20131230 (Monday, 30 December 2013)
More tests with eidreader
Since there is a chance that signing or not signing wasn’t the cause of our problem, I tested whether it is possible to get it running using unsigned applets.
The public test page didn’t work until now because I didn’t dare to include third-party .jar files in the GitHub repository.
Updated Makefile to no longer sign anything.
Fixed some bugs in get_jars.sh and used that script for the first time on a public server.
Added the following lines to my .java.policy file:
grant codeBase "http://test-eidreader.lino-framework.org/-" { permission java.security.AllPermission; };
Observations on Ubuntu & IcedTea
the application starts and gets permission to initialize
the application is very slow
it says the expected error messages when there is no card reader, or a card reader with no card inserted
Actually reading a card does not work
Reading an Estonian card gives:
It's an Estonian card
WebConsolePanel open failed. timeout: Connection timeout. Check the Error Console on both ends for potential error messages. Reopen the Web Console to try again.
java.lang.RuntimeException: Error code: 27013
at src.eidreader.EstEIDUtil.sendCommand(EIDReader.java:90)
at src.eidreader.PersonalFile.extractField(EIDReader.java:147)
at src.eidreader.PersonalFile.init(EIDReader.java:142)
at src.eidreader.PersonalFile.<init>(EIDReader.java:124)
at src.eidreader.EIDReader$2.run(EIDReader.java:462)
at src.eidreader.EIDReader$2.run(EIDReader.java:431)
at java.security.AccessController.doPrivileged(Native Method)
at src.eidreader.EIDReader.readCard(EIDReader.java:431)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at sun.applet.PluginAppletSecurityContext$4.run(PluginAppletSecurityContext.java:670)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.PluginAppletSecurityContext.handleMessage(PluginAppletSecurityContext.java:667)
at sun.applet.AppletSecurityContextManager.handleMessage(AppletSecurityContextManager.java:70)
at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:235)
at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:79)
Reading a Belgian card gives:
java version "1.7.0_25"
OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.12.10.2)
OpenJDK Server VM (build 23.7-b01, mixed mode)
EIDReader initialized
EIDReader.readCard()
Protocol: T=0
It's a Belgian card
BelgianReader() constructor started
identityData has been read
Observations on a Windows XP client and Oracle JRE
Even with the least secure configuration the applet didn’t get permission to initialize:
security: Found unsigned entry: src/eidreader/EIDReader$1.class
basic: exception: Found unsigned entry in resource: http://test-eidreader.lino-framework.org/EIDReader.jar.
ExitException[ 3]com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: http://test-eidreader.lino-framework.org/EIDReader.jar
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
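Added example (not part of the original post or of the eidreader project): a Python check for the condition the Oracle JRE reports above, listing JAR entries that no complete signer (.SF file plus its signature block) covers. It checks coverage only, not digests or the signature itself, and skips everything under META-INF as a simplification; the helper names and the sample JAR are constructed for illustration.

```python
import io
import re
import zipfile

SF_NAME = re.compile(r"^META-INF/([^/]+)\.SF$", re.I)
BLOCK_EXTS = (".RSA", ".DSA", ".EC")

def names_in_sf(sf_text):
    """Entry names that a .SF signature file lists ("Name: ..." sections)."""
    # Lines wrap at 72 bytes; a continuation line starts with one space.
    text = sf_text.replace("\r\n", "\n").replace("\n ", "")
    return {ln[len("Name: "):] for ln in text.split("\n") if ln.startswith("Name: ")}

def unsigned_entries(jar_bytes):
    """Entries outside META-INF that no complete signer (.SF + block) covers."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        upper = {n.upper() for n in names}
        covered = set()
        for n in names:
            m = SF_NAME.match(n)
            # A .SF file only counts if its signature block file is present.
            if m and any(f"META-INF/{m.group(1)}{e}".upper() in upper for e in BLOCK_EXTS):
                covered |= names_in_sf(jar.read(n).decode("utf-8"))
    return sorted(n for n in names
                  if not n.endswith("/")
                  and not n.upper().startswith("META-INF/")
                  and n not in covered)

def build_sample_jar(signed, unsigned, with_block=True):
    """Constructed test JAR: placeholder digests, no real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        sf = "Signature-Version: 1.0\r\n\r\n" + "".join(
            f"Name: {n}\r\nSHA-256-Digest: PLACEHOLDER\r\n\r\n" for n in signed)
        jar.writestr("META-INF/TEST.SF", sf)
        if with_block:
            jar.writestr("META-INF/TEST.RSA", b"placeholder")
        for n in signed + unsigned:
            jar.writestr(n, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    jar = build_sample_jar(["src/eidreader/EIDReader.class"],
                           ["src/eidreader/EIDReader$1.class"])
    for name in unsigned_entries(jar):
        print("unsigned entry:", name)
```

A JAR that passes this check can still fail real verification; `jarsigner -verify` remains the authoritative test before deploying.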
Conclusion
It seems that in practice it is no longer possible to deploy applets without having purchased a code signing certificate. Congratulations to the corporations who successfully use their leading market position to earn more money.
Public test page
I installed signed .jar files on the public test page (manually, without putting them into the GitHub repository) so that I can invite other people to test whether the applet works on their client.