Java 1.1 Plug-In, Signed Jars, and No Worky

Topher ZiCornell (zicornell@optivision.com)
Fri, 15 May 1998 00:33:00 -0700

From: Topher ZiCornell <zicornell@optivision.com>
To: "'java-security@java.sun.com'" <java-security@web1.javasoft.com>
Subject: Java 1.1 Plug-In, Signed Jars, and No Worky
Date: Fri, 15 May 1998 00:33:00 -0700

Hi there,

I am having trouble getting the Security Manager to trust me. I (believe
I) have followed all the tutorials, scoured all the documents I can find,
and it still throws a security exception in my face.

I have a simple model applet that spews a message (via a swing JLabel) and
presents a button (JButton). When the user presses the button, the applet
checks to see if win.ini exists. It uses File.exists() to check
(instantiating a File object with "C:\WinNT\win.ini").

I created the JAR using "zip -r0" of the compiled class files (2 files)
I created a trusted signing entity using: javakey -cs "Topher" true
(the javakey is from JDK 1.1.6)
I built a key pair using: javakey -gk "Topher" DSA 512 TopherPub TopherPriv
I generated a certificate using: javakey -gc TopherCert.dir
(the output was to Topher.x509 - I can send you the directive file if you
want)
I signed the jar file using: javakey -gs
/jdk1.1.6/lib/security/TopherSign.dir testhead.jar
(again, the dir file is available)
I copied my identitydb.obj with my signing identity to a safe place and
created a new identity in a new file: javakey -c "Topher" true
I imported my public key: javakey -ik "Topher" TopherPub
I imported my certification: javakey -ic "Topher" Topher.x509
I copied my new identitydb.obj file to C:\WinNT\profiles\Topher
I moved my testhead.jar.sig file to my http server and renamed it to
testhead.jar.

I went to the Java Plugged-In test web page with a Java Plugged-In browser
(NN or IE, doesn't matter) and when I pressed the button, the java console
spewed...
sun.applet.AppletSecurityException: checkread
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.SecurityException.<init>(Compiled Code)
at sun.applet.AppletSecurityException.<init>(Compiled Code)
at sun.applet.AppletSecurityException.<init>(Compiled Code)
at sun.applet.AppletSecurity.checkRead(Compiled Code)
at sun.applet.AppletSecurity.checkRead(Compiled Code)
at java.io.File.exists(Compiled Code)
at testhead.TestActor.checkSecurity(TestActor.java:49)
at testhead.TestActor.actionPerformed(TestActor.java:34)
at com.sun.java.swing.AbstractButton.fireActionPerformed(Compiled Code)
at
com.sun.java.swing.AbstractButton$ForwardActionEvents.actionPerformed(Ab
stractButton.java:896)
at com.sun.java.swing.DefaultButtonModel.fireActionPerformed(Compiled
Code)
at com.sun.java.swing.DefaultButtonModel.setPressed(Compiled Code)
at
com.sun.java.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicBut
tonListener.java:159)
at java.awt.Component.processMouseEvent(Compiled Code)
at java.awt.Component.processEvent(Compiled Code)
at java.awt.Container.processEvent(Compiled Code)
at java.awt.Component.dispatchEventImpl(Compiled Code)
at java.awt.Container.dispatchEventImpl(Compiled Code)
at java.awt.LightweightDispatcher.retargetMouseEvent(Compiled Code)
at java.awt.LightweightDispatcher.processMouseEvent(Compiled Code)
at java.awt.LightweightDispatcher.dispatchEvent(Compiled Code)
at java.awt.Container.dispatchEventImpl(Compiled Code)
at java.awt.EventDispatchThread.run(Compiled Code)

Where did I go wrong? If you would like to see the code, the directive
files, the batch file I use, my iddb.obj files, or anything else (well -
not _anything_ else...) I can send it ALL. (maniacal laughter)

Thank you for any tips or help you can give,
Topher

PS: When I gander the signed JAR file (using WinZip), I don't see any
META-INF directory - only my class files - but when I do a file compare on
the signed and unsigned jars, they are different.
[-T-]