java version "1.3.0_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_02)
Java HotSpot(TM) Client VM (build 1.3.0_02, mixed mode)

I am opening this bug report to address an unresolved problem
that is reported in two other bug reports (4407689 and 4398868)
which are both now closed.

The problem was introduced in SDK version 1.3.01 and is specific
to the Plug-in.  Previous versions of the Plug-in used Internet
Explorer's certificate database in verifying signed jar files.
Beginning in 1.3.01, the Plug-in no longer uses IE's certificate
database but instead references the internal certificate database
maintained by the keytool.  This change effectively breaks any
existing applets that rely on the 1.3 Plug-in and certificates.

  Bug 4407689 is now Closed as "Will not be fixed" status with
the comment that "this is a feature change".  There is also
a comment that "it is possible to import cert into cacerts
for testing purpose" but there is no description of how this
is done.  I tried to use the keytool's "import" option but
this did not resolve the problem.

  Bug 4398868 is now Closed as "Fixed".  The explanation is:
"We have added a new error handling code in plug-in, so users
will have the option to continue the verification even if we
fail to verify the root CA."  I have no idea what this means.
Is it a flag of some sort than we must look at programmatically?
Is it a dialog that the plug-in automatically pops up when
the user downloads the signed applet?  Neither are acceptable
solutions.  What public release is this "fix" in?

Look, you guys broke a lot of deployed applets with a
point-release version of the SDK that is not backwardly compatible.
This problem is not resolved.  What do you plan to do about it?

Perhaps you could implement a parameter that is configurable from
the Plug-in control panel to force the Plug-in to look at the
IE certificates database.
(Review ID: 118503) 
======================================================================

Uninstall 1.3.0x and install 1.3.0 (if you can find it).
======================================================================

The issue is as stated: the signature verification has been changed in 1.3.0_01 to use the cert CA store comes with the JDK instead of IE because using the cert store in IE doesn't work for applets running in NS. The additional error handling code has been introduced in 1.3.1 to handle the unverifiable signature. This bug will not be fixed.

NULL 2001-04-19

Yes, hundreds of deployed applets are broken because of the 
way the new plugin verifies signatures.  This is 
unacceptable.  As well, the process for deploying a signed 
applet is now much more complex for the end user because 
they must manually import the certificate into the local 
keystore.  How is the end user supposed to accomplish 
that?  This is a terrible step backwards from 1.3.0-C.

I must agree that the current situation, and it's solution 
are unacceptable. End users should not be expected to 
perform direct security file manipulations. Furthermore, 
for our corporate intranet apps, we should not be expected 
to pay some other signing authority for the ability to run 
our own apps. I have just spent several days trying to 
track this problem down, and am aghast that there is no 
apparent documentation on the subject. 

Already we are getting support calls asking why our applets 
are crashing with security exceptions. What did you expect 
anyone using certificates to do when you implemented this 
non backwards compatible so called feature? Anyone who 
installs netscape 6 gets the 1.3.0_01 JVM by default now we 
have to tell them to uninstall and go back to their OLD 
browser.

so where can I find out how this new way works and can I 
make my own certificates?

In my opinion, this situation is a great drawback for 
professional software development.
The question is: If my applets are conform to 1.3.1, what 
changes will be introduced in JDK 1.4?
The back-compatibility was always a great advantage of Java.
Why weren't the users and developers warned or informed 
that there is a major change in signature verification?
Why wasn't a solution found analog to the "deprecated" flag 
in the API, so that the developer were informed that the 
current behaviour might change in a current version?

Many questions, but unfortunately too few answers.

I DON'T CARE ABOUT NETSCAPE COMPATIBILITY!

My user's use IE and I need to use IE's certificates.  This 
is stupid.  This is done without any warning, and you 
expect everyone to just accept it?  

Your as bad as Microsoft!

We have just run into the very same problem. I just cannot 
believe it.

YOU GUYS BREAK EXISTING CODE IN A MINOR-DOT VERSION WITHOUT 
ANY ADVANCE NOTICE AND WITHOUT ANY LEGITIMATE REASON!!!!

Why should a plug-in which is an IE ActiveX control care 
about NS? This is wrong argueing to the point where I start 
to believe that you made a deal with Verisign to sell 
signatures.

And then you close bugs so noone can vote...

AT this point our company must start considering using 
ActiveX (aka .NET) technology.

Just shaking head.

Hi all,

I feel this is a bit troublesome as the problem happens with certificates which are in the cacerts store 
already, I have a Thawte cert which behaves in the same manner, so clearly there is something amiss here.
What type of workaround is there for users of trusted certificates (whose applets should be verified by the 
default, as the correct roots are in the cacerts store)?

If anyone reads this and has experienced similar problems with Trusted certs, I would love to hear from you.

jasonb@thawte.com

Thanks

This should not be closed when it affects so many people 
without a decent solution. 

Hi Again,

This really needs to be resolved...

A new report(4447912) has been opened on this issue. Let's 
vote, before it is closed again.

It is actually documented in Release notes:
  http://java.sun.com/j2se/1.3/relnotes.html#plugin

I noticed this myself quite early, as I deploy an custom enterprise-CA issued
cert, and had to import the root CA cert into cacerts file, as described at:
    http://home.iSTAR.ca/~neutron/ImportCA/  and link:
    http://home.iSTAR.ca/~neutron/ImportCA/jre1.3/index.html

It is more awkward then importing root CA certs to either IE or Netscape
root CA databases, but can be done (awkwardly).

Also, with J2SE v1.4 beta, the Plugin documentation STILL seems to be
incorrect wrt resolution of the root CA certificate (indicates that the *browsers*
own sec-manager and associated root CA store is queried):
   http://www.javasoft.com/j2se/1.4/docs/guide/plugin/developer_guide/rsa_how.html#trust

 - Mitch Gallant
   http://home.istar.ca/~neutron/java.html

Yet another unhappy customer.  Waiting for a reasonable 
resolution ...

Help me solve this problem as I dont know what to do.
Is this the help we get from the new Super Giants???
Thank

When will you add a GUI certificate administration tool to 
your plug-in that allows uses to import certificates?

Telling a user to use keytool is unacceptable!

When will you add a GUI certificate administration tool to 
your plug-in that allows uses to import certificates?

Telling a user to use keytool is unacceptable!

This bug has to be re-opened and fixed immdly.  We cannot 
educate all end users on how to add the certificate to the 
cacerts file using keytool.

OK, I understand the reasons for wanting to make Java's 
security independant of the browsers, but you have to allow 
the Plug-In to install new certificates instead of using 
the command line.  Would it really be that difficult to 
have the Plug-In ask the user if they want to install the 
new certificate?  I think you guys should work really hard 
to have this feature in the very next version of the plug-
in, otherwise Java isn't going to be an options for many 
developers, and you'll lose to Microsoft's products.