Do not understand the signed applet code posted by irene

Posted on 2003-03-22
Medium Priority
Last Modified: 2013-11-23
Hi, i posted question bef on signed applet,applicaton-applet socket and so on , i could not do it coz i was not getting the signing applet right.The tutorials were useful and i got a lot of help bu t still i was not able to do it.

  Is there  any of you who have used the said code below.I found it in the java forum.I don't understand how it works.Could any one explain it to me and help it work for me.I have changed from signed to policy .It's a nigtmare.

-----begin irene67's original message -----
These steps describe the creation of a self-signed applet. This is useful for testing purposes. For use of public reachable applets, there will be needed a "real" certificate issued by an authority like VeriSign or Thawte. (See step 10 - no user will import and trust a self-signed applet from an unkown developer).

The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this indepence, it makes no sense to use java...

1. Create your code for the applet as usual.
It is not necessary to set any permissions or use security managers in
the code.

2. Install JDK 1.3
Path for use of the following commands: [jdk 1.3 path]\bin\
(commands are keytool, jar, jarsigner)
Password for the keystore is *any* password. Only Sun knows why...
perhaps ;-)

3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
Enter keystore password: *******
What is your first and last name?
[Unknown]: Your Name
What is the name of your organizational unit?
[Unknown]: YourUnit
What is the name of your organization?
[Unknown]: YourOrg
What is the name of your City or Locality?
[Unknown]: YourCity
What is the name of your State or Province?
[Unknown]: YS
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
[no]: yes


Enter key password for tstkey
(RETURN if same as keystore password):

(press [enter])

4. Export key: keytool -export -alias tstkey -file tstcert.crt

Enter keystore password: *******
Certificate stored in file tstcert.crt

5. Create JAR: jar cvf tst.jar tst.class
Add all classes used in your project by typing the classnames in the
same line.

added manifest
adding: tst.class(in = 849) (out= 536)(deflated 36%)

6. Verify JAR: jar tvf tst.jar

Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

7. Sign JAR: jarsigner tst.jar tstkey
Enter Passphrase for keystore: *******

8. Verifiy Signing: jarsigner -verify -verbose -certs tst.jar

130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
(recommended to use HTML Converter Version 1.3)

10. (Omitted See Below)

-----end irene67's original message -----

To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.

1) Is to export a cert request using the key tool and send it to a CA verification source like verisign.
When the reponse comes back, import it into the keystore overwriting the original cert for the generated key.

To export request:
keytool -certreg -alias tstkey -file tstcert.req

To import response:
keytool -import -trustcacerts -alias tstkey -file careply.crt

An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.

2) For development or otherwise, you may want to just use your self-signed certificate.
In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.

To import self-signed certificate into the cacerts keystore, change directory to where the JDK plugin key store is located.
For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security

Import your self-signed cert into the cacerts keystore:
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
(the password is literally 'changeit')

Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he / she chooses. If your applet uses classes from multiple jars, for example Apache's Xerce's parser, you will need to sign those jars as well to allow them to execute in the client's brower. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting and all other classes from unsigned jars will run in the sandbox.

NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.

The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.

-end original message------------

Note: since i would be devoloping in the intranet , i think a self signed cert would be sufficient.

Thanks in advance
Question by:Jasbir21
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 9
LVL 92

Expert Comment

ID: 8188758
From your previous message you have stated you developing an applet for use by the MS VM. Is this still true?
The above descibes signing for a the Java plugin from Sun.

Author Comment

ID: 8188794
Hi objects, i was hoping you would answer.Thanks.I posted a new question, coz i thought i am asking to many questions in a posted question.
  If  i use MS VM, becoz of the court thing($$$), i am unable to make a test cert.When i read the link that you gave me, i really understood that installing java should not be a big issue.( i would installit myself on the  machines if my boss finds it a bit to difficult to do it)So, by installing java, ie(internet explorer) is going to use the plug in to open it right.so i could use the policy tool as well  if boss is a bit fussy.

Thanks,pls do answer
LVL 92

Expert Comment

ID: 8188846
You need to be more specific about what problems you are having.
You keep repeatedly asking virtually the same question.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 92

Expert Comment

ID: 8188849
> If  i use MS VM, becoz of the court thing($$$), i am unable to make a test cert.

MS has nothing to do with creating a test cert.

Author Comment

ID: 8188921
Sorry, i am bad in explaining.Ok, to make the test cert, i need to download Microsoft Java SDK,but when i went to the website i found this:

*** WARNING ***  
As part of the battles between Microsoft and Sun, Microsoft has stopped making their Java SDK available, and have removed virtually all Java documentation from their website. This means that, unless you already have a copy, or can persuade someone else to break the Microsoft licensing agreement and give you a copy (don't ask me!) then you won't be able to sign Java applets for use in Internet Explorer.

The workaround is to sign for the Sun Java Plugin, which can be installed in Internet Explorer, recognizes Netscape-signed applets (but not Netscape's security calls), and is distributed freely.

I'm hoping to rewrite this document to more fully explore code signing for the Java Plugin. If you'd like to hear about the update when (if) it happens, then follow the instructions below to add yourself to my mailing list.

Daniel Griscom, 3/7/03

So, my only option know would be using the java plugin.



Author Comment

ID: 8188926
Sorry again if i was not being specific earlier.
LVL 92

Expert Comment

ID: 8188941
> to make the test cert, i need to download Microsoft Java SDK

Wrong, to make a test cert you need to run keytool.
You need MS SDK to create a signed cab.

LVL 92

Expert Comment

ID: 8188956
So exactly what is your problem with signing a jar, or changing security policy file? You've got lots of details of what is required in your previous questions.

Author Comment

ID: 8188992
a)I thought i need the MAKECERT.exe tool to create a   certificate??
Creating a certificate
A code signing certificate for MSIE can be generated by means of the MS tools provided with the Microsoft JAVA-SDK, downloadable from the Microsoft web site. To create a private certificate, follow these steps:
1: Using the MAKECERT.exe tool, generate a new certificate as follows:

makecert /sv "ms_ACME.pvk" /n "CN=ACME Certificate" ms_ACME.cer

ms_ACME.pvk is the name of the private key file to be generated
ms_ACME.cer is the certificate file to be generated
ACME Certificate is the name of the certificate
Note: during this phase a password is requested in two occasions. It must be the same password in both cases and will be requested when signing the software, so DON'T forget it!
2: Generate a .spc file as follows:

Cert2spc ms_ACME.cer ms_ACME.spc

This step generates the file ms_ACME.spc


b) when i did the policy file, it works only on my comp, the moment i shifted it to the server.I tried it , i had some problems.


Author Comment

ID: 8188994
That's why i decided to use keytool after i could not get the makecert tool.Sorry for confusing things.

Author Comment

ID: 8188996
When i did the steps using the above code, there were not error, however my wheen i typed the line
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt , i had the following error, bad command or file name.

LVL 92

Expert Comment

ID: 8189000
you just need to include the directory containing keytool in your PATH, or specify the absolute location of keytool.
LVL 92

Expert Comment

ID: 8189011
> when i did the policy file, it works only on my comp

Yes (as previously explained) that's how it works.
Each jre has it's own policy file.

Author Comment

ID: 8189069
> when i did the policy file, it works only on my comp

Sorry, i think i was not being specific again.My java code has to be in that dir( in the same com) to get it work.

I included the path by typing

set path=c:\j2sdk1.4.0.03\bin (note:keytool is located in the bin)

In my comp, i found the security file
on C:\j2dk1.4.0.03\jre\lib\security

I still got the same error.
Objects , sorry for disturbing you again and aganin, but i hope u understand that i am new to this ( industrial trainee), so i am trying all the ways i can find to finish it.I know i am jumbling all the facts as well


LVL 92

Expert Comment

ID: 8189089
OK you are attermpting two different approaches at the same time and would suggest attacking one at a time to avoid confusion:

1. regards signing try:

c:\j2sdk1.4.0.03\bin\keytool .....

2. regards the policy file, it specifies not only what permissions to grant, but also to what code. ie. you move the classes, you need to change the entry.
This is discussed in the Java tutorial link on security I posted previously.

Author Comment

ID: 8189335
Hi, think i would do signing first and not confuse things and jumble up everything.

I redid the whole thing again, and i typed the path as
set path=c:\j2sdk1.4.0.03\bin\keytool, still had the same error.

Think i would state what i did:

 step1: i created an applet and named it FileIO.java

 step2: typed c:\j2sdk1.4.0_03\bin
So, now i am in the bin directory.


step3:Generate key:
c:\j2sdk1.4.0_03\bin> keytool -genkey -keyalg rsa -alias tstkey

step4:Export key:
c:\j2sdk1.4.0_03\bin>  keytool -export -alias tstkey -file tstcert.crt

step5:Create JAR:

c:\j2sdk1.4.0_03\bin> jar cvf tst.jar FileIOAppl.class

step6:Verify JAR
c:\j2sdk1.4.0_03\bin>  jar tvf tst.jar

step7:Sign JAR
c:\j2sdk1.4.0_03\bin> jarsigner tst.jar tstkey

step8:Verifiy Signing
c:\j2sdk1.4.0_03\bin> jarsigner -verify -verbose -certs tst.jar

step9:creating the html file


problem starts ....

step11 :change dir and set path


  set path=c:\j2sdk1.4.0.03\bin\keytool

  Then , i copied the tstcert and pasted it in the security folder
c:j2sdk1.4.0_03\jre\lib\security>keytool -import -keystore cacerts -storepass changeit -file tstcert.crt

and then i got that error.

I really do not know what mistake i could have down.


Author Comment

ID: 8189897
Hi, i think i got my tstcert right.I mean when i click it , it considers it self trusted.
What do i do, so that i mean when i click my applet, a window should come out to ask or request permission.

In the posted link, they used tools such as cabarc.exe ...
(Microsoft Java SDK), but what should i use.


LVL 92

Accepted Solution

objects earned 800 total points
ID: 8192153
> step11 :change dir and set path

I didn't see anything talking about changing path.

> c:j2sdk1.4.0_03\jre\lib\security>keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
> and then i got that error.

So your problem has nothing to with signing, it is related to importing the test cert.
As I mentioned above either add your bin dir to your path, or specify the absolute path:

c:\j2sdk1.4.0.03\bin\keytool -import -keystore cacerts -storepass changeit -file tstcert.crt


Author Comment

ID: 8199703
Hi, i think it works.When i clicked the html file a window popped up and asked me whether i would like to grant permisson to this applet.

When i pressed yes, the error i got is
java.lang.SecurityException :Class " JDBCApplet$1's signer information does not match signer information of other classes in the same package.
I am posting that as a new question.Hope you would look into it .

Thanks.Sorry for troubling you so much


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

INTRODUCTION Working with files is a moderately common task in Java.  For most projects hard coding the file names, using parameters in configuration files, or using command-line arguments is sufficient.   However, when your application has vi…
Java Flight Recorder and Java Mission Control together create a complete tool chain to continuously collect low level and detailed runtime information enabling after-the-fact incident analysis. Java Flight Recorder is a profiling and event collectio…
Video by: Michael
Viewers learn about how to reduce the potential repetitiveness of coding in main by developing methods to perform specific tasks for their program. Additionally, objects are introduced for the purpose of learning how to call methods in Java. Define …
This tutorial explains how to use the VisualVM tool for the Java platform application. This video goes into detail on the Threads, Sampler, and Profiler tabs.
Suggested Courses
Course of the Month12 days, 5 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question