| Author |
Message |
![[Post New]](/templates/pheox/images/icon_minipost_new.gif) 12/04/2010 19:03:19
|
![[Up]](/templates/pheox/images/icon_up.gif)
#1
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Hi Tommy,
Since last time we discussed, I have decided to develop a personnalized ClassLoader for my applets.
In fact the new classloader loads all the jars needed for the applets in a subdirectory of the home directory of the user, then as needed it loads classes from this location.
Everything is working well except when i try to initialize the JCAPI with Security.addProvider(new JCAPIProvider()); then I get an error :
java.security.ProviderException: Verification of JCAPI JAR file integrity failed.
Reason: JAR file not signed by Pheox, Sweden.
I think that the problem doesn't come from the JCAPI.jar itself because when i use the jar without the new classloader (ie when i use the Java default classloader) there's no problem with the integrity.
I join to this post the file console.txt that contains the output of the console with the logging of JCAPI activated and the file InterbatLoader.java that contains the new personalized ClassLoader.
I'm sure that something is wrong with the classloader and i hope that you could help me.
Regards,
Igor
| Filename |
console.txt |
![[Disk]](/templates/pheox/images/icon_disk.gif)
Download
|
| Description |
No description given |
| Filesize |
27 Kbytes
|
| Downloaded: |
1324 time(s) |
| Filename |
InterbatLoader.java |
Download
|
| Description |
No description given |
| Filesize |
27 Kbytes
|
| Downloaded: |
911 time(s) |
|
|
|
 |
13/04/2010 21:36:31
|
#2
|
tommy
Visitor
Joined: May 30, 2005
Messages: 148
Offline
|
Hi Igor,
Nice to hear from you again.
The error message you get is actually generated by JCAPI, but I don't know exactly what triggers it yet. I've looked at your test code, but it's quite a lot of code here for me to filter out. Could you please help me out and create a small test applet which triggers this problem? I will try to get a fix for it a.s.a.p when I've gotten your new applet code.
Thanks.
Regards,
Tommy
|
|
|
|
14/04/2010 18:04:25
|
#3
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Hi Tommy,
I've made a simplier code for you.
I have removed all the parts that managed the download and cache of the jars.
I've joined to this post a zip file (pheox.zip) that contains 3 jars :
- JCAPI.jar signed with my certificate (in addition to yours) because for better deployment all the jars should be signed with the same certificate
- LaunchJCAPI.jar a small applet that contains only the line Security.addProvider(new JCAPIProvider());
- PheoxInterbatLoader.jar that contains the code of the classloader that launch the LaunchJCAPI applet
You can launch the PheoxInterbatLoader applet from any location but you'll have to store the 2 other jars in your C:\ directory. If you can't this can be configured in the Java Code of the PheoxInterbatLoader class.
I've made some research and i think that you use in the init code of the JCAPI the default system classloader (instead of the classloader of the JCAPIProvider class) to access to a ressource of the JCAPI.jar or that you you access a method of the JCAPIProvider classloader that i've forgotten to overload. That is just an idea i've had but perhaps it's something totally different.
Don't hesitate if you have more precisions to ask me.
Thanks.
Regards,
Igor
|
|
|
|
14/04/2010 22:13:55
|
#4
|
tommy
Visitor
Joined: May 30, 2005
Messages: 148
Offline
|
Hi Igor,
Thanks for your revised code.
I've managed to reproduce your problem. I'll start analyzing it immediately.
Regards,
Tommy
|
|
|
|
14/04/2010 23:18:37
|
#5
|
tommy
Visitor
Joined: May 30, 2005
Messages: 148
Offline
|
Hi Igor,
I've made a quick analysis and it seems like there's something wrong with your class loader. I'm not 100% sure that's the problem, but when JCAPI executes the following code to list all certificates stored in the JCAPI.jar file:
...
JarEntry je = (JarEntry)e.nextElement();
Certificate[] certs = je.getCertificates();
Then only 2 certificates are available, and both of them belongs to you:
Num of certs = 2
CERT 0:
[
[
Version: V3
Subject: EMAILADDRESS=technique@interbat.com, CN=Application Web Interbat, OU=Application Web Interbat, O=Interbat, L=Paris, ST=IDF, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 137794968023654729654789467242594964744389341626154165190545895723836858073154731430206825242767818974618019699399409500878261390076649357834576675795591879662431723076678174619371131704548131500588190149306154144697521599147653683846424392865284048700928506293411496325899032471567440472351825117843473823161
public exponent: 65537
Validity: [From: Fri Apr 10 12:30:24 CEST 2009,
To: Mon Apr 08 12:30:24 CEST 2019]
Issuer: EMAILADDRESS=casimir.decas@interbat.com, CN=Interbat CA, O=Interbat, L=Paris, ST=IDF, C=FR
SerialNumber: [ 0d]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 20 16 1E 45 61 73 79 2D 52 53 41 20 47 65 6E . ..Easy-RSA Gen
0010: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 erated Certifica
0020: 74 65 te
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 F4 9C 11 F7 CF 93 F4 CB 10 8B EC A1 42 53 91 .............BS.
0010: 83 85 D0 EF ....
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FA BD 5B 3A A7 D9 5D D8 86 7E 7E 10 D5 4E 71 73 ..[:..]......Nqs
0010: F0 39 46 A8 .9F.
]
[EMAILADDRESS=casimir.decas@interbat.com, CN=Interbat CA, O=Interbat, L=Paris, ST=IDF, C=FR]
SerialNumber: [ ec16f114 f868ca62]
]
[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
codeSigning
]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
]
[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 5B 84 57 C0 94 E6 60 D2 46 9F 31 DA 88 36 DD 72 [.W...`.F.1..6.r
0010: 53 04 D7 7C 45 8C 60 80 0A 96 8E C9 05 FF B7 42 S...E.`........B
0020: DA 20 C5 29 1B CE 11 C0 AF 43 0E B6 A2 42 4E 0B . .).....C...BN.
0030: D6 50 C5 35 21 10 DE 37 9B 22 DC 77 6E C1 B9 A3 .P.5!..7.".wn...
0040: 96 F7 79 E2 54 41 2F 8C D3 69 52 FC FB F9 EA 1F ..y.TA/..iR.....
0050: D8 6B D3 43 F8 D0 BB 7F CA 4D A5 9C D3 B4 56 9D .k.C.....M....V.
0060: 83 99 AC B5 E6 9E 2A 8B 5B 66 51 8C CF C6 78 A4 ......*.[fQ...x.
0070: 25 45 DE 8E AE B1 6C 48 F4 6F FA C2 E8 E9 03 9E %E....lH.o......
0080: 2F BA 60 FF 7C 7C 20 F9 1A 3C 39 6C 3E 15 05 E0 /.`... ..<9l>...
0090: 91 25 9F FA 9E BE B4 34 15 C0 B7 E1 CB 21 0F 35 .%.....4.....!.5
00A0: E0 44 65 C5 2B ED 16 3A BA 31 16 85 7A F6 13 8C .De.+..:.1..z...
00B0: 26 A6 F6 42 26 8B 45 1A E2 D3 D8 A6 E2 2E 56 3D &..B&.E.......V=
00C0: 54 04 30 49 37 09 E3 9C 4C 32 48 CE EE 87 3B 07 T.0I7...L2H...;.
00D0: FC CF 07 0F C2 30 8B 2A 23 6A CD 03 68 F9 9A B1 .....0.*#j..h...
00E0: A0 70 FB 0D 03 F1 5C 0F E9 3E F6 04 24 2D 0B 34 .p....\..>..$-.4
00F0: 4A CF B6 EB D5 9E B4 36 9E D1 47 BF BB B5 2A B9 J......6..G...*.
]
CERT 1:
[
[
Version: V3
Subject: EMAILADDRESS=casimir.decas@interbat.com, CN=Interbat CA, O=Interbat, L=Paris, ST=IDF, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 24570560223099051414204543992170098153143649582105705289426611388874102011106661774130245038825936745624863030777819730986290816616934747382375866595103414297055942806030583581459891083326424433096128168394346224841230165855413803095284803730643378113747100319783553432138634828447164503179253857131493950411701360412120600909505374247344391863776184615557429734119320752462998437855543897064456848638037419480717270100521579691476421494868198750470521422545178604885596575531566216587379464061306031714626747665417723221617820999176386791934000309987105699196521894058708727771599447283132509729669110241698133899241
public exponent: 65537
Validity: [From: Thu Jan 08 14:02:41 CET 2009,
To: Sun Jan 06 14:02:41 CET 2019]
Issuer: EMAILADDRESS=casimir.decas@interbat.com, CN=Interbat CA, O=Interbat, L=Paris, ST=IDF, C=FR
SerialNumber: [ ec16f114 f868ca62]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FA BD 5B 3A A7 D9 5D D8 86 7E 7E 10 D5 4E 71 73 ..[:..]......Nqs
0010: F0 39 46 A8 .9F.
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FA BD 5B 3A A7 D9 5D D8 86 7E 7E 10 D5 4E 71 73 ..[:..]......Nqs
0010: F0 39 46 A8 .9F.
]
[EMAILADDRESS=casimir.decas@interbat.com, CN=Interbat CA, O=Interbat, L=Paris, ST=IDF, C=FR]
SerialNumber: [ ec16f114 f868ca62]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 59 98 F6 8E 92 BC 5A 09 84 08 1A 99 32 8C A3 A3 Y.....Z.....2...
0010: AB 19 3B D7 8E 65 4E 56 09 18 82 85 A2 47 75 7B ..;..eNV.....Gu.
0020: 2E 1B 41 CA 12 D2 89 31 47 1E 71 1A 5D 15 3B 48 ..A....1G.q.].;H
0030: 5F 12 82 BF 46 00 05 EC C8 E8 F4 6E B3 B3 B1 C1 _...F......n....
0040: C1 90 06 D4 7E FA 2D C3 44 FD 60 2D F3 FD 9F 5B ......-.D.`-...[
0050: 9B 23 8D CE FD 47 20 C1 56 17 84 0C 5C B9 9B 1F .#...G .V...\...
0060: E2 DD B3 B3 88 B8 C7 43 8E 3F D2 61 08 B4 7E A5 .......C.?.a....
0070: C9 28 B2 31 B6 12 75 F3 51 49 27 E8 63 95 1E A4 .(.1..u.QI'.c...
0080: 2F FA 8B 17 08 B7 90 84 63 16 AA 49 91 32 AC 56 /.......c..I.2.V
0090: 66 C5 EB E5 9D B2 5D E0 15 BD 85 CA DC 1B 9C 9C f.....].........
00A0: 71 0C E6 30 FF 4F 34 8A F3 C7 60 49 CD 71 1E F2 q..0.O4...`I.q..
00B0: 95 CE EC 7A 0E 16 DB 12 73 E0 6F E3 65 D9 5E D5 ...z....s.o.e.^.
00C0: A4 1F CD CA 7D 92 91 AB A5 5F 94 43 6F 9B E5 91 ........._.Co...
00D0: 71 56 10 C2 9D 51 72 46 5E BD 3D D7 B2 64 74 F6 qV...QrF^.=..dt.
00E0: 3A CF 3D 2C E1 CF 03 5E 4B 92 3E 10 5F 64 B4 64 :.=,...^K.>._d.d
00F0: D3 F4 95 61 7F 23 0D 9F A3 01 77 0D 16 CB B5 E2 ...a.#....w.....
I might add that I saw this result on a JCAPI.jar file that was not signed by you i.e. it's not the same as you included in your zip file.
I'll look further into this tomorrow to see if I can find the root cause for it.
Regards
Tommy |
|
|
|
15/04/2010 11:35:09
|
#6
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Hi Tommy,
Indeed that's strange : when you list the certificates of a JarFile that is not signed by me you get 2 certificates that belongs to me.
I think that when you try to get the JarFile JCAPI.jar then you get another JarFile that is signed by me.
I'm going to look at my code from my side but it will help me if you could tell me which method you use to access to the JCAPI.jar.
Thanks.
Regards,
Igor
|
|
|
|
15/04/2010 23:38:29
|
#7
|
tommy
Visitor
Joined: May 30, 2005
Messages: 148
Offline
|
Hi Igor,
The code I'm using for JAR file self integrity check is quite straight forward. This is how JCAPI gets the JarFile instance from through the class loader:
URL url = (URL)AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
CodeSource cs = JCAPIProvider.class.getProtectionDomain().getCodeSource();
return cs.getLocation();
}
});
url = url.getProtocol().equalsIgnoreCase("jar") ? url : new URL("jar:" + url.toString() + "!/");
JarFile jarFile = (JarFile)AccessController.doPrivileged(new PrivilegedExceptionAction() {
public Object run() throws Exception {
JarURLConnection conn = (JarURLConnection)url.openConnection();
conn.setUseCaches(false);
return conn.getJarFile();
}
});
System.out.println("JAR file name = " + jarFile.getName());
When I run the above code in JCAPI together with your example applet, the wrong JAR file name is returned:
JAR file name = C:\test\PheoxInterbatLoader.jar
I'm not an expert on class loaders, so I'm not really sure how to get the JCAPI.jar file using another approach than the current. Guess I have to read and test more.
Regards,
Tommy |
|
|
|
16/04/2010 13:16:29
|
#8
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Hi Tommy,
OK I understand the problem : when you use the method getProtectionDomain() you get the ProtectionDomain of the class JCAPIProvider that is an object that represents a domain name associated with a set of permissions that are given to the applet.
Then the getCodeSource() method gives you a Code Source object which is the equivalent to a sort of codebase that encapsulate not only the location (URL) but also the certificate chains that were used to verify signed code originating from that location (PheoxInterbatLoader).
Here i am the signer of the applet and the location associated with the CodeSource object is the location of the class whose certificates are used to make the verification.
Your code will work as soon as you're the only signer of the class JCAPIProvider but because i'm cosigning your jar your signature is not verified by the JVM and the location of your jar is not stored in the CodeSource and the ProtectionDomain object.
Of course if i don't sign your jar the problem will disappear but the user will be asked to accept the signature of all the jars i'm using in my applets (the user will have to click in 7 or 8 dialog boxes).
I'm going to make some tests to see how you can get the location of your jar easily : i have several ideas such as using the getSigners() method (to direrectly get the signer certificate), the getPackage() method or the findResource method (with the name of the jar as an argument) of the Class object.
Regards,
Igor
|
|
|
|
16/04/2010 18:54:20
|
#9
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Hi Tommy,
I've worked on my side and you can stop searching a solution to my problem. Thanks to the code you wrote on your post i've managed to adapt mine to your implementation.
I've verified the solutions i told you before and the only thing that works was :
System.out.println("Jar file = "+JCAPIProvider.class.getClassLoader().getResource(JCAPIProvider.class.getCanonicalName().replace('.', '/')+".class"));
because the other methods returned null.
But after a good thinking i decided that i had to adapt to you and not the inverse.
So i managed to apply to good ProtectionDomain to the class i defined but another problem has appeared : i couldn't defined the good package for the class. So i made an hybrid code between my classloader and Java's URLClassLoader and i managed to pass the JCAPI initialization.
I've also verified that my classloader was compatible with Bouncycastle (another Provider) and with your plugins.
For your curiosity i've joined to this post the new jars that worked.
Thanks for your help.
Regards,
Igor
| Filename |
LaunchJCAPI.jar |
Download
|
| Description |
No description given |
| Filesize |
5 Kbytes
|
| Downloaded: |
647 time(s) |
| Filename |
PheoxInterbatLoader.jar |
Download
|
| Description |
No description given |
| Filesize |
10 Kbytes
|
| Downloaded: |
630 time(s) |
|
|
|
|
18/04/2010 19:52:21
|
#10
|
tommy
Visitor
Joined: May 30, 2005
Messages: 148
Offline
|
Hi Igor,
Qui quaerit invenit.
Very good. You saved me some time here.
Would it be possible to get the source code for your class loader test applet? You don't have to do it, but it would be nice to have a solution available if some other people would stumble into the same problem. Re-inventing the wheel is a nasty bitch.
Thanks.
Regards,
Tommy
|
|
|
|
19/04/2010 11:43:22
|
#11
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Hi Tommy,
Of course no problem I've also published it on www.codes-sources.com.
What "Qui quaerit invenit" means I'm not used with this language (latin ?).
Regards,
Igor
| Filename |
InterbatLoader.java |
Download
|
| Description |
No description given |
| Filesize |
30 Kbytes
|
| Downloaded: |
685 time(s) |
|
|
|
|
19/04/2010 14:30:22
|
#12
|
tommy
Visitor
Joined: May 30, 2005
Messages: 148
Offline
|
Hi Igor,
Thanks for the code. It's much appreciated.
"Qui quaerit invenit" is latin and means "The one who search, will find". I think it fits rather well into this 
Regards,
Tommy |
|
|
|
19/04/2010 18:26:50
|
#13
|
igor.conti
Visitor
Joined: Sep 25, 2009
Messages: 40
Offline
|
Indeed !!!
That's cool.
See you next problem (I hope not but we all know computers and Murphy's law).
Regards,
Igor
|
|
|
|
|
|
![[Search]](/templates/pheox/images/icon_mini_search.gif){kind=icon}
![[Recent Topics]](/templates/pheox/images/icon_mini_recentTopics.gif){kind=icon}
![[Groups]](/templates/pheox/images/icon_mini_groups.gif){kind=icon}
![[Register]](/templates/pheox/images/icon_mini_register.gif){kind=icon}
![[Login]](/templates/pheox/images/icon_mini_login.gif){kind=icon}
