Jasbir21
asked on
Do not understand the signed applet code posted by irene
Hi, I posted a question before on signed applets, application-applet sockets and so on; I could not do it because I was not getting the applet signing right. The tutorials were useful and I got a lot of help, but I still was not able to do it.
Is there any of you who have used the code below? I found it in the Java forum. I don't understand how it works. Could anyone explain it to me and help me get it to work? I have changed from signed to policy. It's a nightmare.
-----begin irene67's original message -----
These steps describe the creation of a self-signed applet. This is useful for testing purposes. For publicly reachable applets, a "real" certificate issued by an authority like VeriSign or Thawte will be needed. (See step 10 - no user will import and trust a self-signed applet from an unknown developer).
The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this independence, it makes no sense to use Java...
1. Create your code for the applet as usual.
It is not necessary to set any permissions or use security managers in
the code.
2. Install JDK 1.3
Path for use of the following commands: [jdk 1.3 path]\bin\
(commands are keytool, jar, jarsigner)
Password for the keystore is *any* password. Only Sun knows why...
perhaps ;-)
3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
Enter keystore password: *******
What is your first and last name?
[Unknown]: Your Name
What is the name of your organizational unit?
[Unknown]: YourUnit
What is the name of your organization?
[Unknown]: YourOrg
What is the name of your City or Locality?
[Unknown]: YourCity
What is the name of your State or Province?
[Unknown]: YS
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
correct?
[no]: yes
(wait...)
Enter key password for tstkey
(RETURN if same as keystore password):
(press [enter])
4. Export key: keytool -export -alias tstkey -file tstcert.crt
Enter keystore password: *******
Certificate stored in file tstcert.crt
5. Create JAR: jar cvf tst.jar tst.class
Add all classes used in your project by typing the classnames in the
same line.
added manifest
adding: tst.class(in = 849) (out= 536)(deflated 36%)
6. Verify JAR: jar tvf tst.jar
Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
7. Sign JAR: jarsigner tst.jar tstkey
Enter Passphrase for keystore: *******
8. Verify Signing: jarsigner -verify -verbose -certs tst.jar
130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US (tstkey)
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
(recommended to use HTML Converter Version 1.3)
10. (Omitted See Below)
-----end irene67's original message -----
To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.
1) Export a cert request using keytool and send it to a CA verification source like VeriSign.
When the response comes back, import it into the keystore, overwriting the original cert for the generated key.
To export the request (the keytool command is -certreq):
keytool -certreq -alias tstkey -file tstcert.req
To import the response:
keytool -import -trustcacerts -alias tstkey -file careply.crt
An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.
2) For development or otherwise, you may want to just use your self-signed certificate.
In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.
To import the self-signed certificate into the cacerts keystore, change directory to where the JDK plugin keystore is located.
For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security
Import your self-signed cert into the cacerts keystore:
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
(the password is literally 'changeit')
Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he/she chooses. If your applet uses classes from multiple jars, for example Apache's Xerces parser, you will need to sign those jars as well to allow them to execute in the client's browser. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting and all other classes from unsigned jars will run in the sandbox.
NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.
The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.
-end original message------------
Note: since I would be developing in the intranet, I think a self-signed cert would be sufficient.
Thanks in advance
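As an added example (not code from the thread), the following Python script audits the listing that `jarsigner -verify -verbose -certs` prints in step 8: it reads the flag column, requires every class to carry s and m, and requires all classes in one package to share the same signer, which is the condition behind a "signer information does not match" SecurityException when unsigned or differently signed classes are mixed in. The embedded listing is constructed from the page's tst.class entry plus a hypothetical `demo` package.

```python
"""Audit a `jarsigner -verify -verbose -certs` listing for unsigned or inconsistently signed classes."""
import re

# One listing line: optional flag letters, optional size, the entry date, then the entry name.
ENTRY_RE = re.compile(
    r"^\s*(?P<flags>[smki]{0,4})\s*(?:(?P<size>\d+)\s+)?"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}) (?P<name>\S+)\s*$"
)
# Certificate line printed under a signed entry: "X.509, <DN> (<keystore alias>)".
CERT_RE = re.compile(r"^\s*X\.509,\s*(?P<dn>.+?)(?:\s*\((?P<alias>[^()]*)\))?\s*$")


def parse_listing(text):
    """Return one {'name', 'flags', 'signers'} dict per entry; legend and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m["name"], "flags": m["flags"], "signers": []})
        elif (c := CERT_RE.match(line)) and entries:
            entries[-1]["signers"].append(c["dn"].strip())  # cert lines belong to the entry above
    return entries


def audit(entries, required="sm"):
    """Return a list of problems; an empty list means every class is consistently signed."""
    problems, by_package = [], {}
    for e in entries:
        name = e["name"]
        if name.endswith("/") or name.startswith("META-INF/"):
            continue  # directories and the signature files themselves are not code
        missing = "".join(f for f in required if f not in e["flags"])
        if missing:
            problems.append(f"{name}: not covered by the JAR signature (missing flag(s) '{missing}')")
            continue
        package = name.rsplit("/", 1)[0] if "/" in name else "(default)"
        by_package.setdefault(package, {})[name] = tuple(sorted(e["signers"]))
    # The JVM refuses to load a class whose signers differ from those of classes already
    # loaded in the same package, so any package with mixed signers is reported.
    for package, members in by_package.items():
        if len(set(members.values())) > 1:
            detail = "; ".join(f"{n} <- {', '.join(s) or 'none'}" for n, s in members.items())
            problems.append(f"package {package}: classes have different signers: {detail}")
    return problems


def audit_listing(text):
    """Parse and audit one listing, also requiring jarsigner's closing 'jar verified.' line."""
    problems = audit(parse_listing(text))
    if "jar verified." not in text:
        problems.insert(0, "jarsigner did not report 'jar verified.'")
    return problems


# Constructed listing: the page's tst.class plus a signed and an unsigned class in a
# hypothetical 'demo' package (the unsigned one stands for a class added after signing).
SAMPLE = """\
         130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
         183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
         920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
           0 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
smk      849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
      X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US (tstkey)
smk     1201 Thu Jul 27 12:49:04 GMT+02:00 2000 demo/JDBCApplet.class
      X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US (tstkey)
         611 Thu Jul 27 12:49:04 GMT+02:00 2000 demo/JDBCApplet$1.class

jar verified.
"""
```

Running `audit_listing(SAMPLE)` reports the unsigned `demo/JDBCApplet$1.class`; pipe a real `jarsigner -verify -verbose -certs` output into `audit_listing` to check a JAR before deploying it.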
ASKER
Hi objects, I was hoping you would answer. Thanks. I posted a new question because I thought I was asking too many questions in one posted question.
If I use the MS VM, because of the court thing ($$$), I am unable to make a test cert. When I read the link that you gave me, I really understood that installing Java should not be a big issue. (I would install it myself on the machines if my boss finds it a bit too difficult to do.) So, by installing Java, IE (Internet Explorer) is going to use the plug-in to open it, right? So I could use the policy tool as well if my boss is a bit fussy.
Thanks, please do answer
You need to be more specific about what problems you are having.
You keep repeatedly asking virtually the same question.
> If I use the MS VM, because of the court thing ($$$), I am unable to make a test cert.
MS has nothing to do with creating a test cert.
ASKER
Sorry, I am bad at explaining. OK, to make the test cert, I need to download the Microsoft Java SDK, but when I went to the website I found this:
*** WARNING ***
As part of the battles between Microsoft and Sun, Microsoft has stopped making their Java SDK available, and have removed virtually all Java documentation from their website. This means that, unless you already have a copy, or can persuade someone else to break the Microsoft licensing agreement and give you a copy (don't ask me!) then you won't be able to sign Java applets for use in Internet Explorer.
The workaround is to sign for the Sun Java Plugin, which can be installed in Internet Explorer, recognizes Netscape-signed applets (but not Netscape's security calls), and is distributed freely.
I'm hoping to rewrite this document to more fully explore code signing for the Java Plugin. If you'd like to hear about the update when (if) it happens, then follow the instructions below to add yourself to my mailing list.
Daniel Griscom, 3/7/03
So, my only option now would be using the Java plugin.
Thanks
ASKER
Sorry again if I was not being specific earlier.
> to make the test cert, I need to download the Microsoft Java SDK
Wrong, to make a test cert you need to run keytool.
You need MS SDK to create a signed cab.
So exactly what is your problem with signing a jar, or changing security policy file? You've got lots of details of what is required in your previous questions.
ASKER
a) I thought I needed the MAKECERT.exe tool to create a certificate??
__________________________________________________________
Creating a certificate
A code signing certificate for MSIE can be generated by means of the MS tools provided with the Microsoft JAVA-SDK, downloadable from the Microsoft web site. To create a private certificate, follow these steps:
1: Using the MAKECERT.exe tool, generate a new certificate as follows:
makecert /sv "ms_ACME.pvk" /n "CN=ACME Certificate" ms_ACME.cer
where...
ms_ACME.pvk is the name of the private key file to be generated
ms_ACME.cer is the certificate file to be generated
ACME Certificate is the name of the certificate
Note: during this phase a password is requested on two occasions. It must be the same password in both cases and will be requested when signing the software, so DON'T forget it!
2: Generate a .spc file as follows:
Cert2spc ms_ACME.cer ms_ACME.spc
This step generates the file ms_ACME.spc
__________________________________________________________
b) When I did the policy file, it works only on my computer; the moment I shifted it to the server and tried it, I had some problems.
Sorry
ASKER
That's why I decided to use keytool after I could not get the makecert tool. Sorry for confusing things.
ASKER
When I did the steps using the above code, there were no errors; however, when I typed the line
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt, I had the following error: bad command or file name.
Thanks
You just need to include the directory containing keytool in your PATH, or specify the absolute location of keytool.
> when I did the policy file, it works only on my comp
Yes (as previously explained) that's how it works.
Each JRE has its own policy file.
ASKER
> when I did the policy file, it works only on my comp
Sorry, I think I was not being specific again. My Java code has to be in that dir (on the same computer) to get it to work.
I included the path by typing
set path=c:\j2sdk1.4.0.03\bin (note: keytool is located in the bin)
On my computer, I found the security file
at C:\j2dk1.4.0.03\jre\lib\security
I still got the same error.
Objects, sorry for disturbing you again and again, but I hope you understand that I am new to this (industrial trainee), so I am trying all the ways I can find to finish it. I know I am jumbling all the facts as well.
Thanks
OK, you are attempting two different approaches at the same time and I would suggest attacking one at a time to avoid confusion:
1. Regarding signing, try:
c:\j2sdk1.4.0.03\bin\keytool .....
2. Regarding the policy file, it specifies not only what permissions to grant, but also to what code, i.e. if you move the classes, you need to change the entry.
This is discussed in the Java tutorial link on security I posted previously.
ASKER
Hi, I think I would do signing first and not confuse things and jumble up everything.
I redid the whole thing again, and I typed the path as
set path=c:\j2sdk1.4.0.03\bin\keytool, and still had the same error.
I think I should state what I did:
step 1: I created an applet and named it FileIO.java
step 2: typed c:\j2sdk1.4.0_03\bin
So, now I am in the bin directory.
c:\j2sdk1.4.0_03\bin>
step 3: Generate key:
c:\j2sdk1.4.0_03\bin> keytool -genkey -keyalg rsa -alias tstkey
step 4: Export key:
c:\j2sdk1.4.0_03\bin> keytool -export -alias tstkey -file tstcert.crt
step 5: Create JAR:
c:\j2sdk1.4.0_03\bin> jar cvf tst.jar FileIOAppl.class
step 6: Verify JAR
c:\j2sdk1.4.0_03\bin> jar tvf tst.jar
step 7: Sign JAR
c:\j2sdk1.4.0_03\bin> jarsigner tst.jar tstkey
step 8: Verify Signing
c:\j2sdk1.4.0_03\bin> jarsigner -verify -verbose -certs tst.jar
step 9: creating the html file
step 10: htmlconverter
------------------------------------------------------------
problem starts ....
step 11: change dir and set path
c:j2sdk1.4.0_03\jre\lib\security
set path=c:\j2sdk1.4.0.03\bin\keytool
Then, I copied the tstcert and pasted it in the security folder
c:j2sdk1.4.0_03\jre\lib\security>keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
and then I got that error.
I really do not know what mistake I could have made.
ASKER
Hi, I think I got my tstcert right. I mean when I click it, it considers itself trusted.
What do I do so that when I click my applet, a window comes out to ask or request permission?
In the posted link, they used tools such as cabarc.exe ...
(Microsoft Java SDK), but what should I use?
Thanks
ASKER
Hi, I think it works. When I clicked the html file a window popped up and asked me whether I would like to grant permission to this applet.
When I pressed yes, the error I got is
java.lang.SecurityException: Class "JDBCApplet$1"'s signer information does not match signer information of other classes in the same package.
I am posting that as a new question. Hope you would look into it.
Thanks. Sorry for troubling you so much
The above describes signing for the Java plugin from Sun.