Fernando Karnagi’s Weblog

Extended Key Usage Issue – Applet JAR Signer

Posted in Java, Portal by fernandokarnagi on January 29, 2009

Hi Folks,

Last time I found a problem when trying to access my applet from a web site. The problem was the message “The publisher cannot be verified by a trusted source. Code will be treated as unsigned”, with the exception “sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing”.

After troubleshooting and doing some analysis, I finally found the root cause of it.

Cause:

http://www.docjar.com/html/api/sun/security/validator/EndEntityChecker.java.html

This site shows the actual Java code that throws this exception.


This means that the Extended Key Usage extension of the certificate used to sign this applet JAR does not permit code signing.

References:

http://tools.ietf.org/html/rfc2459#section-4.2.1.13

This site (section 4.2.1.13 Extended key usage field) explains the extended key usage.

This extension may, at the option of the certificate issuer, be either critical or non-critical. If the extension is flagged critical, then the certificate MUST be used only for one of the purposes indicated. If the extension is flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. It is an advisory field and does not imply that usage of the key is restricted by the certification authority to the purpose indicated. Certificate using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application.

If a certificate contains both a critical key usage field and a critical extended key usage field, then both fields MUST be processed independently and the certificate MUST only be used for a purpose consistent with both fields.  If there is no purpose consistent with both fields, then the certificate MUST NOT be used for any purpose.

The following key usage purposes are defined by this profile:

id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

id-kp-serverAuth              OBJECT IDENTIFIER ::=   {id-kp 1}
-- TLS Web server authentication
-- Key usage bits that may be consistent: digitalSignature,
--                         keyEncipherment or keyAgreement

id-kp-clientAuth              OBJECT IDENTIFIER ::=   {id-kp 2}
-- TLS Web client authentication
-- Key usage bits that may be consistent: digitalSignature and/or
--                            keyAgreement

id-kp-codeSigning             OBJECT IDENTIFIER ::=   {id-kp 3}
-- Signing of downloadable executable code
-- Key usage bits that may be consistent: digitalSignature

id-kp-emailProtection         OBJECT IDENTIFIER ::=   {id-kp 4}
-- E-mail protection
-- Key usage bits that may be consistent: digitalSignature,
--                         nonRepudiation, and/or (keyEncipherment
--                         or keyAgreement)

id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
-- Binding the hash of an object to a time from an agreed-upon time
-- source. Key usage bits that may be consistent: digitalSignature,
--       nonRepudiation

Solutions:

Re-create the certificate with an Extended Key Usage that permits code signing (id-kp-codeSigning).
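
A pre-flight check for the re-created certificate, as an added example that is not code from this post or from the JDK: it reads the signer certificate and reports whether its key usage and extended key usage would allow code signing. The class name, the file argument and the choice to accept a missing EKU extension or anyExtendedKeyUsage are assumptions of this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

// Added example (hypothetical class name): check a certificate before signing a JAR with it.
public class CodeSigningEkuCheck {
    static final String EKU_EXTENSION    = "2.5.29.37";         // extendedKeyUsage extension OID
    static final String EKU_ANY          = "2.5.29.37.0";       // anyExtendedKeyUsage
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning = { id-kp 3 }

    /** Returns null when the certificate may be used for code signing, otherwise the reason. */
    static String codeSigningProblem(X509Certificate cert) throws Exception {
        // Key usage: when the extension is present, bit 0 (digitalSignature) must be set.
        boolean[] ku = cert.getKeyUsage();               // null when the extension is absent
        if (ku != null && !(ku.length > 0 && ku[0])) {
            return "KeyUsage is present but does not include digitalSignature";
        }
        // Extended key usage: list of purpose OIDs, null when the extension is absent.
        List<String> eku = cert.getExtendedKeyUsage();
        if (eku == null) {
            return null; // assumption: no EKU extension means no purpose restriction
        }
        if (eku.contains(EKU_CODE_SIGNING) || eku.contains(EKU_ANY)) {
            return null;
        }
        return "ExtendedKeyUsage " + eku + " does not include " + EKU_CODE_SIGNING;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: signer certificate in DER or PEM form, e.g. exported from the
        // signing keystore with: keytool -exportcert -rfc -alias <alias> -keystore <ks> -file signer.pem
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            Set<String> critical = cert.getCriticalExtensionOIDs();
            boolean ekuCritical = critical != null && critical.contains(EKU_EXTENSION);
            String problem = codeSigningProblem(cert);
            System.out.println("Subject:      " + cert.getSubjectX500Principal());
            System.out.println("EKU OIDs:     " + cert.getExtendedKeyUsage());
            System.out.println("EKU critical: " + ekuCritical);
            System.out.println(problem == null ? "OK for code signing" : "NOT usable: " + problem);
            if (problem != null) System.exit(1);
        }
    }
}
```

Run it against the old certificate first: a certificate issued only for serverAuth or clientAuth lists those OIDs and fails the check, which matches the exception above.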
