Author Topic: Error: Failed to validate certificate. The application will not be executed  (Read 8349 times)

Offline jesse

  • Newbie
  • *
  • Posts: 2
Hello everyone,

I have a code signed applet and just ran into an issue with a customer running Java 6u18 where they are presented with a dialog box saying: Failed to validate certificate. The application will not be executed.

The associated stack trace under details: http://pastebin.com/y81CzT2M

Looking around the issue seems to be that the DigitalSignature flag is not set in the KeyUsage section of the cert. (https://forums.oracle.com/forums/thread.jspa?threadID=2434846) and that versions of Java prior to 6u35 would not allow the applet to run without this flag.

I was able to reproduce the problem under 6u18 and have also verified that it has been fixed in 6u35. The customer is in a pretty locked down environment and is not able to upgrade the version of Java on the machine. Before I submit a support ticket just wanted to check with the community to see if you guys were aware of any work arounds.

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 664
    • Comodo Technical Support
Hello everyone,

I have a code signed applet and just ran into an issue with a customer running Java 6u18 where they are presented with a dialog box saying: Failed to validate certificate. The application will not be executed.

The associated stack trace under details: http://pastebin.com/y81CzT2M

Looking around the issue seems to be that the DigitalSignature flag is not set in the KeyUsage section of the cert. (https://forums.oracle.com/forums/thread.jspa?threadID=2434846) and that versions of Java prior to 6u35 would not allow the applet to run without this flag.

I was able to reproduce the problem under 6u18 and have also verified that it has been fixed in 6u35. The customer is in a pretty locked down environment and is not able to upgrade the version of Java on the machine. Before I submit a support ticket just wanted to check with the community to see if you guys were aware of any work arounds.

The keyUsage bit for digitalSignatures is on your certificate or else it wouldn't work with any signing application. The problem seems to stem from how Oracle is handling OCSP within the JRE. There is no known workaround at this time for us.

Java should be one of those packages that shouldn't be locked down from updating because of how vulnerable it is and it is probably best to keep that application as up to date as possible. (same goes for Flash)

Offline jesse

  • Newbie
  • *
  • Posts: 2
Thanks for the reply.

I have only learned just enough about code signing so I could sign this jar for a project so there are definitely gaps in my knowledge.

The link to the oracle forum mentioned the digital signature thing which was I brought it up. I did run:
Code: [Select]
keytool -list -v -alias "my alias" -keystore mykeystore.p12 -storetype pkcs12
I only saw the following in the KeyUsage section:
Code: [Select]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

When I respond to the customer I am definitely going to bring up the dangers of having out of date Java, particularly with the recently found exploit. I just wanted to make sure I understood what other options I had to figure this problem out.

 

Seo4Smf 2.0 © SmfMod.Com | Smf Destek