webstart problem

[Jiri Vanek]

Hi!

I have cheked the issue and I'm afraid it is not in IcedTea-Web but in BounceCastle extension.
IcedTea-Web do not allow broken certificates, but it seems that fio's BounceCastle's is expired.

output from jarsigner is broken  for fio's BounceCastle jar and (little bit for  latest official 
release too ;) ):

[jvanek at jvanek dta]$ jarsigner --verify signer_client.jar
jar verified.
[jvanek at jvanek dta]$ jarsigner --verify bcprov-jdk15on-148.jar
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
[jvanek at jvanek dta]$ jarsigner --verify bcprov-jdk16-146.jar
jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is not validated.


You can see taht fio's one is expired. Thats why IcedTea-Web is rejecting it. And thats also why 
your java command have worked - because it do not verify certificates.


For to-be-sure  I have cc'd bounce castle too, and you should contact fio support again.

I have successfully run your signing app with selfsigned (on my own) bcprov-jdk16-146.jar on my 
local server so I believe my conclusions are correct.
If issues remian, I will cc dev-crypto-request at bouncycastle.org to get some more information from them.


J.
On 03/22/2013 05:04 PM, kapetr at mizera.cz wrote:
> Hello,
>
> it fails launching/running  this:
> https://www.fio.cz/apps/fiosign.php
>
> It is signing app for internet banking.
>
> I use IcedTea-plugin/netx/... ver. 1.2.2 in Ubuntu 12.04 64b.
>
> The stderr log is in attachment.
>
> Running the downloaded app works:
>
> wget -N http://www.fio.cz/apps/signer_client.jar
> wget -N http://www.fio.cz/apps/bcprov-jdk16-146.jar
>
> java -cp bcprov-jdk16-146.jar:signer_client.jar cz.fio.signer.client.gui.Main
>
> The bank support sees problem in icedTea webstart support of Log4J and JAXB.
>
> Could please someone check this ?
> I do not understand Java things at all. I'm just user.
>
> --kapetr