Java Web Start error when running signed jar with trusted certificates imported into cacerts keystore

Question

I used Netbeans IDE to sign my jars.

I signed my jar using a trusted certificate and in the Netbeans UI dialog, entered the keystore details and key alias.

Product Version: NetBeans IDE Dev (Build nbms-and-javadoc-482-on-20130914) Java: 1.7.0_25; Java HotSpot(TM) Client VM 23.25-b01 Runtime: Java(TM) SE Runtime Environment 1.7.0_25-b16

---

Running by clicking the jnlp file, I got a Keystore exception. I wondered if the user should manually import the certificates into the Java cacerts keystore as described here http://docs.oracle.com/javase/tutorial/security/sigcert/index.html#GenCSR

I did so and got "Certificate was added to keystore". password set by Oracle is: changeit. However when I double click on the JNLP file, I get a popup "runtime error. click for details". I do not get any stack trace. The Java console does not show any error as far as I can see, only several lines of 'CacheEntry'.

Why doesn't Web Start/JNLP do something like this so poor user doesn't have to mess around with keytool?

1) jar file contains the certificates in the chain.

2) have entries for the certificates in the JNLP file.

3) when user clicks on jnlp file, Java extracts the certificates and imports them into Java keystore and then runs program.

But more importantly, why isn't my program running? It used to run fine pre-Java 7.21 before they rejected self-signed jars.

UPDATE:

In Java Control Panel, I went to Advanced, and enabled traces for debugging and logging. In the Java console, I see

java.lang.SecurityException: invalid SHA1 signature file digest for org/bouncycastle/cert/jcajce/JcaX509CRLHolder.class
    at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source)    
    at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source)
    at sun.security.util.SignatureFileVerifier.process(Unknown Source)
    at java.util.jar.JarVerifier.processEntry(Unknown Source)
    at java.util.jar.JarVerifier.update(Unknown Source) 
    at java.util.jar.JarFile.initializeVerifier(Unknown Source)

I also see

ExitException[ 3]com.sun.deploy.net.FailedDownloadException: Unable to load resource: file:/C:/Users/me/Desktop/dist/lib/bcpkix-jdk15on-149.jar
    at sun.plugin2.applet.JNLP2Manager.downloadResources(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

I do see the bcpkix-jdk15on-149.jar in that location.

Answer 1

I am doing my build in NetBeans 7.4 which does not seem to allow extra flags to send to jarsigner. I found this What prevents Java from verifying signed jars with multiple signature algorithms

Using the tips in the newsgroup item, I unjarred each of the three BC jars: "C:\Program Files (x86)\Java\jdk1.7.0_40\bin\jar" xvf *.jar

Then I deleted the signature files in the META-INF folder, and rejarred them back up thus: "C:\Program Files (x86)\Java\jdk1.7.0_40\bin\jar" cmf META-INF\MANIFEST.MF bcpkix-jdk15on-149-mot.jar org

It runs but I was surprised to see this in the Java console:

Missing Codebase manifest attribute for: file:/C:/Users/me/Desktop/dist/lib/bcprov-ext-debug-jdk15on-149-mot.jar security: Validate the certificate chain using CertPath API basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms security: JAVAWS AppPolicy Permission requested for: file:/C:/Users/ me /Desktop/dist/lib/bcprov-ext-debug-jdk15on-149-mot.jar basic: JNLP2ClassLoader.getPermissions()

Based on http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html#permissions

I added attribute Permissions: all-permissions to the jars

"C:\Program Files (x86)\Java\jdk1.7.0_40\bin\jar" umf manifest.txt bcprov-ext-debug-jdk15on-149-mot.jar

Answer 2

WebVPN Java Plugins fail to load after upgrade to Java 7 Update 45 with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource:

Conditions: Windows or Mac OSX machines using Java 7 Update 45.

Workaround: 1) Disable the option 'Keep temporary files on my computer' on the Java Control Panel -> General -> Settings. This works for both Mac OSX and Windows.

2) Downgrade Java to version 7 Update 40 or below.

https://blogs.oracle.com/java-platform-group/entry/updated_security_baseline_7u45_impacts