4
votes

I was trying to sign a jar applet archive with our company .pfx certificate using this guide
(and a few others from the internet):
http://www.globalsign.com/support/ordering-guides/SignJavaCodeAppletsPFX.pdf

Everything seems to be fine, but when I try to run the applet through the browser I see that
'Publisher' is UNKNOWN (untrusted). And when I go to details I'm able to see the proper company
name and certificate vendor (GlobalSign). Why isn't it properly displayed as known/trusted?

The one thing which looks suspicious to me is the output of the command
jarsigner -verify -verbose -certs Applet.jar:

  (...)
  sm      1936 Wed Apr 13 03:00:50 CEST 2011 org/my/Applet.class

  X.509, CN=CompanyName, O=CompanyName, L=Tilst, ST=ProperState, C=DK
  [certificate is valid from 18.02.10 14:58 to 18.02.13 14:58]

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

So it looks like 'k = at least one certificate was found in keystore' is missing
(it should be smk and it is sm). Is it signed only partially? Or what?

Is it possible that the .pfx file given to me by GlobalSign is somehow wrong
or not enough to sign applets? For normal executables it was working just fine...

Any ideas? ;)

EDIT

@Jcs

Looks like you are totally right. I checked my PFX file with keytool and I get:

Your keystore contains 1 entry

Alias name: company_alias
Creation date: Apr 13, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:

So it looks like the chain is not complete.
I'm not sure if it matters, but there are also a few extensions, for example:

#1: ObjectId: (some_numbers_here) Criticality=true
KeyUsage [
  DigitalSignature
]

#2: ObjectId: (some_numbers_here) Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: (some_numbers_here)
   accessLocation: URIName: http://secure.globalsign.net/cacert/ObjectSign.crt]
]
(...)

Question is: is my PFX file totally wrong, or do I somehow need to add the GlobalSign root to it?

2
Could not be bothered downloading the guide, but did you create the 'pfx' (which I've never heard of) certificate? - Andrew Thompson
.pfx is a kind of PKCS #12 file, the same as for example .p12. This .pfx file I get from our other project (C++), for which it's working properly. - Piotr Kukielka
That does not answer my question, which I'll repeat: "did you create the 'pfx' ... certificate?" - Andrew Thompson
No, I didn't create the pfx certificate myself. The *.pfx file we get directly from GlobalSign. - Piotr Kukielka
Yes, you should add 2 certificates into the PFX file: the GlobalSign ObjectSign CA (secure.globalsign.net/cacert/ObjectSign.crt) and the GlobalSign Primary Object Publishing CA (secure.globalsign.net/cacert/PrimObject.crt). The latter is signed by the GlobalSign Root CA (which does not need to be included). - Jcs

2 Answers

2
votes

According to your post, it seems that there is only one certificate in the signature certificate chain. I verified an applet I signed (this applet works correctly in a browser):

(...)
sm      2419 Thu Mar 31 15:49:14 CEST 2011 org/xml/sax/helpers/XMLReaderFactory.class

      X.509, CN=Company Name, O=Company Name, L=Paris, ST=Ile de France, C=FR
      [certificate is valid from 8/4/10 2:00 AM to 8/4/12 1:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      [KeyUsage extension does not support code signing]

(...)

We can see that there are 2 certificates in the chain since my signing certificate has been issued by the Thawte Code Signing CA.

In your case, if there is only one certificate in the jarsigner output it may indicate that the intermediate CA is missing, and I hardly doubt that GlobalSign is directly issuing certificates from the root CA (which is in the Java trust store). Therefore, when the applet is loaded and the signatures are verified, the JVM is not able to rebuild a certificate chain between the signing certificate and the GlobalSign root CA, explaining the current behaviour.

Maybe the PFX file does not contain that intermediate CA. With OpenSSL you can check how many certificates are present:

[jcs@home:~/]$ openssl pkcs12 -in myfile.pfx

or with keytool

[jcs@home:~/]$ keytool -list -v -storetype pkcs12 -keystore myfile.pfx
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: Aug 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2     <--  the chain length is here.
Certificate[1]:
(...)
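The incomplete-chain check described in this answer, carried through end to end as an added example (not code from the answer or from GlobalSign): it counts the certificates in a .pfx with openssl, shows that the leaf cannot be verified against the root when the intermediate is absent, and re-exports the file with the intermediate included. It assumes openssl is on PATH and builds a throwaway root/intermediate/leaf chain in place of the real GlobalSign chain.

```shell
#!/bin/sh
# Added example, not from the original post: count the certificates a PKCS#12 (.pfx)
# carries, check whether the leaf chains to a root, and re-export with the intermediate.
# Assumes openssl on PATH; the root/intermediate/leaf chain is constructed for the demo.
set -e
# Number of certificates in the PFX (leaf + intermediates). 1 is the incomplete-chain
# case from the question's keytool output; 2 or more means intermediates are present.
pfx_chain_length() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c '^-----BEGIN CERTIFICATE-----'
}
# Does the leaf chain up to root $3 using only what the PFX carries? This is the
# chain-building step the JVM performs when the applet loads.
pfx_leaf_verifies() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null > "$1.leaf.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null > "$1.ca.pem"
  untrusted=""; [ -s "$1.ca.pem" ] && untrusted="-untrusted $1.ca.pem"
  openssl verify -CAfile "$3" $untrusted "$1.leaf.pem" >/dev/null 2>&1
}
# Re-export the PFX with the leaf plus the intermediate PEM files passed as extra
# arguments (for the question: ObjectSign.crt and PrimObject.crt, converted to PEM).
rebuild_pfx_with_chain() {
  in="$1"; pass="$2"; out="$3"; shift 3
  cat "$@" > "$out.chain.pem"
  openssl pkcs12 -in "$in" -passin "pass:$pass" -nocerts -nodes -out "$out.key.pem" 2>/dev/null
  openssl pkcs12 -in "$in" -passin "pass:$pass" -nokeys -clcerts -out "$out.leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$out.key.pem" -in "$out.leaf.pem" \
    -certfile "$out.chain.pem" -passout "pass:$pass" -out "$out"
  rm -f "$out.key.pem" "$out.leaf.pem" "$out.chain.pem"
}
# Constructed demo chain (1-day validity) and a PFX holding only the leaf, which
# reproduces the "Certificate chain length: 1" situation. Works in a temp directory.
make_demo_chain() {
  cd "$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoRoot -days 1 \
    -keyout root.key -out root.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
    -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=DemoLeaf -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
    -out leaf.pem 2>/dev/null
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -passout pass:demo -out broken.pfx
}

make_demo_chain
echo "broken.pfx: chain length $(pfx_chain_length broken.pfx demo)"   # 1, like the question
rebuild_pfx_with_chain broken.pfx demo fixed.pfx int.pem
echo "fixed.pfx: chain length $(pfx_chain_length fixed.pfx demo)"     # 2, like the answer
```

With a real GlobalSign file, the intermediate .crt downloads would first be converted with `openssl x509 -inform DER -in ObjectSign.crt -out ObjectSign.pem` before being passed to rebuild_pfx_with_chain.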
0
votes

Thanks a lot to all, especially Jcs :)
I finally discovered that the .pfx file was just imported improperly.
I asked my boss to import it for me from scratch with all possible paths/chains/certificates included, and now it works :)
So if anyone has a similar problem, my advice is to try to get/import the certificate again
- it's rather a problem with the certificate itself than with the signing method.