Unsigned JARs - MD5 Disabled

Get help with installation and configuration of OWS. Please post specific bug reports, pull requests, or source code extensions on github.
c.sottile
Posts: 14
Joined: 21 Jun 2021, 15:40

Unsigned JARs - MD5 Disabled

Post by c.sottile »

Hi all,

We have the following error message, an application jar library is marked as UNSIGNED:

Code: Select all

[ITW-CORE][2022-02-07 12:12:53.239 CET][ERROR][net.sourceforge.jnlp.AbstractLaunchHandler]
netx: Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.)
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:587)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:372)
	at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:70)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:654)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
	at net.sourceforge.jnlp.runtime.classloader.SecurityDelegateImpl.getClassLoaderSecurity(SecurityDelegateImpl.java:102)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.setSecurity(JNLPClassLoader.java:387)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:773)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.<init>(JNLPClassLoader.java:350)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.createInstance(JNLPClassLoader.java:423)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:579)
	... 3 more
[ITW-CORE][2022-02-07 12:12:53.240 CET][ERROR][net.sourceforge.jnlp.Launcher]
Launch exception
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:587)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:372)
	at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:70)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:654)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
	at net.sourceforge.jnlp.runtime.classloader.SecurityDelegateImpl.getClassLoaderSecurity(SecurityDelegateImpl.java:102)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.setSecurity(JNLPClassLoader.java:387)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:773)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.<init>(JNLPClassLoader.java:350)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.createInstance(JNLPClassLoader.java:423)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:579)
	... 3 more
The problem is due to the following jar:

Code: Select all

[ITW-CORE][2022-02-07 12:07:21.915 CET][DEBUG][net.sourceforge.jnlp.tools.JarCertVerifier] Jar found at C:\Users\{user}\.cache\icedtea-web\cache\0\5\gwt.jar has been verified as UNSIGNED
Manifest:

Code: Select all

Manifest-Version: 1.0
Permissions: all-permissions
Codebase: *
Created-By: yGuard Bytecode Obfuscator 2.5.2

Name: COM/legato/gwt/framework/LCommonActions$CascadeAction.class
MD5-Digest: YQ3YnucZeKEVB00dRgOZRA==
Digest-Algorithms: SHA-1, MD5
SHA-1-Digest: wQ4iee7crmm8Qnv3q9pVsvSPstE=
SHA-512-Digest: a6KU+gwPnX1VPP6VHV/UPIeV2oDVX9Vavn0Fe7ez4f+Lsau4XVmzQswc
 PZ77Sj3bUBC26Eqg0RlxsiwfYsoHnw==
...
The problem would seem to arise from the integrity checks. The algorithm used is MD5.

To make the application work we had to re-activate the MD5 algorithm in the java.security of our java distribution (zulu-8-u302-jre-fx).

From:

Code: Select all

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves
To:

Code: Select all

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves
In order not to lower our java distribution security level, is it possible "in some way" act on OWS configuration? Are there any other alternatives?

Looking forward to your reply, thank you

Carmelo

Janak Mulani
Posts: 725
Joined: 24 Mar 2020, 13:37

Re: Unsigned JARs - MD5 Disabled

Post by Janak Mulani »

n order not to lower our java distribution security level, is it possible "in some way" act on OWS configuration? Are there any other alternatives?
So you don't want to touch the security of your JRE but you still want to run the Jnlp app with MD5 signed jars with OWS using the same JRE?

Isn't it an option to sign the jar with something other than MD5?

If signing the jar is not an option for you then is running that Jnlp app with OWS without any security checks an option for you>

c.sottile
Posts: 14
Joined: 21 Jun 2021, 15:40

Re: Unsigned JARs - MD5 Disabled

Post by c.sottile »

That's right, we can't replace/upgrade the jar signature. The software is from third parties.

So, without lowering the jre security level, I would like to understand if it is possible to derogate starting from OWS configuration.

Thx

Janak Mulani
Posts: 725
Joined: 24 Mar 2020, 13:37

Re: Unsigned JARs - MD5 Disabled

Post by Janak Mulani »

If you cannot sign with non-MD5 certificate and you do not want to touch JVM security then the only option is to run this particular jnlp app with OWS such that OWS ignores certificate issues. This can be done by specifying the deployment property deployment.security.itw.ignorecertissues =true and running javaws with -nosecurity argument, i.e., javaws -nosecurity <jnlp file>

Post Reply