Get rid of the "UNKNOWN" publisher from applet security warning

13
votes

I'm trying to sign an applet so that the publisher does not appear as "UNKNOWN" :

Applet security warning showing an "UNKNOWN" publisher

I work for an organisation and we have our own certification authority, certificate chain is the following : ORG Root CA > ORG Trusted Certification Authority > Yann39 (me :D)

I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.

Then I did the following to sign my applet :

/* TO KNOW THE ALIAS */
c:\testrep>keytool -list -storetype pkcs12 -keystore mystore.p12
Enter keystore password:  ********

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

id de yann39, Oct 24, 2012, keyEntry,
Certificate fingerprint (MD5): D7:E3:83:1D:C1:40:68:72:5F:A8:6F:AC:3A:EA:DD:47

/* CREATE FAKE CLASS FILE AND BUILD A JAR */
c:\testrep>echo test > test.class
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jar cf0 test_applet.jar test.class

/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
 updating: META-INF/MANIFEST.MF
   adding: META-INF/ID_DE_YA.SF
   adding: META-INF/ID_DE_YA.RSA
  signing: test.class

/* VERIFY THE SIGNATURE */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs test_applet.jar

         132 Wed Oct 24 17:49:52 CEST 2012 META-INF/MANIFEST.MF
         185 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.SF
        4801 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.RSA
           0 Wed Oct 24 17:48:36 CEST 2012 META-INF/
sm         0 Wed Oct 24 17:47:46 CEST 2012 test.class

      X.509, CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
      X.509, CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
      X.509, CN=ORG Root CA, DC=myorg, DC=ch


  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

c:\testrep>

Then I load the appled in my application using the following :

<object id="mytestapplet" width="0" height="0" style="position:absolute" type="application/x-java-applet">
<param name="archive" value="https://myhost.ch/rep/test_applet.jar">
<param name="code" value="test">
<param name="scriptable" value="true">
<param name="mayscript" value="no">
</object>

I read some posts like this one : How to sign java applet with .pfx file? and it seems I should get smi when verifying signed file from the jar, not only sm that means the certificate was not found in the keystore.

So I thought the certificate chain was not complete, but when running the following command, I saw that it was not the case :

c:\testrep>keytool -list -v -storetype pkcs12 -keystore mystore.p12
Enter keystore password:  ********

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: id  de yann39
Creation date: Oct 24, 2012
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
    DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Serial number: 12d21eb200200000a02b
Valid from: Mon Jun 25 14:16:00 CEST 2011 until: Wed Jun 24 14:16:00 CEST 2013
Certificate fingerprints:
         MD5:  D7:E3:83:1D:C1:41:78:72:5F:A8:6D:BD:3A:ED:DD:48
         SHA1: 24:31:1D:25:02:98:0D:F8:28:6A:F1:0E:E8:BB:04:7E:51:E2:E9:66
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 601fab4c000000000003
Valid from: Tue Oct 02 11:36:53 CEST 2006 until: Mon Oct 02 11:47:53 CEST 2016
Certificate fingerprints:
         MD5:  51:A1:EA:33:21:2C:71:60:A1:6F:F1:22:92:A8:51:8D
         SHA1: 66:CD:70:13:27:68:F3:C2:08:F3:BE:5F:BF:D4:17:BD:85:9D:10:65
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 7dc0d089138d1d804b2e68e21b947412
Valid from: Tue Oct 02 10:55:19 CEST 2006 until: Sat Oct 02 11:01:47 CEST 2026
Certificate fingerprints:
         MD5:  A2:CE:DC:7D:F5:60:D7:2C:5E:B5:29:74:9D:51:F9:49
         SHA1: DA:D8:7F:63:95:90:A2:E4:D4:1D:B9:48:FD:F4:C3:5C:FC:2B:B6:A3


*******************************************
*******************************************



c:\testrep>

The chain seems good.

But I still get the security warning with an "UNKNOWN" Publisher. Why ?

EDIT 25-OCT-2012

I forgot to say that it works using Internet Explorer ("Signature has been verified" and Publisher is "Yann39"), not using Chrome or Firefox.

I tried using a self-signed certificate :

keytool -genkey -alias myalias -storetype PKCS12 -keystore mykeystore.p12 -dname "cn=Yann39, ou=UN, o=ORG, st=Geneva, c=CH"
keytool -list -v -storetype pkcs12 -keystore mykeystore.p12
echo test > test.class
C:\oracle\dev10gr2\jdk\bin\jar cf0 myapplet.jar test.class
C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mykeystore.p12 myapplet.jar "myalias"
C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs myapplet.jar

It does not work neither in IE nor in Firefox or Chrome, normal.

I tried to add the 2 trusted certificates from my organisation but it failed :

keytool -import -alias "myalias_root" -file ORGRooTCA.crt -storetype pkcs12 -keystore mykeystore.p12
keytool -import -alias "myalias_auth" -file ORGTrustedCertificationAuthority.crt -storetype pkcs12 -keystore mykeystore.p12

with the error :

keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

I still don't understand why it says that the certificate was not found in the keystore (sm) when verifying the signature.

EDIT 02-NOV-2012

I finally got a reply from my Certification Authority. As code signing certificates are provided for test only (not officially supported in our organisation), they don't provide any help and they closed my ticket...

The 2 certificates ORG Root CA and ORG Trusted Certification Authority are trusted in the 3 browsers (IE, Firefox, Chrome). When running my applet I still get the expected result in IE :

But not in Firefox and Chrome :

Another strange thing is that as you see IE is referencing as “Name” the id of the <object> tag used in the HTML (applettest), while Firefox and Chrome are referencing the name of the main class (test).

What I think is that it is the same thing about the Publisher, IE is looking at the CN RDN (Yann39) while Firefox and Chrome are looking at the O RDN and cannot find one as it is not defined in my certificate.

If anyone has more information about how browsers check the certificates please share.

Thanks.

4
javasslappletcertificatesigning
Just a guess, but it's possible that the applet dialog uses the O= RDN of the certificate to display who the publisher is (that's what browsers do). If you control that CA, you could try to add O=Something to your Subject DN to see if it makes a difference.Bruno
Unfortunately I have no control over the CA, they simply provided me the PKCS12 file. As it works only using Internet Explorer maybe other browsers are looking for O= while IE doesn't care about it (as usual...) ? I added some information to my post.Yann39
jar verified. Oops! Missed that.Andrew Thompson
How is it going? Have you succeeded to verify the publisher?user592704
I have contacted my CA to get any help and to know if there could be any problem with the certificate they issued to me (as Bruno suggested, it seems strange that it does not contains the O= RDN.). I'm still waiting for a reply, I will update my post as soon as I get more information.Yann39

4 Answers

10
votes

If you have your own CA and sign applets with certificates issued by that CA, then you obviously need to add that CA's certificate to the list of trusted certificate authorities.

When running inside IE, the Java plugin seems to be able to use the system list of CA, so you just need to add your CA certificate to the system certificate storage (be sure to manually choose the certificate destination as a trusted CA during the import).

When running inside Chrome or Firefox, the Java plugin for some reason does not use system certificate storage, but only its own separate certificate storage. You will get the "insecure" security warning with "UNKNOWN" publisher when running applet in these browsers if the CA's certificate is not present in the Java plugin certificate storage, regardless of whether it is in the "trusted CA" system certificate storage.

To add a certificate to Java plugin storage:

  • open Java control panel
  • select "Security" tab
  • click "manage Certificates..." button
  • select "Signer CA" option in the "Certificate type" combo-box.
  • import your CA's certificate

The next time you use Chrome or Firefox to run your applet, you will have a normal "secure" security warning with the option to trust that applet forever.

2
votes

You need to add CA certificates (up to the root CA) to your p12 file before signing.

2
votes

The same strange "UNKNOWN" Message appeared when I changed my signing certificate. I imported the certificate of my signing keystore into cacerts (so that my self signed jar would be accepted), but the java cache held the old jarfile. Then when starting the "old" applet with the "new" certificate, a message similar to the one above appeared.

Solution: clear the java cache (via java control panel or javaws -uninstall).

This just in case someone (like myself) stumbles upon this Thread while searching for this Error Message.

1
votes

I tried to add the 2 trusted certificates from my organisation but it failed :

Emm... all seems quite unclear because you demo the signing process since certs import only...

I tried using a self-signed certificate It does not work neither in IE nor in Firefox or Chrome, normal. I tried to add the 2 trusted certificates from my organisation but it failed :

Of course, it failed. Because you cannot import certs to get chain for non-original keys. And coming back to your test case...

All I can see in your test case things like:

  • A) You gen maybe myalias or maybe myalias_root and myalias_auth key(s) - give more details here
  • B) You try to import ORGRooTCA and ORGTrustedCertificationAuthority
  • C) You try to sign a test jar

In step B You try to import 2 certs. So I must ask

  • Were the two certs generated by using myalias_root and
    myalias_auth CSR(s)?

If they weren't so I suppose you just skipped some steps as follows:

  • A) Gen myalias_root and myalias_auth key(s)
  • B) Gen CSR of myalias_root_root and myalias_auth
  • C) Gen certs ORGRooTCA and ORGTrustedCertificationAuthority by using myalias_root and
    myalias_auth CSR(s)
  • D) import the certs as ORGRooTCA and ORGTrustedCertificationAuthority to get chain
  • E) Try to sign a test jar

And once again...

I tried to add the 2 trusted certificates from my organisation but it failed :

As a result, I can advice you

  • A) Get not only certs from your organization but also its keystore keys the certs were generated of
  • B) Or gen your own keys and your own certs by following the previously mentioned ABCDE steps :)

I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.

You manually imported it and then you exported it as described here ?

OK... it is quite interesting. If you still sure all things in your pfx right :S still I re-play the your jarsigner using demo. So you sign the test_applet.jar as

/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
 updating: META-INF/MANIFEST.MF
   adding: META-INF/ID_DE_YA.SF
   adding: META-INF/ID_DE_YA.RSA
  signing: test.class

... it's pretty standard signing way but I want to point a little detail... I cannot see where jarsigner demands you to enter the "id de yann39" private key password :S ? All I can see you enter keystore password only ... Is the step skipped in your copy-paste version or jarsigner is really doesn't demand you to enter key password?

As a trial, I do recommend you to try sign your jar using -keypass arg as (see example)

jarsigner -keystore C:\working\mystore -storepass myspass
      -keypass dukekeypasswd MyJarFile.jar duke

For more details see how to use jarsigner docs...

I don't made any changes to the certificate, so yes I guess it is the original private key ? About your edit: yes I exported it as described in your link, but I used "backup all", not "backup" only, else I don't get the whole certificate chain in my .p12 file. About signing the .jar file, I don't skipped anything, jarsigner only ask me for the keystore password. I think keystore password and private key password are the same,

If you generated keys in your keystore with keytool you must know that keystore has its password and newly generated private key(s) should have its own password; So I suppose maybe something is missing here :S It would be interesting you A) import your pfx to IE and export it with IE as described here : since the "Yes export the private key" instructions + "Include all certificates in the certification path if possible"

P.S. Please comment if that was helpful