InvocationTargetException when using AccessControler.doPrivileged in a signed applet

Question

I'm having the following method in an applet which is called via JavaScript

public String getAString()
    {
        Object rc = AccessController.doPrivileged(
        new java.security.PrivilegedAction() 
        {
            public Object run()
            {
                try
                {
                    return "OK";
                }
                catch (Throwable t)
                {
                    t.printStackTrace();
                    return "ERROR: " + t.getMessage() + " " + t.getCause();
                }
            }
        });


        // Return value
        return rc.toString();
    }

The applet is signed using a certificate created with keytool

When I call getAString() if throws the InvocationTargetException. If I call other methods which don't use the AccessController class, I'm not having this problem.

Also, each time I open the browser I'm asked to allow the applet to run even the the applet is signed.

How can I fix this?

edit

I added a button and now I'm getting more info:

signer information does not match signer information of other classes in the same package

I'm using a third party archive. In the original form is unsigned, but I signed it using the same cert (although with different commands).

edit 2 Here is how I sign the jars

keytool -genkey -keystore vkeystore -keyalg rsa -dname "CN=XXX, OU=XXX, O=XXX, L=Atlanta, ST=GA,C=NL" -alias printer -validity 3600 -keypass XXX-storepass XXX

jarsigner -keystore vkeystore -storepass XXX -keypass XXX -signedjar JSPrintS.jar JSPrint.jar printer

jarsigner -keystore vkeystore -storepass XXX -keypass XXX -signedjar jPDFPrintS.jar jPDFPrint.jar printer

JSPrint.jar contains the applet

edit 3

the applet definition is (located in JSPrint.jar)

package Eplatforms;

import java.net.URL;
import java.security.AccessController;

import javax.swing.JApplet;
import java.awt.event.*;
import java.awt.*;

import com.XXX.pdfPrint.PDFPrint;

public class JSPrint extends JApplet implements ActionListener
....

jPDFPrint.jar is a third party jar

EDIT 4

I tried to minimize the problem a bit and I found out that when calling AccessControler.doPrivileged from a jar file (even signed one), I get the following exception:

Exception in thread "main" java.lang.NoClassDefFoundError: TestPrivileges$1
        at TestPrivileges.getAString(TestPrivileges.java:14)
        at TestPrivileges.main(TestPrivileges.java:7)
Caused by: java.lang.ClassNotFoundException: TestPrivileges$1
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)

Here is a testing class:

http://pastebin.com/EgmdwuqL

Notice that calling other methods doesn't raise this exception.

Here is how I compile and run it:

javac TestPrivileges.java
java TestPrivileges
jar cvf TestPrivileges.jar TestPrivileges.class
jarsigner -keystore vkeystore -storepass My0Company -keypass My0Company -signedjar TestPrivilegesS.jar TestPrivileges.jar printer
copy TestPrivilegesS.jar x /Y
copy TestPrivileges.jar x /Y
cd x
java -classpath TestPrivilegesS.jar TestPrivileges
java -classpath TestPrivileges.jar TestPrivileges
cd ..

A quick for vkeystore:

keytool -genkey -keystore vkeystore -keyalg rsa -dname "CN=MyCompany, OU=MyCompany, O=MyCompany, L=Atlanta, ST=GA,C=NL" -alias printer -validity 3600 -keypass My0Company -storepass My0Company

The first run works ok (probably because the class file is in the same directory). Then I create to archives, one signed and another unsigned. When I run them, I got those errors. Notice the jars are in a separate folder which contains only those jars and no class file.

Answer 1

I am with Andrew on this.

I've created an app that should help us find the code signing issue.

https://gist.github.com/2596125

(Since we don't want to Spam Andrew I've created this.)

With more information that finally came out it seems that you are not packing the TestPrivileges$1 class with the jar.

To fix this do this for jar packing:

jar cvf TestPrivileges.jar TestPrivileges.class TestPrivileges$1.class

Answer 2

New theory

The 3rd party Jar was already signed when it was signed it with your certificate. Now there are 2 lots of information on digital keys inside the Jar, which is confusing the JRE.

Either use the original Jar, as it was, or remove the digital signatures and sign it again with your own certificate.

Earlier answer

signer information does not match signer information of other classes in the same package

The actual error is because two jars are considered to be signed with different certificates, even I'm using the same certificate.

I suspect that the problem comes down to the part of the error/comment that I made bold.
Classes in the same package must be in the same Jar.