Steps to reproduce: run the signed applet on this page in Netscape 7
using Sun JRE 1.5 beta 1 (build 1.5.0-beta-b32c). The JAR file was created
and signed using Netscape signtool. The certificate used was a Netscape
Object Signing certificate a Thawte multipurpose certificate, as detailed at:
http://www.thawte.com/support/code/tech.html
Expected result: Signing should be accepted and the applet should report the user.home property.
Actual result: Signing is not accepted and the security exception is reported if the browser is Netscape 7 and the JRE is Sun 1.5 beta 1.
Error message: A dialog labeled "Warning - Security" appears with
the following message:
Certificate Not Verified
Code will be treated as unsigned.
The detailed report:
java.security.cert.CertificateException: Check signer key usage failed in
certificate
at
com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
at
com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
at
com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at
com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at
sun.plugin.security.PluginClassLoader.getPermissions(Unknown Source)
at
java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown
Source)
(... etc...)
A similar report of this problem on a Sun Forum:
http://forum.java.sun.com/thread.jsp?forum=63&thread=521509&start=0&range=15
has an error message that shares the same first 6 lines:
java.security.cert.CertificateException: Check signer key usage failed in
certificate
at
com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
at
com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
at
com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at
com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at
sun.plugin.extension.ExtensionInstallationImpl.verifyJar(Unknown Source)
at
sun.plugin.extension.ExtensionInstallationImpl.access$100(Unknown Source)
at
sun.plugin.extension.ExtensionInstallationImpl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
(... etc...)
Workaround: The signing may be accepted by JRE 1.5 beta 1 if Microsoft Internet Explorer
for Windows XP is used instead of Netscape (however one person using IE6
(6.0.2800.1106) on Windows2000 SP4 (5.00.2195) reports the signing problem in
that environment; it is not clear whether having accepted the certificate before
installing 1.5 beta 1 is relevant). The signing is accepted by JRE 1.4.x using
either Netscape of Internet Explorer. The problem is reported to occur with VeriSign
certificates as well as Thawte certificates:
http://forum.java.sun.com/thread.jsp?forum=63&thread=521509&start=0&range=15.
The problem is fixed as of the release version of JRE 1.5.
If you have any comments please
contact Mickey Segal. A listing of many Java resources is at this link.
import java.awt.*;
import java.applet.*;
public class SigningTest2 extends Applet {
public void init() {}
public void paint(Graphics g)
{
try
{
String userHome =
System.getProperty("user.home");
g.drawString("Signing worked. The
user.home property is: " + userHome, 10, 30);
}
catch (SecurityException e)
{
g.drawString("Signing didn't work.
The SecurityException is: " + e.getMessage(), 10, 10);
}
}
} // END OF Class SigningTest2