Hot questions for Using Applets in certificate


Question:

The question is: how to solve the "The certificate is not valid and cannot be used to verify the identity of this website" error?

Here are the details:

I have a signed applet that has been working fine, until I updated Java to 8u25 (1.8.0_25-b18). Now, the application shows an alert message "Do you want to continue? The connection to this website is untrusted". There is a note in this message too, "The certificate is not valid and cannot be used to verify the identity of this website".

The applet is loaded without problems. But when the user tries to use a specific function of that application, the warning message is displayed.

I've checked the Java console when this happens, and this warning message is displayed right after these lines:

security: Obtain certificate collection in SSL Root CA certificate store
security: Invalid certificate from HTTPS server
network: Cache entry not found [url: https://sub.domain.net:9876, version: null]

The application is downloaded from a different domain, say "https://app.domain.net/.....", so no jars are downloaded from "https://sub.domain.net:9876", but the applet connects to "https://sub.domain.net:9876" to send/receive data.

The applet is signed correctly, and so far, it meets all the security requirements according to Java. This issue seems to happen when the application tries to connect internally with an HTTPS URL like https://sub.domain.net:9876. That site's SSL certificate is valid, issued by GoDaddy and has not expired.

Again, this started to happen after updating my JRE to 8u25. I've tested adding the offending URL to the Java security exception list, with no success.

Here are a few screenshots of this problem:

This is the warning message displayed:


Edit 10/18/2014:

Question posted in "Oracle Community" too, to increase answer options: Question in Oracle Community.


Edit 10/21/2014:

I noticed this: When I click the link "More Information" displayed in the "Security Warning" dialog, the reason displayed says:

The application is being downloaded from a site other than the one specified by the security certificate.

  • Downloading from "sub.domain.net"

  • Expecting "*.DOMAIN.NET"

This message says the application is BEING DOWNLOADED FROM "sub.domain.com", and that is false. The application (applet) is already downloaded, and it is only using that domain in an internal HTTPS request, to get/send business data, not to download additional Jars, JNLPs, etc.


Answer:

I found how to solve this issue, and thanks to Steffen Ullrich for a valid proposal.

This is related to the certificate's Common Name (CN) value. In my case, that value was *.DOMAIN.NET, and to change it to *.domain.net, all we had to do was a procedure called "Domain Transfer". This means, to change the CN to *.REKEY.DOMAIN.NET, and then to change it again to *.domain.net. We could not change it to *.domain.net directly because the certificate provider says *.DOMAIN.NET and *.domain.net are the same.

Now, this issue happened only with Java 7.71 and Java 8.25. Previous versions of Java 7 and 8 don't have this issue (SSL certificate restrictions for a CN in a different casing).

Anyway, this solved the issue, and now we receive a gentle information message about the domain:
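The answer traces the warning to the casing of the wildcard CN. DNS names are case-insensitive, so a correct hostname check treats *.DOMAIN.NET and *.domain.net as the same name; the matcher below (an added example, not code from either post) implements that rule together with the one-label wildcard limit, and a helper lists the DNS SANs and CN that a server certificate actually presents, which is what to compare against the host when this dialog appears. Class and method names are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostnameMatch {
    // RFC 6125 style: DNS names compare case-insensitively and a wildcard
    // is honoured only as the entire left-most label.
    public static boolean matches(String hostname, String pattern) {
        String host = hostname.toLowerCase(Locale.ROOT);
        String pat = pattern.toLowerCase(Locale.ROOT);
        if (!pat.startsWith("*.")) {
            return host.equals(pat);
        }
        String suffix = pat.substring(1);                    // ".domain.net"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String left = host.substring(0, host.length() - suffix.length());
        return !left.isEmpty() && !left.contains(".");       // exactly one label
    }

    // Names a server certificate presents: DNS SANs (type 2) first, then the subject CN.
    public static List<String> presentedNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add((String) san.get(1));
                }
            }
        }
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                names.add(rdn.getValue().toString());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // constructed sample: the CN from the answer against the host the applet talks to
        System.out.println(matches("sub.domain.net", "*.DOMAIN.NET"));
        System.out.println(matches("a.sub.domain.net", "*.domain.net"));
        System.out.println(matches("domain.net", "*.domain.net"));
    }
}
```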

Question:

I have a Java Applet (for a browser) signed and timestamped with a valid Code Signing Certificate from GoDaddy. The code signing certificate itself expires in a few weeks. Everything I've read says that the applet will still be valid after the Code Signing Certificate expires:

From here:

If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged

I would like to verify this is actually true though. If I change my computer's clock settings to a later date, past when the certificate expires, I get the following Java Exception in IE, Firefox and Chrome:

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date

Does this mean that the applet will actually fail in a few weeks when the Code Signing Certificate expires, or is this test of changing my computer clock just invalid? Any references either way?


Answer:

The Code Signing Certificate expired several months ago now, and I can confirm everything is still working fine. The Java popup that comes up (the first time visiting the site) says: "The web site's certificate has been verified."

Changing the local timestamp wasn't a valid test of this after all.

Question:

I am developing a Java applet for signing PDF documents in the web browser. The applet needs to be able to work with both Windows and Mac OS. The applet will display a list of installed certificates on the user's computer and let the user select one of them for signing.

I have found examples of how to read certificates from a Windows keystore using the "Windows-MY" identifier, but I cannot find any example working with certificates in Java for Mac OS. How can a list of certificates be read from the keystore on a Mac?

I am new to Java programming (being a .NET web developer primarily), so maybe I'm missing something. Thank you for any help.


Answer:

This is documented here: Java Cryptography Architecture Oracle Providers Documentation for JDK 8

You should read the whole page, but the relevant part for your question is at the bottom:

The Apple provider implements a java.security.KeyStore that provides access to the Mac OS X Keychain. The following algorithms are available in the Apple provider:

Engine: KeyStore Algorithm Name(s): KeychainStore

So, in other words: You obtain a KeyStore object for the Mac OS X keychain by using the name "KeychainStore":

KeyStore ks = KeyStore.getInstance("KeychainStore");

After that it's basically the same as for every other keystore type. For example, to list all certificates and their aliases:

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
public class ListKeychain {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore");
        ks.load(null, null);   // the keychain is not a file: no stream, no password
        Enumeration<String> en = ks.aliases();
        while (en.hasMoreElements()) {
            String aliasKey = en.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(aliasKey);
            System.out.println("alias: " + aliasKey);
            System.out.println("cert: " + c.getSubjectX500Principal().toString());
        }
    }
}

BTW, the browser vendors and Oracle are phasing out the browser plugin for applets. Java Web Start might be an alternative.
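An added example (not from the answer or from Oracle's documentation) that extends the listing above into what a PDF-signing applet needs: it picks "Windows-MY" or "KeychainStore" from os.name and keeps only aliases that have a private key, are within their validity period, and whose key usage allows signing. Class and method names are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;

public class SigningCertificates {
    // Pick the OS keystore: "Windows-MY" (SunMSCAPI) or "KeychainStore" (Apple provider).
    public static String platformStoreType() {
        String os = System.getProperty("os.name", "").toLowerCase(Locale.ROOT);
        if (os.startsWith("windows")) return "Windows-MY";
        if (os.startsWith("mac")) return "KeychainStore";
        throw new IllegalStateException("no OS keystore provider for " + os);
    }
    // Offer a certificate for signing only if the store holds its private key, it is
    // currently valid, and key usage allows digitalSignature (bit 0) or nonRepudiation (bit 1);
    // a certificate without a key usage extension is not excluded.
    public static boolean isSigningCandidate(X509Certificate cert, boolean hasPrivateKey) {
        if (!hasPrivateKey) return false;
        try {
            cert.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            return false;
        }
        boolean[] ku = cert.getKeyUsage();
        return ku == null || ku[0] || ku[1];
    }
    public static List<String> signingAliases(KeyStore ks) throws Exception {
        List<String> result = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && isSigningCandidate((X509Certificate) c, ks.isKeyEntry(alias))) {
                result.add(alias);
            }
        }
        return result;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(platformStoreType());
        ks.load(null, null);                                  // OS store: no file, no password
        System.out.println("signing candidates: " + signingAliases(ks));
    }
}
```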

Question:

I had a Code Signing certificate from GoDaddy which expired back in February, and I used it to sign Java jar files, copied them to an FTP server and ran them as applets. Everything worked fine.

In January I made a renewal for one year.

Despite the fact that I did what was suggested in the GoDaddy guide (downloaded the zip file, extracted it, and imported it into the keystore), it was not working: when signing the jar file it still gave me the warning that my certificate will expire in six months.

So I decided to re-key my certificate, and followed exactly the steps from GoDaddy's website. First, I made a new keystore, to have a fresh start:

keytool -genkey -alias sboda -keyalg RSA -keysize 2048 -keystore keystore.jks

Then I entered the needed information, like name, organization, etc., and generated the CSR file:

keytool -certreq -alias sboda -file file.csr -keystore keystore.jks

After this, I copy-pasted the CSR into the CSR box on the website, and asked for a rekey.

I downloaded and extracted the ZIP file, and imported it into the newly created keystore with

keytool -importcert -file filename.pem -keystore keystore.jks

I trusted the certificate, and the certificate was imported. I signed the jar with

jarsigner -verbose -keystore ./keystore.jks -tsa http://tsa.starfieldtech.com/ ~/workspace/example.jar sboda

It gave me the warning: Warning: The signer certificate will expire within six months.

I copied the jar file to the server, and it gave this error when I tried to launch the applet:

The other applets, that were signed earlier, are working fine... Did I miss anything?

I already contacted GoDaddy support two times, but they were not really helpful, so I thought I'd also ask here...


Answer:

In the meantime I figured it out, thanks to other vendors' documentation. Instead of

keytool -importcert -file filename.pem -keystore keystore.jks

use

keytool -import -v -trustcacerts -alias alias -file filename.pem -keystore keystore.jks

Hopefully others will not stumble into this problem; I lost half a day with it.

Question:

I have a problem with my applet for signing PDF documents using a smartcard. It works fine for non-qualified certificates but won't for qualified ones. I'm using the SunPKCS11 provider. It's a CryptoTech card. Here's the part of the code where I'm trying to operate on this provider:

// value holds the path to the card's PKCS#11 library; pkcs11Provider is a field declared elsewhere
String pkcs11config = "name = " + PROVIDER + "\nlibrary = \"" + value + "\"";
byte[] pkcs11configBytes = pkcs11config.getBytes();
final ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11configBytes);
pkcs11Provider = new sun.security.pkcs11.SunPKCS11(configStream);
Security.addProvider(pkcs11Provider);

And here is the code where the problem occurred:

final KeyStore keyStore = KeyStore.getInstance(TYPE, pkcs11Provider);
keyStore.load(null, PIN);

And the constants:

public static final String PROVIDER = "CryptoTech";
private static final String TYPE = "PKCS11";

Here's the exception stack trace:

java.io.IOException: load failed
    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763)
    at java.security.KeyStore.load(Unknown Source)
    at pl.emsi.sign.card.CardManager.getKey(CardManager.java:165)
    at pl.emsi.sign.logic.DocumentLogic$1.success(DocumentLogic.java:79)
    at pl.emsi.sign.card.CardManager$1.driverSelected(CardManager.java:92)
    at pl.emsi.sign.card.CardManager$2.driverSelected(CardManager.java:121)
    at pl.emsi.sign.card.CardManager$7.actionPerformed(CardManager.java:414)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$500(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.WaitDispatchSupport$2.run(Unknown Source)
    at java.awt.event.InvocationEvent.dispatch(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$500(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException
    at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1238)
    at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:849)
    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:753)
    ... 54 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_LOCKED
    at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
    at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1222)
    ... 56 more

I've already checked that the PIN isn't locked, because another application (no need to mention the name of this application) signs the PDF document without any problems. The PIN is 100% correct, also.

If there's some information missing, please, let me know.

EDIT1: By "It works fine for non-qualified certificates but won't for qualified ones" I meant that the non-qualified certificates were placed on different smartcards than this qualified certificate.


Answer:

Passing null in place of the PIN parameter in the keyStore.load method (keyStore.load(null, null)) will result in a password prompt from the respective token driver. You can validate the PIN this way...
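An added example, not from the question or the answer, of the defensive side of this: load the PKCS#11 keystore once, let a null PIN hand the prompt to the token driver as the answer suggests, and classify a failed load from the CKR_ code in the cause chain (the question's trace ends in CKR_PIN_LOCKED) so the application stops instead of retrying and consuming the remaining PIN attempts. The main method uses a constructed exception chain; class and method names are assumptions.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.Provider;
import javax.security.auth.login.LoginException;

public class TokenLogin {
    public enum Failure { PIN_LOCKED, PIN_INCORRECT, LOGIN_OTHER, NOT_LOGIN }

    // Walk the cause chain of the IOException("load failed") thrown by P11KeyStore
    // and map the PKCS#11 return code (carried in the message) to a decision.
    public static Failure classify(Throwable t) {
        boolean login = false;
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof LoginException) login = true;
            String msg = String.valueOf(c.getMessage());
            if (msg.contains("CKR_PIN_LOCKED")) return Failure.PIN_LOCKED;
            if (msg.contains("CKR_PIN_INCORRECT")) return Failure.PIN_INCORRECT;
        }
        return login ? Failure.LOGIN_OTHER : Failure.NOT_LOGIN;
    }

    // Load the token keystore exactly once. A null PIN lets the token driver prompt
    // (the answer's suggestion); never loop on PIN failures, since every wrong attempt
    // burns a retry and a locked PIN can only be unblocked with the card vendor's tool.
    public static KeyStore load(Provider pkcs11Provider, char[] pinOrNull) throws IOException {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11Provider);
            ks.load(null, pinOrNull);
            return ks;
        } catch (java.security.GeneralSecurityException e) {
            throw new IOException("keystore setup failed", e);
        } catch (IOException e) {
            switch (classify(e)) {
                case PIN_LOCKED:    throw new IOException("token PIN is locked; unblock it with the vendor tool", e);
                case PIN_INCORRECT: throw new IOException("wrong PIN; not retrying automatically", e);
                default:            throw e;
            }
        }
    }

    public static void main(String[] args) {
        // constructed exception chain mirroring the question's stack trace
        Throwable pkcs11 = new Exception("CKR_PIN_LOCKED");
        Throwable login = new LoginException().initCause(pkcs11);
        IOException sample = new IOException("load failed", login);
        System.out.println(classify(sample));
    }
}
```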

Question:

I currently have a website hosted with Hostgator that has a Java upload applet; however, on page visit, the browser blocks the Java applet from executing. The reason given is that security settings have blocked a SELF-SIGNED application from running.

My question is: how can I get past this, WITHOUT modifying Java security levels? I want users to be able to access the applet without getting this error AND without having to modify any of their current browser settings.

(I signed the applet myself using keytool).

Thank you.


Answer:

There are two ways:

  1. You need to buy an SSL certificate from a trusted party like Verisign or Thawte, or any other (cheaper) trusted provider. Then you need to sign your applet with this certificate instead. Since such a certificate will be provided by a globally-trusted party, your users' JVM will automatically trust it.

    If you decide to go with the cheaper SSL provider, make sure its root certificate is in the default list of trusted certificates of the JVM. You can check that by listing the certificates that come with the installation of Java, like this:

    keytool -list -keystore cacerts -storepass changeit

    where changeit is the default cacerts keystore password, and the cacerts file can be found in the lib\security folder of your JRE installation; on Windows this will be something like:

    c:\Program Files (x86)\Java\jre[version]\lib\security\

  2. Send the public key to your users, and make them add it to the trusted certificates of their JVM (usually that means importing the certificate you provide into the aforementioned cacerts file). This step however requires using keytool and the command line and will most likely be troublesome for most of your users.
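A check to run before jarsigner, added here as an example (not from either answer) and covering both this answer's point, whether the provider's root is in the JVM's cacerts, and the rekey question above, where the certificate ended up imported under another alias or without -trustcacerts so the key entry had no issuer chain. It assumes keystore.jks with the alias sboda from that question and takes the keystore password as the first argument; class and method names are assumptions.

```java
import java.io.FileInputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;

public class SigningChainCheck {
    // The cacerts store shipped with the running JVM; "changeit" is its well-known default password.
    public static KeyStore jvmTrustStore() throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toFile())) {
            ts.load(in, "changeit".toCharArray());
        }
        return ts;
    }
    // Returns null when the alias is a private-key entry whose chain validates to a root in the
    // trust store; otherwise a message naming the problem jarsigner or the users' JVM will hit.
    public static String problem(KeyStore signing, String alias, KeyStore trust) throws Exception {
        if (!signing.isKeyEntry(alias)) {
            return alias + " is not a private-key entry (certificate imported under another alias?)";
        }
        Certificate[] chain = signing.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            return "no issuer certificates stored for " + alias + " (imported without -trustcacerts?)";
        }
        int n = chain.length;                                      // chain is leaf first
        X509Certificate last = (X509Certificate) chain[n - 1];
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) n--;  // root comes from the trust store
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain).subList(0, n));
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);        // offline structural check; revocation is a separate step
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return "chain for " + alias + " is not trusted by this JVM: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        // assumed layout: keystore.jks holding alias "sboda" as in the question; password from args[0]
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("keystore.jks")) {
            ks.load(in, args[0].toCharArray());
        }
        String issue = problem(ks, "sboda", jvmTrustStore());
        System.out.println(issue == null ? "OK: chain validates against the JVM trust store" : issue);
    }
}
```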