20131118 (Monday, 18 November 2013)

(Checkin changes from Saturday)

Does Lino need a new name?

My wife and I were thinking about a logo for Lino (docs/tickets/94), and I noticed that I feel certain problems:

  • Resemblance with “Linux” (e.g. my non-programmer friends usually mix them up)
  • It is used by certain specialized products in printing technology (Linotronic, Linoprint)
  • Americans don’t know how to pronounce it
  • It is not easy to change a name, but I’d rather do it now than in 5 years.

… and oops: while surfing around I discovered that “Lino” is registered trademark of a German software company (http://www.lino.de).

Does that mean that Lino needs a new name? AFAICS this means only that they might ask us to change our name if they feel disturbed by the fact that we use the same name. As long as they don’t feel disturbed, there is no problem at all. And I can’t imagine that they would. And even if they would (who knows), then they would have to leave us a reasonable lapse of time to change our name.

Currently I think it is better to not change our name for the moment because

  • a few dozen people know and love Lino the framework, and many of them would be disappointed if we would change the name
  • there is no serious replacement candidate so far
  • it would cause quite some of work, and there are more important things to do

Started a new page /about/name. Comments are welcome.

The EIDReader applet fails on Sun Java

When trying to run The EIDReader applet applet on a Windows XP with Sun Java, I get the following exception:

java.lang.ExceptionInInitializerError
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
    at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getService(Unknown Source)
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    at java.security.Security.getImpl(Unknown Source)
    at java.security.AlgorithmParameters.getInstance(Unknown Source)
    at sun.security.x509.AlgorithmId.decodeParams(Unknown Source)
    at sun.security.x509.AlgorithmId.<init>(Unknown Source)
    at sun.security.x509.AlgorithmId.parse(Unknown Source)
    at sun.security.x509.X509Key.parse(Unknown Source)
    at sun.security.x509.CertificateX509Key.<init>(Unknown Source)
    at sun.security.x509.X509CertInfo.parse(Unknown Source)
    at sun.security.x509.X509CertInfo.<init>(Unknown Source)
    at sun.security.x509.X509CertImpl.parse(Unknown Source)
    at sun.security.x509.X509CertImpl.<init>(Unknown Source)
    at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
    at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
    at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at com.sun.deploy.security.RootCertStore$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.RootCertStore.loadCertStore(Unknown Source)
    at com.sun.deploy.security.RootCertStore.load(Unknown Source)
    at com.sun.deploy.security.RootCertStore.load(Unknown Source)
    at com.sun.deploy.security.ImmutableCertStore.load(Unknown Source)
    at com.sun.deploy.security.LazyRootStore.loadJREStore(Unknown Source)
    at com.sun.deploy.security.LazyRootStore.getTrustAnchors(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "loadLibrary.sunec")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkLink(Unknown Source)
    at java.lang.Runtime.loadLibrary0(Unknown Source)
    at java.lang.System.loadLibrary(Unknown Source)
    at sun.security.ec.SunEC$1.run(SunEC.java:60)
    at sun.security.ec.SunEC$1.run(SunEC.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ec.SunEC.<clinit>(SunEC.java:58)
    ... 69 more

I guess that it comes when the applet tries to load one of the third-party .jar files. Are they signed?

Trying to reproduce this problem locally on a Windows XP in a VirtualBox.

One problem was that the virtual machine doesn’t see any USB device at all. I solved that thanks to How To Use Host USB Device From Guest In VirtualBox Need to connect the read before starting the VM and add a USB filter in the VirtualBox settings.

Another problem was that Windows then didn’t find a suitable driver for this device. I googled for “windows omnikey smart card driver” and found the page http://www.hidglobal.com/drivers/16251 where I downloaded the first PCSC driver they suggested.

Uff, after over 2 hours of fiddling: now I can reproduce the problem! And its far beyond feierabend. The problem itself remains for tomorrow. Again, Java is causing me hours of frustrating work.

Confirmation : when in an applet i call a method which requires a client-side permission in the policy file, then it is not enough to ask my users to give that permission. That works only on OpenJDK (icedtea). But on Sun Java I must additionally wrap every such call into a construct like these:

AccessController.doPrivileged(new PrivilegedAction() {
  public Object run() { my code ... }
});

return (String) AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() { my code ... return X; }

Updated EIDREader.java accordingly. Now it reads already my Estonian eid card.

But trying to read my Belgian card gives a new error:

java.lang.SecurityException: trusted loader attempted to
load sandboxed resource from file:/t:/applets/eid-applet-service.jar

I added Trusted-Library: true to my Manifest.txt and re-signed. Now there’s neither an error message nor a result, nor any output to the Java console! The applet just exits and that’s all. This happens as soon as it calls TlvParser.parse() (which has been imported from be.fedict.eid.applet.service.impl.tlv.TlvParser.