
<param name="archive" value="https://myhost.ch/rep/test_applet.jar">
<param name="code" value="test">
<param name="scriptable" value="true">
<param name="mayscript" value="no">
</object>

I read some posts like this one : How to sign java applet with .pfx file? and it seems I should get smi when verifying the signed file from the jar, not only sm, which means the certificate was not found in the keystore.

So I thought the certificate chain was not complete, but when running the following command, I saw that it was not the case :

c:\testrep>keytool -list -v -storetype pkcs12 -keystore mystore.p12
Enter keystore password:  ********

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: id  de yann39
Creation date: Oct 24, 2012
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
    DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Serial number: 12d21eb200200000a02b
Valid from: Mon Jun 25 14:16:00 CEST 2011 until: Wed Jun 24 14:16:00 CEST 2013
Certificate fingerprints:
         MD5:  D7:E3:83:1D:C1:41:78:72:5F:A8:6D:BD:3A:ED:DD:48
         SHA1: 24:31:1D:25:02:98:0D:F8:28:6A:F1:0E:E8:BB:04:7E:51:E2:E9:66
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 601fab4c000000000003
Valid from: Tue Oct 02 11:36:53 CEST 2006 until: Mon Oct 02 11:47:53 CEST 2016
Certificate fingerprints:
         MD5:  51:A1:EA:33:21:2C:71:60:A1:6F:F1:22:92:A8:51:8D
         SHA1: 66:CD:70:13:27:68:F3:C2:08:F3:BE:5F:BF:D4:17:BD:85:9D:10:65
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 7dc0d089138d1d804b2e68e21b947412
Valid from: Tue Oct 02 10:55:19 CEST 2006 until: Sat Oct 02 11:01:47 CEST 2026
Certificate fingerprints:
         MD5:  A2:CE:DC:7D:F5:60:D7:2C:5E:B5:29:74:9D:51:F9:49
         SHA1: DA:D8:7F:63:95:90:A2:E4:D4:1D:B9:48:FD:F4:C3:5C:FC:2B:B6:A3


*******************************************
*******************************************



c:\testrep>

The chain looks fine.

But I still get the "UNKNOWN" publisher security warning. Why?

I forgot to say that it works using Internet Explorer ("Signature has been verified" and Publisher is "Yann39"), not using Chrome or Firefox.

I tried with a self-signed certificate:

keytool -genkey -alias myalias -storetype PKCS12 -keystore mykeystore.p12 -dname "cn=Yann39, ou=UN, o=ORG, st=Geneva, c=CH"
keytool -list -v -storetype pkcs12 -keystore mykeystore.p12
echo test > test.class
C:\oracle\dev10gr2\jdk\bin\jar cf0 myapplet.jar test.class
C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mykeystore.p12 myapplet.jar "myalias"
C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs myapplet.jar

It does not work in IE, Firefox or Chrome, which is normal.

I tried to add the 2 trusted certificates from my organisation but it failed :

keytool -import -alias "myalias_root" -file ORGRooTCA.crt -storetype pkcs12 -keystore mykeystore.p12
keytool -import -alias "myalias_auth" -file ORGTrustedCertificationAuthority.crt -storetype pkcs12 -keystore mykeystore.p12

With the error:

keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

I still don't understand why it says that the certificate was not found in the keystore (sm) when verifying the signature.

I finally got a reply from my Certification Authority. As code signing certificates are provided for test only (not officially supported in our organisation), they don't provide any help and they closed my ticket...

The 2 certificates ORG Root CA and ORG Trusted Certification Authority are trusted in the 3 browsers (IE, Firefox, Chrome). When running my applet I still get the expected result in IE :

  • Name: applettest
  • Publisher: Yann39
  • From: https://myhost.ch

But not in Firefox and Chrome :

  • Name: test
  • Publisher: UNKNOWN
  • From: https://myhost.ch

Another strange thing is that as you see IE is referencing as "Name" the id of the <object> tag used in the HTML (applettest), while Firefox and Chrome are referencing the name of the main class (test).

What I think is that it is the same thing about the Publisher, IE is looking at the CN RDN (Yann39) while Firefox and Chrome are looking at the O RDN and cannot find one as it is not defined in my certificate.

If anyone has more information about how browsers check the certificates please share.

Thanks.

Answer

If you have your own CA and sign applets with certificates issued by that CA, then you obviously need to add that CA's certificate to the list of trusted certificate authorities.

When running inside IE, the Java plugin seems to be able to use the system list of CA, so you just need to add your CA certificate to the system certificate storage (be sure to manually choose the certificate destination as a trusted CA during the import).

When running inside Chrome or Firefox, the Java plugin for some reason does not use the system certificate storage, but only its own separate certificate storage. You will get the "insecure" security warning with "UNKNOWN" publisher when running an applet in these browsers if the CA's certificate is not present in the Java plugin certificate storage, regardless of whether it is in the "trusted CA" system certificate storage.

To add a certificate to Java plugin storage:

  • Open the Java Control Panel
  • Select the "Security" tab
  • Click the "Manage Certificates..." button
  • In the "Certificate type" combo box, select the "Signer CA" option
  • Import your CA certificate

The next time you use Chrome or Firefox to run your applet, you will have a normal "secure" security warning with the option to trust that applet forever.
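The chain check the question does by eye, plus the answer's point that the root must sit in the Java plugin's own Signer CA store, as an added Python example (not code from the question or the answer): it parses `keytool -list -v` output (a constructed sample modelled on the listing in the question), checks that each certificate's Issuer is the next certificate's Owner, that the chain ends in a self-signed root, that every certificate is in date, and that the root is in a given set of trust anchors. The trust-anchor set standing in for the plugin's certificate store is an assumption of the example.

```python
import re
from datetime import datetime

KEYTOOL_LISTING = """\
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
    DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Valid from: Mon Jun 25 14:16:00 CEST 2011 until: Wed Jun 24 14:16:00 CEST 2013
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Valid from: Tue Oct 02 11:36:53 CEST 2006 until: Mon Oct 02 11:47:53 CEST 2016
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Valid from: Tue Oct 02 10:55:19 CEST 2006 until: Sat Oct 02 11:01:47 CEST 2026
"""  # constructed sample modelled on the question's `keytool -list -v` output (fingerprints omitted)
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # keytool's date format once the zone name (CEST) is dropped

def parse_chain(listing):
    """Return the chain leaf-first as dicts, re-joining DNs that keytool wrapped onto indented lines."""
    certs, current, last = [], None, None
    for raw in listing.splitlines():
        if raw.startswith("Certificate["):
            certs.append(current := {})
        elif last and raw[:1].isspace():
            current[last] += " " + raw.strip()  # indented continuation of the previous DN
        elif current is not None:
            dn = re.match(r"(Owner|Issuer): (.*)", raw)
            last = dn and dn.group(1)  # any other field (Serial number, fingerprints) ends the DN
            if dn:
                current[last] = dn.group(2).rstrip()
            elif dates := re.match(r"Valid from: (.*) \w+ (\d{4}) until: (.*) \w+ (\d{4})", raw):
                current["valid"] = [datetime.strptime(f"{d} {y}", DATE_FMT)
                                    for d, y in (dates.group(1, 2), dates.group(3, 4))]
    return certs

def check_chain(certs, trust_anchors, now):
    """Return the problems a verifier would hit; an empty list means the signer chains to a trusted root."""
    problems = []
    for i, cert in enumerate(certs):
        if not cert["valid"][0] <= now <= cert["valid"][1]:
            problems.append(f"cert {i + 1} ({cert['Owner']}) is not valid at {now:%Y-%m-%d}")
        if i + 1 < len(certs) and cert["Issuer"] != certs[i + 1]["Owner"]:
            problems.append(f"cert {i + 1} issuer does not match cert {i + 2} owner")
    root = certs[-1]
    if root["Owner"] != root["Issuer"] or root["Owner"] not in trust_anchors:
        problems.append(f"root {root['Owner']!r} is not a trusted self-signed anchor: publisher shows as UNKNOWN")
    return problems
```

With an empty anchor set the only finding is the untrusted root, which is the Chrome/Firefox situation in the question; adding the ORG Root CA DN to the set clears it.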
