FULL PRODUCT VERSION :
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0-01-b06)
Java HotSpot(TM) Client VM (build 1.6.0-01-b06, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.0.6000]
A DESCRIPTION OF THE PROBLEM :
On Windows Vista with UAC on, incorrect message "verification failed" is displayed
when starting a signed applet on IE7 under its protected-mode on.
On Windows Vista with UAC on, correct message "verification succeeded" is displayed
when starting a signed applet on IE7 under its protected-mode off.
Since the use of signed applets is critical to our application, the "verification failure" message
would force our users do some unwilling insecure operation as setting its protected mode off.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
0.We get the certificate(PKCS#12 file, HelloWorld.p12)
for putting digital signature on java applets.
1.On Windows Vista,
we import its certificate's root certificate to IE7's ROOT certificate store.
2.We compile the java applet source(HelloWorld.java,which is attached).
Then, applet class file(HelloWorld.class) is maked.
3.We convert the applet class file(HelloWorld.class) into jar file(HelloWorld.jar)
using the following command.
[command]
jar cf HelloWorld.jar HelloWorld.class
4.We type the following command, and sign to the jar file(HelloWorld.jar).
When we type the command, we use the certificate which we get "step0".
[command]
jarsigner -storetype pkcs12 -keystore HelloWorld.p12 -storepass password HelloWorld.jar "MPHPT(Soumu-sho) - Japanese Government"
In this example, HelloWorld.p12 is the certificate which we get "step0".
"MPHPT(Soumu-sho) - Japanese Government" is its certificate's alias name.
It has no infuluence on this problem.
5.We make a HTML source(HelloWorld.html, which is attached).
Then, we transmit a HTML source(HelloWorld.html) and the jar file(HelloWorld.jar)
to the Web Server we can access.
6.We access the web site(ex. http://xxx.xxx/Helloworld.html)
and download the signed applet with IE7 on Vista.
7.On Windows Vista with UAC on, incorrect message "verification failed" is displayed
when starting a signed applet on IE7 under its protected-mode on.
8.On Windows Vista with UAC on, correct message "verification succeeded" is displayed
when starting a signed applet on IE7 under its protected-mode off.
When we confirm this problem, Our PC is not changed except for protected-mode.
The following web site provide us the result of carrying out these steps(1-5).
So, We can confirm this problem on the following URL.
http://www.geocities.jp/shiyu_hoppe/HelloWorld.html
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Regardless of IE7's protected-mode on or off,
on Windows Vista with UAC on,
correct message "verification succeeded" should be displayed
when starting a signed applet on IE7.
ACTUAL -
On Windows Vista with UAC on, incorrect message "verification failed" is displayed
when starting a signed applet on IE7 under its protected-mode on.
On Windows Vista with UAC on, correct message "verification succeeded" is displayed
when starting a signed applet on IE7 under its protected-mode off.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
[HelloWorld.java]
import java.applet.*;
import java.awt.*;
public class HelloWorld extends Applet {
public void paint(Graphics g) {
g.drawString("Hello, world!", 100, 50);
}
}
[HelloWorld.html]
<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
</HEAD>
<BODY bgcolor="black">
<FONT color="white">HelloWorld Program says:</FONT>
<APPLET archive="HelloWorld.jar" code="HelloWorld.class" width="600" height="100">
</APPLET>
</BODY>
</HTML>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Setting IE7's protected-mode off, before you download the signed applet.