Invalid Certificate Chain – Unable to Validate Signed Jar File
Anindita Kar
Oct 26, 2023 12:00:00 PM
After a typical Oracle Forms installation, it is recommended to sign custom JAR files, including jacob.jar, to avoid Java runtime warning messages.
Before signing the custom jar files, we obtain either a CA-issued Code Signing (CS) certificate or create a self-signed certificate. The advantage of a CA-signed certificate over a self-signed one is that the former does not have to be imported into the JRE of each user.
For simplicity, here we will be signing jacob.jar with a self-signed certificate.
Navigate to the location where the keystore will be created.
cd C:\Oracle\jar
%JAVA_HOME%\bin\keytool -genkey -alias selfsigned -keyalg rsa -keystore selfsign.jks -keysize 2048 -validity 1460
Enter keystore password:
Re-enter new password:
-------------------------
Is CN=AK, OU=Admin, O=XYZ, L=Toronto, ST=Ontario, C=CA correct?
[no]: yes
Enter key password for <selfsigned>
(RETURN if same as keystore password):
--------------------------
Typically after this, you would generate a Certificate Signing Request for the CA, if that is the requirement. But we are not doing that.
Let’s query the contents of the keystore.
%JAVA_HOME%\bin\keytool -list -v -keystore selfsign.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: selfsigned
Creation date: Oct 11, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=AK, OU=Admin, O=XYZ, L=Toronto, ST=Ontario, C=CA
Issuer: CN=AK, OU=Admin, O=XYZ, L=Toronto, ST=Ontario, C=CA
---------------------------
Jacob 1.20 (recommended for use with Oracle Forms 12.2.1.4.0) already has the required entries in its manifest, but other custom jar files, such as those containing icons, will need to be updated before the jar files are signed. Ref: How to Add Manifest Entries into Custom Jar Files Such as jacob.jar or Jar Files Containing Icons (Doc ID 1583119.1).
%JAVA_HOME%\bin\jarsigner -keystore selfsign.jks jacob.jar selfsigned
Enter Passphrase for keystore:
jar signed.
Warning:
The signer's certificate is self-signed.
Verify the signed jar with the command below:
%JAVA_HOME%\bin\jarsigner -verify -verbose -certs jacob.jar
s 3725 Wed Oct 11 22:16:10 UTC 2023 META-INF/MANIFEST.MF
>>> Signer
X.509, CN=AK, OU=Admin, O=XYZ, L=Toronto, ST=Ontario, C=CA
[
Signature algorithm: SHA256withRSA, 2048-bit key
[certificate is valid from 10/11/23 9:49 PM to 10/10/27 9:49 PM]
[Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-----------------------
The error above occurs because the self-signed certificate is not present in the Java trust store (JAVA_HOME\jre\lib\security\cacerts), so jarsigner cannot build a certification path from the signer certificate to a trust anchor.
Import the certificate into cacerts, bounce the Oracle middleware services, and re-validate the signed jacob.jar with the jarsigner -verify command above.
%JAVA_HOME%\bin\keytool -exportcert -alias selfsigned -keystore selfsign.jks -file trust.crt
%JAVA_HOME%\bin\keytool -import -trustcacerts -alias selfsigned -file trust.crt -v -keystore %JAVA_HOME%\jre\lib\security\cacerts
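As an added example (not code from the original post), the following Java program performs the same check that jarsigner -verify does: it verifies every entry's digest while reading the jar, then PKIX-validates each signer chain against a trust store, defaulting to the running JVM's cacerts. Run it against jacob.jar before and after the import above to see the chain go from rejected to trusted; the class name and command-line arguments are my own choices.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

/** Added example: verify a signed jar and check its signer chains against a trust store (Java 8+). */
public class JarSignerCheck {

    /** Reads every entry (which triggers digest verification) and collects the distinct signer chains. */
    static Set<CertPath> signerChains(File jarPath) throws IOException {
        Set<CertPath> chains = new HashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {          // true = verify signatures while reading
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory()) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }                 // a SecurityException here means a tampered entry
                }
                CodeSigner[] signers = entry.getCodeSigners();     // null until read; null for unsigned entries
                if (signers == null) {
                    if (!entry.getName().startsWith("META-INF/"))  // manifest/.SF/.RSA are never signed themselves
                        throw new SecurityException("unsigned entry: " + entry.getName());
                    continue;
                }
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath());
            }
        }
        return chains;
    }

    /** PKIX path validation against the trust store: the check behind jarsigner's "Invalid certificate chain". */
    static boolean isTrusted(CertPath chain, KeyStore trustStore) throws GeneralSecurityException {
        PKIXParameters params = new PKIXParameters(trustStore);    // anchors = trustedCertEntry entries in the store
        params.setRevocationEnabled(false);                        // no CRL/OCSP lookups for an offline self-signed cert
        try {
            CertPathValidator.getInstance("PKIX").validate(chain, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("chain rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java JarSignerCheck jacob.jar [truststore [password]]; default = this JVM's cacerts
        // (java.home already ends in \jre on Java 8, so the path matches the one used in the post)
        String tsPath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "cacerts";
        char[] tsPass = args.length > 2 ? args[2].toCharArray() : null;   // no password needed just to read certificates
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass); }
        for (CertPath chain : signerChains(new File(args[0]))) {
            X509Certificate leaf = (X509Certificate) chain.getCertificates().get(0);
            System.out.println(leaf.getSubjectX500Principal() + " -> " + (isTrusted(chain, ts) ? "trusted" : "NOT trusted"));
        }
    }
}
```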
Place the jar file in the required location; for Oracle Forms, it is typically under ORACLE_HOME\forms\java. If you need OLE functions (which depend on the Jacob jar configuration), you can run the Webutil demo without dealing with Java security warning messages anymore. Ref: How to Configure Webutil in Forms 12c (Doc ID 2070183.1)