Sun JRE 1.5 beta 1 ignores Netscape Object Signing

Steps to reproduce: run the signed applet on this page in Netscape 7 using Sun JRE 1.5 beta 1 (build 1.5.0-beta-b32c).  The JAR file was created and signed using Netscape signtool.  The certificate used was a Netscape Object Signing certificate a Thawte multipurpose certificate, as detailed at:
http://www.thawte.com/support/code/tech.html

Expected result: Signing should be accepted and the applet should report the user.home property.

Actual result:  Signing is not accepted and the security exception is reported if the browser is Netscape 7 and the JRE is Sun 1.5 beta 1.

Error message:  A dialog labeled "Warning - Security" appears with the following message:
Certificate Not Verified
Code will be treated as unsigned.

The detailed report:

java.security.cert.CertificateException: Check signer key usage failed in certificate
    at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
    at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin.security.PluginClassLoader.getPermissions(Unknown Source)
    at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
(... etc...)

A similar report of this problem on a Sun Forum:
http://forum.java.sun.com/thread.jsp?forum=63&thread=521509&start=0&range=15
has an error message that shares the same first 6 lines:

java.security.cert.CertificateException: Check signer key usage failed in certificate
    at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
    at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin.extension.ExtensionInstallationImpl.verifyJar(Unknown Source)
    at sun.plugin.extension.ExtensionInstallationImpl.access$100(Unknown Source)
    at sun.plugin.extension.ExtensionInstallationImpl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
(... etc...)

Workaround:  The signing may be accepted by JRE 1.5 beta 1 if Microsoft Internet Explorer for Windows XP is used instead of Netscape (however one person using IE6 (6.0.2800.1106) on Windows2000 SP4 (5.00.2195) reports the signing problem in that environment; it is not clear whether having accepted the certificate before installing 1.5 beta 1 is relevant).  The signing is accepted by JRE 1.4.x using either Netscape of Internet Explorer.  The problem is reported to occur with VeriSign certificates as well as Thawte certificates:
http://forum.java.sun.com/thread.jsp?forum=63&thread=521509&start=0&range=15.

The problem is fixed as of the release version of JRE 1.5.


If you have any comments please contact Mickey Segal.  A listing of  many Java resources is at this link.

Source code:

import java.awt.*;
import java.applet.*;

public class SigningTest2 extends Applet {

public void init() {}

public void paint(Graphics g)
{
    try
    {
        String userHome = System.getProperty("user.home");
        g.drawString("Signing worked. The user.home property is: " + userHome, 10, 30);
    }
    catch (SecurityException e)
    {
        g.drawString("Signing didn't work. The SecurityException is: " + e.getMessage(), 10, 10);
    }
}
} // END OF Class SigningTest2