Problem description
The case: I am maintaining a Java applet which uses the BouncyCastle libraries bcpkix-jdk15on-149.jar, and bcprov-jdk15on-149.jar.
The problem is when the applet is run in a browser with JRE version 7_u40 enabled.
The behavior has changed from version 7_u25 in a way that it always prompts a modal window like "Security prompt for an app using a self-signed certificate" (which cannot be permanently hidden anymore), just to trust bcprov.
https://www.java.com/en/download/help/appsecuritydialogs.xml
As far as I know, this is because BC libraries are signed with the BouncyCastle certificate, issued by the "JCE Code Signing CA". Because of that, the lib can perform and act as a cryptography provider.
BUT: the JRE cannot build the certificate chain to trust the signature. It shows "provider : UNKNOWN"
I know I can remove that signature and sign by myself (I own a Thawte code sign certificate):
- it works with bcpkix lib
- it does not work with bcprov because it won't be considered as a valid cryptography provider (it won't be trusted by the JRE).
Am I right? What can I do?
PS: I googled a lot to find the JCA root cert (to put it into the JRE truststore), without success... Is there a way to grab that root CA?
After a lot of searching and some posts on the BC mailing list.... I found the solution, so I drop it here for others who may face that issue:
The solution is basically to sign the BC library a second time with my own certificate.
The JAR needs the JCA signature in order to be trusted as a cryptography provider, so do not remove it.
The JAR also needs (in addition) a code signature in order to be able to be run in the JVM (trusted by the JRE).
One last thing: some incompatibility happened with the signature technology:
- BC lib is signed using the SHA1 digest algorithm
- jarsigner (on my computer) is doing the signature with the SHA256 digest algorithm by default, which leads to a verification failure.
- So I had to ask jarsigner to do it the SHA1 way. (for some reason both signatures have to be consistent from that point of view)
Here is the magic parameter of the jarsigner command to add and make it happen: -digestalg SHA1
Sample command:
jarsigner -keystore ./mykeystore.jks -storepass myPass -digestalg SHA1 bcprov-jdk15on-149.jar myAlias
... and you're done!
The following post gave me the tip: What prevents Java from verifying signed jars with multiple signature algorithms (http://stackoverflow.com/questions/12614139/what-prevents-java-from-verifying-signed-jars-with-multiple-signature-algorithms)
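To check the result of the double signing described in the answer, here is an added example (not part of the original question or answer, and not BouncyCastle's or jarsigner's own code): a small Java program that lists the digest attribute names found in each META-INF/*.SF file of a JAR and the subject DN of every signer of a class entry. On a correctly double-signed bcprov it should report two .SF files that both use SHA1-Digest and two signer subjects; a SHA-256-Digest .SF next to a SHA1-Digest one is the mismatch the answer warns about. The class name JarSignatureCheck and the command-line argument (the JAR path) are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;
public class JarSignatureCheck {
  // Digest attribute names ("SHA1-Digest", "SHA-256-Digest", ...) used in one META-INF/*.SF file
  static Set<String> digestAlgorithms(JarFile jar, JarEntry sfEntry) throws IOException {
    Set<String> algs = new TreeSet<>();
    try (InputStream in = jar.getInputStream(sfEntry)) {
      Manifest sf = new Manifest(in);                 // .SF files use the manifest syntax
      for (Attributes attrs : sf.getEntries().values()) {
        for (Object key : attrs.keySet()) {
          String k = key.toString();
          if (k.endsWith("-Digest")) algs.add(k);
        }
      }
    }
    return algs;
  }
  // Subject DN of each signer of an entry. The entry must be read to the end first:
  // JarFile verifies the signatures, and fills in the code signers, while the bytes are read.
  static Set<String> signerSubjects(JarFile jar, JarEntry entry) throws IOException {
    try (InputStream in = jar.getInputStream(entry)) {
      byte[] buf = new byte[8192];
      while (in.read(buf) != -1) { /* consume; an invalid signature throws SecurityException here */ }
    }
    Set<String> subjects = new TreeSet<>();
    CodeSigner[] signers = entry.getCodeSigners();  // null when the entry is unsigned
    for (int i = 0; signers != null && i < signers.length; i++) {
      X509Certificate leaf = (X509Certificate) signers[i].getSignerCertPath().getCertificates().get(0);
      subjects.add(leaf.getSubjectX500Principal().getName());
    }
    return subjects;
  }
  public static void main(String[] args) throws IOException {
    try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures on read
      for (JarEntry e : Collections.list(jar.entries())) {
        String n = e.getName();
        if (n.startsWith("META-INF/") && n.endsWith(".SF")) {
          System.out.println(n + " digests: " + digestAlgorithms(jar, e));
        } else if (n.endsWith(".class")) {
          System.out.println(n + " signed by: " + signerSubjects(jar, e));
          break;   // signature files precede class entries, so one class is enough to list signers
        }
      }
    }
  }
}
```

Run it as `java JarSignatureCheck bcprov-jdk15on-149.jar`; a signature that does not verify surfaces as a SecurityException while the class entry is read, which is the same failure the JRE would hit when loading the provider.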