Hi Javier,

You only need to delete the files "META-INF/UJI.SF" and "META-INF/UJI.RSA" from the already generated and signed JAR.

2011/11/28 ABINZANO MURILLO JOSE JAVIER <[email protected]>:
> I think you've hit the nail on the head with the jar signature...
>
> It is when I add my ujiCrypto.conf to uji-config-2.1.1-signed.jar that the
> signature fails, because the applet notices that the jar has been modified.
> I think that is exactly what happens, because using your original jar but
> with an external ujiCrypto.conf, on the server, it does manage to sign.
>
> I can carry on with the current configuration, but if removing the
> signature from that particular jar is simple (perhaps by leaving MANIFEST.MF
> empty and deleting the other files in META-INF?) I would prefer to put
> ujiCrypto.conf inside the jar. This could also solve the problem that
> started this thread, since when I put the client's keystore inside the jar
> the same thing was probably happening: the applet's signature detected the
> change. If I manage to remove the signature I will be able to use the
> keystore instead of copying the certificates directly...
>
> Regards and thanks again: Javier
>
> -----Original message-----
> From: "Ricardo Borillo Doménech" <[email protected]>
> Sent: 25/11/2011 14:58:10
> To: "Llista de correu per al CryptoApplet" <[email protected]>
> Subject: Re: [CryptoApplet] A question about configuration paths
>
> If the JAR is modified and it was signed, it may not work for you.
> In principle uji-config does not need to be signed, so
> the signature can be deleted from the JAR.
>
> 2011/11/25 ABINZANO MURILLO JOSE JAVIER <[email protected]>:
>> Hello again
>>
>> Many thanks for the pointer. I have obtained the client's keystore, and
>> with...
>>
>> keytool -list -v -keystore cas.keystore
>>
>> I was able to check that it contains the same certificates I had in
>> separate files, and to find out their aliases so that I can use them from
>> ujiCrypto.conf
>>
>> Then I changed the references in ujiCrypto.conf so that they pointed to the
>> keystore, and it ALMOST works.
>> At the end of this email I am sending you the output of the Java console
>> (from onInitOK onward), in case something occurs to you on seeing it, but I
>> reckon that keystore has some defect. I also don't want to make you waste
>> more time when with the separate certificates I can sign without
>> problems...
>>
>> Regards: Javier Abínzano
>>
>> -----------------------
>>
>> DEBUG thread applet-es.uji.security.ui.applet.SignatureApplet-1 es.uji.security.ui.applet.SignatureApplet [11:54:09,096] - Call JavaScript method: onInitOk
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.AppHandler [11:54:19,578] - Setting signOutputFormat to es.uji.security.crypto.openxades.OpenXAdESSignatureFactory
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.AppHandler [11:54:19,593] - Setting inputDataEncoding to PLAIN
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.SignatureApplet [11:54:19,609] - Init window
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,718] - Building certificate tree
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,718] - Loading user certificates from keystore MSCAPI
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,718] - Loading aliases from keystore
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - 4 aliases loaded
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Found certificate whith alias OU=FNMT Clase 2 CA, O=FNMT, C=ES Serial=1018756298
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Loading certificate with alias OU=FNMT Clase 2 CA, O=FNMT, C=ES Serial=1018756298
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Found certificate whith alias CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=24479927294867302867012332203021340343
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Loading certificate with alias CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=24479927294867302867012332203021340343
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Found certificate whith alias CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=96645770944666008273160649392354122771
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Loading certificate with alias CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=96645770944666008273160649392354122771
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Found certificate whith alias CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=23354082312485453175376988941333319377
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:19,734] - Loading certificate with alias CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=23354082312485453175376988941333319377
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,750] - Added new CA FNMT
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,750] - Added new certificate NOMBRE RODRIGUEZ PEREZ JUAN MANUEL - NIF 51669070 (digitalSignature, keyEncipherment)
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,750] - Added new CA SESCAM (NIF Q-4500146H)
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,750] - Added new certificate A LUMNO4 CSJ - DNI 11444555P, GIVENN (nonRepudiation)
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,750] - Added new certificate A LUMNO4 CSJ - DNI 11444555P, GIVENN (digitalSignature)
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.JTreeCertificateBuilder [11:54:19,750] - Added new certificate A LUMNO4 CSJ - DNI 11444555P, GIVENN (keyEncipherment, dataEncipherment)
>> DEBUG Applet 1 LiveConnect Worker Thread es.uji.security.ui.applet.SignatureApplet [11:54:19,890] - Call JavaScript method: onWindowShow
>> STORE: MSCAPI
>> START: 1SIGNATURECOUNT: 1
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - Getting selected certificate
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - Selected certificate:CN=A LUMNO4 CSJ - DNI 11444555P, GIVENNAME=A, SURNAME=LUMNO4 CSJ, SERIALNUMBER=11444555P, T=INFORMATICO, OU=aali11, OU=certificado electrónico de empleado público, O=SESCAM, C=ES
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - Validating certificate
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - The certificate is valid
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - Loading certificate store
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - Certificate store loaded
>> Certificate Alias: CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=24479927294867302867012332203021340343
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,921] - Loading signature format: es.uji.security.crypto.openxades.OpenXAdESSignatureFactory
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,952] - Signer Role: citizen
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,952] - File Name: UNSET
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,952] - Content Type:application/binary
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,952] - Selected a digital signature certificate
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,952] - Encoding: PLAIN
>> DEBUG thread-sig-0 es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:23,952] - Loading aliases from keystore
>> DEBUG thread-sig-0 es.uji.security.keystore.mscapi.MsCapiKeyStore [11:54:23,968] - 4 aliases loaded
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,968] - [OU=FNMT Clase 2 CA, O=FNMT, C=ES Serial=1018756298, CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=24479927294867302867012332203021340343, CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=96645770944666008273160649392354122771, CN=SESCAM CA Entidades Finales, O=SESCAM (NIF Q-4500146H), O=JCCM, C=ES Serial=23354082312485453175376988941333319377]
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,968] - Private key format: null
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,968] - Private key algorithm: RSA
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,968] - Provider: UJI-MSCAPI
>> DEBUG thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:23,968] - Signing data
>> DEBUG thread-sig-0 es.uji.security.crypto.openxades.OpenXAdESSignatureFactory [11:54:23,968] - Using XAdESSignatureFactory
>> DEBUG thread-sig-0 es.uji.security.crypto.openxades.OpenXAdESSignatureFactory [11:54:23,968] - UJI-MSCAPI provider found
>> [Fatal Error] :1:1: Content is not allowed in prolog.
>> DEBUG thread-sig-0 es.uji.security.crypto.openxades.digidoc.DataFile [11:54:24,061] - calculateFileSizeAndDigest(D0)
>> DEBUG thread-sig-0 es.uji.security.crypto.openxades.digidoc.DataFile [11:54:24,155] - DataFile: 'D0' length: 31 digest: 8e42MOeIyQy7r9p4iL6L/UG+9yI=
>> DEBUG thread-sig-0 es.uji.security.crypto.openxades.OpenXAdESSignatureFactory [11:54:30,123] - Signing XAdES info. XAdES signature length 256
>> ERROR thread-sig-0 es.uji.security.ui.applet.SignatureThread [11:54:30,373] - <html><font color='red'>No se ha podido calcular la firma</font></html>
>> es.uji.security.crypto.timestamp.TokenVerifyException: Unable to decipher pkcs#9 encoded attributes
>>     at es.uji.security.crypto.timestamp.TSResponseToken.verify(TSResponseToken.java:215)
>>     at es.uji.security.crypto.timestamp.TSResponseToken.verify(TSResponseToken.java:187)
>>     at es.uji.security.crypto.openxades.OpenXAdESSignatureFactory.formatSignature(OpenXAdESSignatureFactory.java:213)
>>     at es.uji.security.ui.applet.SignatureThread.run(SignatureThread.java:452)
>> DEBUG thread-sig-0 es.uji.security.ui.applet.AppHandler [11:54:30,373] - Call JavaScript method: onSignError
>> es.uji.security.ui.applet.SignatureAppletException
>>     at es.uji.security.ui.applet.SignatureThread.run(SignatureThread.java:460)
>>
>> _______________________________________________
>> CryptoApplet mailing list
>> [email protected]
>> http://llistes.uji.es/mailman/listinfo/cryptoapplet
>
> --
> Regards,
> ====================================
> Ricardo Borillo Domenech
> http://xml-utils.com / http://twitter.com/borillo

--
Regards,
====================================
Ricardo Borillo Domenech
http://xml-utils.com / http://twitter.com/borillo
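
Added example (not part of the original thread and not CryptoApplet code): a Python illustration of why editing ujiCrypto.conf inside the signed jar is detected, and of the removal of META-INF/UJI.SF and META-INF/UJI.RSA described in the reply. The sample jar, its placeholder signature files, the SHA-256-Digest attribute and all function names are constructed assumptions; the check compares manifest digests only and does not verify the signature block itself.

```python
import base64, hashlib, io, zipfile

ORIGINAL_CONF = b"constructed original ujiCrypto.conf\n"  # sample content, not the real file

def is_signature_file(name):
    """True for signature (.SF) and signature-block files directly under META-INF/."""
    upper = name.upper()
    return (upper.startswith("META-INF/") and "/" not in upper[9:]
            and upper.endswith((".SF", ".RSA", ".DSA", ".EC")))

def manifest_digests(text):
    """Map entry name -> base64 digest from the manifest's per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def tampered_entries(jar_bytes):
    """Entries whose content no longer matches the manifest of a signed JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if not any(is_signature_file(n) for n in names):
            return []  # no signature files: the JAR is treated as unsigned
        expected = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        return [n for n in names
                if not n.startswith("META-INF/") and not n.endswith("/")
                and expected.get(n) != base64.b64encode(hashlib.sha256(jar.read(n)).digest()).decode()]

def strip_signature(jar_bytes):
    """Copy the JAR without its signature files (the step the reply describes)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not is_signature_file(info.filename):
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def sample_jar(conf_bytes):
    """Constructed stand-in for the signed jar: digests cover ORIGINAL_CONF only."""
    digest = base64.b64encode(hashlib.sha256(ORIGINAL_CONF).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: ujiCrypto.conf\r\nSHA-256-Digest: {digest}\r\n\r\n"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/UJI.SF", "placeholder, not a real signature file")
        jar.writestr("META-INF/UJI.RSA", b"placeholder, not a real PKCS#7 block")
        jar.writestr("ujiCrypto.conf", conf_bytes)
    return out.getvalue()
```

After stripping, the jar is unsigned, so anything that relied on its signature to trust the bundled configuration no longer has that guarantee.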
