BouncyCastle Cryptography provider library used with applet on Java 7u40


Problem description


The case: I am maintaining a Java applet which uses the BouncyCastle libraries bcpkix-jdk15on-149.jar, and bcprov-jdk15on-149.jar.

Problem is when the applet is run on a JRE version 7_u40 enabled browser.
The behavior has changed from version 7_u25 in a way that it always prompts a modal window like "Security prompt for an app using a self-signed certificate" (which cannot be permanently hidden anymore), just to trust bcprov.

https://www.java.com/en/download/help/appsecuritydialogs.xml

As far as I know, this is because BC libraries are signed with the BouncyCastle certificate, issued by the "JCE Code Signing CA". Because of that, the lib can perform and act as a cryptography provider.

BUT: the JRE cannot build the certificate chain to trust the signature. It shows "provider : UNKNOWN"

I know I can remove that signature and sign by myself (I own a Thawte code sign certificate):

  • it works with bcpkix lib
  • it does not work with bcprov because it won't be considered as a valid cryptography provider (it won't be trusted by the JRE).

Am I right? What can I do?
PS: I googled a lot to find the JCA root cert (to put it into the JRE truststore), without success... Is there a way to grab that root CA?

Solution

After a lot of searching and some posts on the BC mailing list... I found the solution, so I drop it here for others who may face that issue:

The solution is basically to sign the BC library a second time with my own certificate.
The JAR needs the JCA signature in order to be trusted as a cryptography provider, so do not remove it.
The JAR also needs (in addition) a code signature in order to be able to be run in the JVM (trusted by the JRE).

One last thing, some incompatibility happened on the signature technology:

  • BC lib is signed using SHA1 digest algorithm
  • jarsigner (on my computer) is doing the signature with SHA256 digest algorithm by default, which leads to a verification failure.
  • So I had to ask jarsigner to do it the SHA1 way. (for some reason both signatures have to be consistent from that point of view)

Here is the magic parameter of jarsigner command to add and make it happen: -digestalg SHA1

Sample command:

jarsigner -keystore ./mykeystore.jks -storepass myPass -digestalg SHA1 bcprov-jdk15on-149.jar myAlias

... and you're done!

The following post gave me the tip: What prevents Java from verifying signed jars with multiple signature algorithms
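
To see which digest algorithm an existing signature uses before choosing a -digestalg value, the following added example (not part of the original answer) lists the digest attributes found in a JAR's manifest and signature files and flags a mix. The sample JAR, its signature file names (FIRST.SF, SECOND.SF) and its digest values are constructed placeholders.

```python
import io
import re
import sys
import zipfile

# Attribute names look like "<ALG>-Digest", "<ALG>-Digest-Manifest" or
# "<ALG>-Digest-Manifest-Main-Attributes"; continuation lines start with a space.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)

def normalize(alg):
    """Treat spellings such as 'SHA1' and 'SHA-1' as the same algorithm."""
    return alg.upper().replace("-", "")

def digest_algorithms(jar_bytes):
    """Map MANIFEST.MF and every META-INF/*.SF file to its digest algorithms."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            in_meta = upper.startswith("META-INF/") and upper.count("/") == 1
            if in_meta and (upper.endswith("/MANIFEST.MF") or upper.endswith(".SF")):
                text = jar.read(name).decode("utf-8", errors="replace")
                found[name] = {normalize(a) for a in DIGEST_ATTR.findall(text)}
    return found

def mixed_digests(found):
    """True when more than one digest algorithm appears across the files."""
    return len(set().union(*found.values())) > 1

def build_sample_jar(second_alg):
    """Constructed sample: SHA1 first signature plus a second one using second_alg.
    File names and digest values are placeholders, not taken from the real JAR."""
    sha1_sf = ("Signature-Version: 1.0\r\nSHA1-Digest-Manifest: BBBB\r\n\r\n"
               "Name: org/example/A.class\r\nSHA1-Digest: CCCC\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n"
                     "Name: org/example/A.class\r\nSHA1-Digest: AAAA\r\n\r\n")
        jar.writestr("META-INF/FIRST.SF", sha1_sf)
        jar.writestr("META-INF/SECOND.SF", sha1_sf.replace("SHA1", second_alg))
    return buf.getvalue()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar("SHA-256")
    report = digest_algorithms(data)
    for name, algs in sorted(report.items()):
        print(name, sorted(algs))
    print("mixed digest algorithms:", mixed_digests(report))
```

Run it with the path of a JAR as the only argument to inspect a real file; with no argument it reports on the constructed sample.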
