Do not understand the signed applet code posted by irene

Hi, I posted questions before on signed applets, application-applet sockets and so on. I could not do it because I was not getting the applet signing right. The tutorials were useful and I got a lot of help, but still I was not able to do it.

Is there any of you who has used the code below? I found it in the Java forum. I don't understand how it works. Could anyone explain it to me and help make it work for me? I have changed from signed to policy. It's a nightmare.

-----begin irene67's original message -----
These steps describe the creation of a self-signed applet. This is useful for testing purposes. For publicly reachable applets, a "real" certificate issued by an authority like VeriSign or Thawte will be needed. (See step 10 - no user will import and trust a self-signed applet from an unknown developer).

The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this independence, it makes no sense to use Java...

1. Create your code for the applet as usual.
It is not necessary to set any permissions or use security managers in
the code.

2. Install JDK 1.3
Path for use of the following commands: [jdk 1.3 path]\bin\
(commands are keytool, jar, jarsigner)
Password for the keystore is *any* password. Only Sun knows why...
perhaps ;-)

3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
Enter keystore password: *******
What is your first and last name?
[Unknown]: Your Name
What is the name of your organizational unit?
[Unknown]: YourUnit
What is the name of your organization?
[Unknown]: YourOrg
What is the name of your City or Locality?
[Unknown]: YourCity
What is the name of your State or Province?
[Unknown]: YS
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
[no]: yes


Enter key password for tstkey
(RETURN if same as keystore password):

(press [enter])

4. Export key: keytool -export -alias tstkey -file tstcert.crt

Enter keystore password: *******
Certificate stored in file tstcert.crt

5. Create JAR: jar cvf tst.jar tst.class
Add all classes used in your project by typing the classnames in the
same line.

added manifest
adding: tst.class(in = 849) (out= 536)(deflated 36%)

6. Verify JAR: jar tvf tst.jar

Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

7. Sign JAR: jarsigner tst.jar tstkey
Enter Passphrase for keystore: *******

8. Verify Signing: jarsigner -verify -verbose -certs tst.jar

130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
(recommended to use HTML Converter Version 1.3)

10. (Omitted, see below)

-----end irene67's original message -----

To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.

1) Export a cert request using keytool and send it to a CA verification source like VeriSign.
When the response comes back, import it into the keystore, overwriting the original cert for the generated key.

To export request:
keytool -certreq -alias tstkey -file tstcert.req

To import response:
keytool -import -trustcacerts -alias tstkey -file careply.crt

An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.

2) For development or otherwise, you may want to just use your self-signed certificate.
In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.

To import self-signed certificate into the cacerts keystore, change directory to where the JDK plugin key store is located.
For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security

Import your self-signed cert into the cacerts keystore:
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
(the password is literally 'changeit')

Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he / she chooses. If your applet uses classes from multiple jars, for example Apache's Xerces parser, you will need to sign those jars as well to allow them to execute in the client's browser. Otherwise, only the classes coming from the signed jar will work with the setting and all other classes from unsigned jars will run in the sandbox.

NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.

The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.

-end original message------------

Note: since I will be developing on the intranet, I think a self-signed cert would be sufficient.

Thanks in advance

From your previous message you stated you are developing an applet for use by the MS VM. Is this still true?
The above describes signing for the Java plugin from Sun.
Jasbir21Author Commented:
Hi objects, I was hoping you would answer. Thanks. I posted a new question because I thought I was asking too many questions in one posted question.
If I use MS VM, because of the court thing ($$$), I am unable to make a test cert. When I read the link that you gave me, I really understood that installing Java should not be a big issue. (I would install it myself on the machines if my boss finds it a bit too difficult to do.) So, by installing Java, IE (Internet Explorer) is going to use the plug-in to open it; I could use the policy tool as well if my boss is a bit fussy.

Thanks, please do answer.
You need to be more specific about what problems you are having.
You keep repeatedly asking virtually the same question.

> If  i use MS VM, becoz of the court thing($$$), i am unable to make a test cert.

MS has nothing to do with creating a test cert.
Jasbir21Author Commented:
Sorry, I am bad at explaining. OK, to make the test cert, I need to download the Microsoft Java SDK, but when I went to the website I found this:

*** WARNING ***  
As part of the battles between Microsoft and Sun, Microsoft has stopped making their Java SDK available, and have removed virtually all Java documentation from their website. This means that, unless you already have a copy, or can persuade someone else to break the Microsoft licensing agreement and give you a copy (don't ask me!) then you won't be able to sign Java applets for use in Internet Explorer.

The workaround is to sign for the Sun Java Plugin, which can be installed in Internet Explorer, recognizes Netscape-signed applets (but not Netscape's security calls), and is distributed freely.

I'm hoping to rewrite this document to more fully explore code signing for the Java Plugin. If you'd like to hear about the update when (if) it happens, then follow the instructions below to add yourself to my mailing list.

Daniel Griscom, 3/7/03

So, my only option now would be using the Java plugin.


Jasbir21Author Commented:
Sorry again if i was not being specific earlier.
> to make the test cert, i need to download Microsoft Java SDK

Wrong, to make a test cert you need to run keytool.
You need MS SDK to create a signed cab.

So exactly what is your problem with signing a jar, or changing security policy file? You've got lots of details of what is required in your previous questions.
Jasbir21Author Commented:
a) I thought I needed the MAKECERT.exe tool to create a certificate??
Creating a certificate
A code signing certificate for MSIE can be generated by means of the MS tools provided with the Microsoft JAVA-SDK, downloadable from the Microsoft web site. To create a private certificate, follow these steps:
1: Using the MAKECERT.exe tool, generate a new certificate as follows:

makecert /sv "ms_ACME.pvk" /n "CN=ACME Certificate" ms_ACME.cer

ms_ACME.pvk is the name of the private key file to be generated
ms_ACME.cer is the certificate file to be generated
ACME Certificate is the name of the certificate
Note: during this phase a password is requested in two occasions. It must be the same password in both cases and will be requested when signing the software, so DON'T forget it!
2: Generate a .spc file as follows:

Cert2spc ms_ACME.cer ms_ACME.spc

This step generates the file ms_ACME.spc


b) When I did the policy file, it worked only on my computer. The moment I shifted it to the server and tried it, I had some problems.

Jasbir21Author Commented:
That's why I decided to use keytool after I could not get the makecert tool. Sorry for confusing things.
Jasbir21Author Commented:
When I did the steps using the above code, there were no errors. However, when I typed the line
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt , I had the following error: bad command or file name.

You just need to include the directory containing keytool in your PATH, or specify the absolute location of keytool.
> when i did the policy file, it works only on my comp

Yes (as previously explained) that's how it works.
Each JRE has its own policy file.
Jasbir21Author Commented:
> when i did the policy file, it works only on my comp

Sorry, I think I was not being specific again. My Java code has to be in that dir (on the same computer) to get it to work.

I included the path by typing

set path=c:\j2sdk1.4.0.03\bin (note:keytool is located in the bin)

On my computer, I found the security file
on C:\j2dk1.4.0.03\jre\lib\security

I still got the same error.
Objects, sorry for disturbing you again and again, but I hope you understand that I am new to this (industrial trainee), so I am trying all the ways I can find to finish it. I know I am jumbling all the facts as well.


OK, you are attempting two different approaches at the same time and I would suggest attacking one at a time to avoid confusion:

1. Regarding signing, try:

c:\j2sdk1.4.0.03\bin\keytool .....

2. Regarding the policy file, it specifies not only what permissions to grant, but also to what code, i.e. if you move the classes, you need to change the entry.
This is discussed in the Java tutorial link on security I posted previously.
Jasbir21Author Commented:
Hi, I think I will do signing first and not confuse things and jumble everything up.

I redid the whole thing again, and I typed the path as
set path=c:\j2sdk1.4.0.03\bin\keytool, still had the same error.

I think I should state what I did:

step1: I created an applet and named it

step2: typed c:\j2sdk1.4.0_03\bin
So, now I am in the bin directory.


step3:Generate key:
c:\j2sdk1.4.0_03\bin> keytool -genkey -keyalg rsa -alias tstkey

step4:Export key:
c:\j2sdk1.4.0_03\bin>  keytool -export -alias tstkey -file tstcert.crt

step5:Create JAR:

c:\j2sdk1.4.0_03\bin> jar cvf tst.jar FileIOAppl.class

step6:Verify JAR
c:\j2sdk1.4.0_03\bin>  jar tvf tst.jar

step7:Sign JAR
c:\j2sdk1.4.0_03\bin> jarsigner tst.jar tstkey

step8:Verify Signing
c:\j2sdk1.4.0_03\bin> jarsigner -verify -verbose -certs tst.jar

step9:creating the html file


problem starts ....

step11 :change dir and set path


  set path=c:\j2sdk1.4.0.03\bin\keytool

  Then, I copied the tstcert and pasted it in the security folder
c:j2sdk1.4.0_03\jre\lib\security>keytool -import -keystore cacerts -storepass changeit -file tstcert.crt

and then I got that error.

I really do not know what mistake I could have done.

Jasbir21Author Commented:
Hi, I think I got my tstcert right. I mean, when I click it, it considers itself trusted.
What do I do so that when I click my applet, a window comes up to ask or request permission?

In the posted link, they used tools such as cabarc.exe ...
(Microsoft Java SDK), but what should I use?


> step11 :change dir and set path

I didn't see anything talking about changing path.

> c:j2sdk1.4.0_03\jre\lib\security>keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
> and then i got that error.

So your problem has nothing to do with signing, it is related to importing the test cert.
As I mentioned above, either add your bin dir to your path, or specify the absolute path:

c:\j2sdk1.4.0.03\bin\keytool -import -keystore cacerts -storepass changeit -file tstcert.crt


Jasbir21Author Commented:
Hi, I think it works. When I clicked the HTML file, a window popped up and asked me whether I would like to grant permission to this applet.

When I pressed yes, the error I got was
java.lang.SecurityException :Class " JDBCApplet$1's signer information does not match signer information of other classes in the same package.
I am posting that as a new question. Hope you will look into it.

Thanks. Sorry for troubling you so much.
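
Added example (not part of the original thread or any poster's code): the SecurityException in the last post is what the JVM raises when classes in one package do not all carry the same signer, for instance when an inner class file such as JDBCApplet$1.class was left out of the signed jar or added after jarsigner ran. This Python check lists which classes a jar's META-INF/*.SF file covers and flags packages with mixed coverage. The sample jar, the digest placeholders and the `loose_classes` parameter are constructed for illustration, and the check looks at listing only, not at digests or the signature itself (`jarsigner -verify` does that).

```python
import io
import re
import zipfile
from collections import defaultdict

def sf_names(text):
    """Entry names listed in a MANIFEST.MF or .SF file."""
    unfolded = re.sub(r"\r?\n ", "", text)   # join wrapped header lines
    return {l[len("Name: "):] for l in unfolded.splitlines() if l.startswith("Name: ")}

def signing_report(jar_bytes, loose_classes=()):
    """Per package, which classes a signature file lists and which it does not."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = jar.namelist()
        covered = set()
        for name in entries:
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                covered |= sf_names(jar.read(name).decode("utf-8"))
    classes = [(e, e in covered) for e in entries if e.endswith(".class")]
    # loose_classes (hypothetical parameter): class files served beside the jar,
    # not inside it, so the JVM loads them unsigned.
    classes += [(c, False) for c in loose_classes]
    report = defaultdict(lambda: {"signed": [], "unsigned": []})
    for cls, ok in classes:
        report[cls.rpartition("/")[0]]["signed" if ok else "unsigned"].append(cls)
    return dict(report)

def mixed_packages(report):
    """Packages ('' is the default package) holding signed and unsigned classes."""
    return sorted(p for p, r in report.items() if r["signed"] and r["unsigned"])

def build_sample_jar():
    """Constructed sample: the inner class is in the jar but not in TSTKEY.SF."""
    section = "Name: JDBCApplet.class\r\nSHA1-Digest: (constructed)\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n" + section)
        jar.writestr("META-INF/TSTKEY.SF", "Signature-Version: 1.0\r\n\r\n" + section)
        for name in ("JDBCApplet.class", "JDBCApplet$1.class"):
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    rep = signing_report(build_sample_jar())
    print({p: rep[p]["unsigned"] for p in mixed_packages(rep)})
```

Any package the check reports needs every one of its class files, inner classes included, placed in the jar before the signing step is repeated.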
