20131230 (Monday, 30 December 2013)

More tests with The EIDReader applet

Since there are chances that signing or not wasn’t the reason of our problem, I tried whether it is possible to get it running using non signed applets.

The public test page didn’t work until now because I didn’t dare to include third-party .jar files to the github repository.

  • Updated Makefile to no longer sign anything.

  • Fixed some bugs in get_jars.sh and used that script for the first time on a public server.

  • Added the following lines to my .java.policy file:

    grant codeBase "http://test-eidreader.lino-framework.org/-" {
      permission java.security.AllPermission;
    };
    

Observations on Ubuntu & IcedTea

  • the application starts and gets permission to initialize

  • the application is very slow

  • it says the expected error messages when there is no card reader, or a card reader with no card inserted,

  • Acturally reading a card does not work

  • Reading an Estonian card gives:

    It's an Estonian card
    WebConsolePanel open failed. timeout: Connection timeout. Check the Error Console on both ends for potential error messages. Reopen the Web Console to try again.
    java.lang.RuntimeException: Error code: 27013
            at src.eidreader.EstEIDUtil.sendCommand(EIDReader.java:90)
            at src.eidreader.PersonalFile.extractField(EIDReader.java:147)
            at src.eidreader.PersonalFile.init(EIDReader.java:142)
            at src.eidreader.PersonalFile.<init>(EIDReader.java:124)
            at src.eidreader.EIDReader$2.run(EIDReader.java:462)
            at src.eidreader.EIDReader$2.run(EIDReader.java:431)
            at java.security.AccessController.doPrivileged(Native Method)
            at src.eidreader.EIDReader.readCard(EIDReader.java:431)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:606)
            at sun.applet.PluginAppletSecurityContext$4.run(PluginAppletSecurityContext.java:670)
            at java.security.AccessController.doPrivileged(Native Method)
            at sun.applet.PluginAppletSecurityContext.handleMessage(PluginAppletSecurityContext.java:667)
            at sun.applet.AppletSecurityContextManager.handleMessage(AppletSecurityContextManager.java:70)
            at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:235)
            at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:79)
    
  • Reading a Belgian card gives:

    java version "1.7.0_25"
    OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.12.10.2)
    OpenJDK Server VM (build 23.7-b01, mixed mode)
    EIDReader initialized
    EIDReader.readCard()
    Protocol: T=0
    It's a Belgian card
    BelgianReader() constructor started
    identityData has been read
    

Observationson a Windows XP client and Oracle JRE

Even with the least secure configuration the applet didn’t get permission to initialize:

security: Found unsigned entry: src/eidreader/EIDReader$1.class
basic: exception: Found unsigned entry in resource: http://test-eidreader.lino-framework.org/EIDReader.jar.
ExitException[ 3]com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: http://test-eidreader.lino-framework.org/EIDReader.jar
        at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
        at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
        at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Conclusion

It seems that in practice it is no longer possible to deploy applets without having purchased a code signing certificate. Congratulations to the corporation who successfully use their leading market position to earn more money.

Public test page

I installed signed .jar files on the public test page (manually, without putting them to the GitHub repository) so that I can invite other people to test whether the applet works on their client.