How do I sign a Java applet with a .pfx file?

Posted 2024-10-31 18:19:54 · 1692 words · 0 views · 0 comments


I was trying to sign a jar applet archive with our company's .pfx certificate using this guide
(and a few others from the internet):
http://www.globalsign.com/support/ordering-guides/SignJavaCodeAppletsPFX.pdf

Everything seems to be fine, but when I try to run the applet through the browser I see that
'Publisher' is UNKNOWN (untrusted). And when I go to details I'm able to see the proper company
name and certificate vendor (GlobalSign). Why is it not properly displayed as known/trusted?

The one thing which looks suspicious to me is the output of the command
jarsigner -verify -verbose -certs Applet.jar:

  (...)
  sm      1936 Wed Apr 13 03:00:50 CEST 2011 org/my/Applet.class

  X.509, CN=CompanyName, O=CompanyName, L=Tilst, ST=ProperState, C=DK
  [certificate is valid from 18.02.10 14:58 to 18.02.13 14:58]

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

So it looks like 'k = at least one certificate was found in keystore' is missing
(should be smk and it is sm). Is it signed only partially? Or what?

Is it possible that the .pfx file given to me by GlobalSign is somehow wrong
or not enough to sign applets? For normal executables it was working just fine...

Any ideas? ;)

EDIT

@Jcs

It looks like you are totally right. I checked my PFX file with keytool and I get:

Your keystore contains 1 entry

Alias name: company_alias
Creation date: Apr 13, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:

So it looks like the chain is not complete.
I'm not sure if it matters, but there are also a few extensions, like for example:

#1: ObjectId: (some_numbers_here) Criticality=true
KeyUsage [
  DigitalSignature
]

#2: ObjectId: (some_numbers_here) Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: (some_numbers_here)
   accessLocation: URIName: http://secure.globalsign.net/cacert/ObjectSign.crt]
]
(...)

The question is: is my PFX file totally wrong, or do I somehow need to add the GlobalSign root to it?


Comments (2)

没有你我更好 2024-11-07 18:19:54


According to your post, it seems that there is only one certificate in the signature certificate chain. I verified an applet I signed (this applet works correctly in a browser):

(...)
sm      2419 Thu Mar 31 15:49:14 CEST 2011 org/xml/sax/helpers/XMLReaderFactory.class

      X.509, CN=Company Name, O=Company Name, L=Paris, ST=Ile de France, C=FR
      [certificate is valid from 8/4/10 2:00 AM to 8/4/12 1:59 AM]
      X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
      [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
      [KeyUsage extension does not support code signing]

(...)

We can see that there are 2 certificates in the chain, since my signing certificate has been issued by the Thawte Code Signing CA.

In your case, if there is only one certificate in the jarsigner output it may indicate that the intermediate CA is missing, and I hardly doubt that GlobalSign is directly issuing certificates from the root CA (which is in the Java trust store). Therefore, when the applet is loaded and the signatures are verified, the JVM is not able to rebuild a certificate chain between the signing certificate and the GlobalSign root CA, explaining the current behaviour.

Maybe the PFX file does not contain that intermediate CA. With OpenSSL you can check how many certificates are present:

[jcs@home:~/]$ openssl pkcs12 -in myfile.pfx

or with keytool:

[jcs@home:~/]$ keytool -list -v -storetype pkcs12 -keystore myfile.pfx
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: Aug 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2     <--  the chain length is here.
Certificate[1]:
(...)
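As an added example (it is not code from the post or from Jcs), the following Java program does by hand what the keytool and jarsigner checks above show, and goes one step further: it opens the .pfx as a PKCS12 KeyStore, prints the chain length stored with each private key, and then runs a PKIX path validation of that chain against the trust anchors in the JVM's own cacerts file, which is the check the applet loader performs before it reports a publisher as trusted. The file name and password are command-line arguments; the cacerts location under java.home and loading it with a null password are assumptions about a standard JDK layout.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/**
 * CheckPfxChain: open a PKCS#12 (.pfx) file, print the certificate chain stored
 * with each private key, and try to validate that chain against the JVM's own
 * trust store (cacerts). A chain of length 1 with no path to a trust anchor is
 * the "Publisher: UNKNOWN" situation from the question.
 *
 * Usage: java CheckPfxChain myfile.pfx pfx-password
 */
public class CheckPfxChain {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CheckPfxChain <file.pfx> <password>");
            System.exit(2);
        }
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            pfx.load(in, args[1].toCharArray());
        }

        for (String alias : Collections.list(pfx.aliases())) {
            if (!pfx.isKeyEntry(alias)) {
                continue; // only private-key entries carry a signing chain
            }
            Certificate[] chain = pfx.getCertificateChain(alias);
            System.out.println("Alias: " + alias + ", chain length: " + chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
            }
            if (chain.length == 1) {
                System.out.println("  only the end-entity certificate is present;"
                        + " the issuing (intermediate) CA is not in this .pfx");
            }
            System.out.println("  path to JVM trust anchors: " + validateAgainstCacerts(chain));
        }
    }

    /**
     * Builds a PKIX path from the given chain to the trust anchors in the JVM's
     * cacerts file. Returns "OK" or the validator's failure reason.
     */
    static String validateAgainstCacerts(Certificate[] chain) throws Exception {
        // Assumed standard JDK layout; a null password reads the certificates
        // without checking the keystore integrity MAC.
        String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacertsPath)) {
            cacerts.load(in, null);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(cacerts.aliases())) {
            Certificate c = cacerts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }

        // The path must not end in the trust anchor itself, so drop a trailing
        // self-signed root if the .pfx happens to carry one.
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            if (selfSigned && !path.isEmpty()) {
                break;
            }
            path.add(c);
        }

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check: chain building, not revocation
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            // Typically "Path does not chain with any of the trust anchors"
            // when the intermediate CA is missing from the .pfx.
            return "FAILED: " + e.getMessage();
        }
    }
}
```

A .pfx that contains only the end-entity certificate will print a chain length of 1 and a FAILED path; after re-exporting the .pfx with the intermediate CA included (as the accepted fix below describes), the chain length becomes 2 and the path validates, which is the same difference the k flag in jarsigner -verify shows.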

我恋#小黄人 2024-11-07 18:19:54


Thanks a lot to all, especially Jcs :)
I finally discovered that the .pfx file was just imported improperly.
I asked my boss to import it for me from scratch with all possible paths/chains/certificates included, and now it works :)
So if anyone has a similar problem, my advice is to try to get/import the certificate again
- it's rather a problem with the certificate itself than with the signing method.
