  1. JDK
  2. JDK-7099826

Should have JCE code signing certs in the JRE cacerts file


    • Bug
    • Resolution: Won't Fix
    • P3
    • None
    • 6u24
    • security-libs

      It looks like JRE6 update 22 and 23 would verify the issuer of the code signing
      certificate to display the publisher name in the Java dialogue.
      If the issuer does not exist in the trust store, the publisher
      is displayed as not verified (see below).

      JRE6U21 and lower versions do not perform any check hence the
      publisher name always appears.

      <image001.jpg>

      JRE6 update 24 and higher versions of JRE do not list the publisher at all
      if the issuer of the code signing certificate is not trusted (see below).
       
      <image002.jpg>

      JRE has the Entrust code signing CA cert included in the trust store so we
      do not see this problem with TruePass applets, but the issuer of the JCE code
      signing certificate is missing and hence we see the issue with toolkit jars.


      Imported the JCE root CA (attached) in JRE 6 U24 trust store and the publisher
      name appears... (see below). We can import the JCE root CA cert in JRE
      trust using java keytool

      C:\Program Files\Java\jre6\bin>keytool.exe -importcert -trustcacerts -file "C:\Program Files\Java\jre6\lib\security\JCERootCA.cer" -keystore "c:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit

      <image003.jpg>

      This looks like a bug in the JRE (should have JCE code signing certs in
      the JRE cacerts file) and do not think there is any workaround except
      documenting that when users see the dialogue with "unknown publisher"
      they should open the certificate and verify the following information
      in the certificate and check the "always trust content from this publisher" check box.
      Attached 2 screenshots for the information on the certificate details.
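
One way to guard the import step described in the report, as an added example that is not part of the original bug report: compare the certificate's SHA1 fingerprint with a value obtained out of band before adding it to cacerts, and keep a backup of the store. The paths and store password are the ones in the report's command; the alias and the expected fingerprint are placeholders.

```powershell
# Added example, not from the original report. Run from an elevated prompt.
$JreHome      = 'C:\Program Files\Java\jre6'             # path used in the report
$Keytool      = Join-Path $JreHome 'bin\keytool.exe'
$CertFile     = Join-Path $JreHome 'lib\security\JCERootCA.cer'
$Cacerts      = Join-Path $JreHome 'lib\security\cacerts'
$StorePass    = 'changeit'                               # store password used in the report
$Alias        = 'jcerootca'                              # hypothetical alias
$ExpectedSha1 = '<SHA1-FINGERPRINT-FROM-TRUSTED-SOURCE>' # placeholder, obtain out of band

function Get-NormalizedFingerprint([string]$Text) {
    # Strip separators and case so "aa:bb" and "AABB" compare equal.
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-CertSha1([string]$Path) {
    # keytool -printcert prints a line of the form "SHA1: AA:BB:..."
    $out = & $Keytool -printcert -file $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool -printcert failed: $out" }
    foreach ($line in $out) {
        if ("$line" -match 'SHA1:\s*([0-9A-Fa-f:]+)') {
            return Get-NormalizedFingerprint $Matches[1]
        }
    }
    throw 'No SHA1 fingerprint found in keytool output'
}

$expected = Get-NormalizedFingerprint $ExpectedSha1
if ($expected.Length -ne 40) { throw 'Set $ExpectedSha1 to the 40-hex-digit fingerprint first' }

$actual = Get-CertSha1 $CertFile
if ($actual -ne $expected) { throw "Fingerprint mismatch ($actual); not importing" }

# Stop if an entry already exists under this alias instead of touching it.
& $Keytool -list -alias $Alias -keystore $Cacerts -storepass $StorePass 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $Cacerts" }

# Keep a copy of the trust store so the change can be rolled back.
Copy-Item $Cacerts "$Cacerts.bak"

& $Keytool -importcert -noprompt -trustcacerts -alias $Alias `
    -file $CertFile -keystore $Cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }

# Show the stored entry so the fingerprint can be checked once more.
& $Keytool -list -v -alias $Alias -keystore $Cacerts -storepass $StorePass
```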

            Unassigned Unassigned
            tyao Ting-Yun Ingrid Yao (Inactive)