Signing applets

 
Greenhorn
Posts: 12
Hi, I am new to signing applets. I found this article very useful, but I think I made a mistake since I am still a baby in Java. I hope someone can help me. Please.
original message<ncoleman1>-----begin irene67's original message -----
These steps describe the creation of a self-signed applet. This is useful for testing purposes. For publicly reachable applets, a "real" certificate issued by an authority like VeriSign or Thawte will be needed. (See step 10 - no user will import and trust a self-signed applet from an unknown developer).
The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this independence, it makes no sense to use Java...
1. Create your code for the applet as usual.
It is not necessary to set any permissions or use security managers in
the code.
2. Install JDK 1.3
Path for use of the following commands: [jdk 1.3 path]\bin\
(commands are keytool, jar, jarsigner)
Password for the keystore is *any* password. Only Sun knows why...
perhaps ;-)
3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
Enter keystore password: *******
What is your first and last name?
[Unknown]: Your Name
What is the name of your organizational unit?
[Unknown]: YourUnit
What is the name of your organization?
[Unknown]: YourOrg
What is the name of your City or Locality?
[Unknown]: YourCity
What is the name of your State or Province?
[Unknown]: YS
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
correct?
[no]: yes
(wait...)
Enter key password for tstkey
(RETURN if same as keystore password):
(press [enter])
4. Export key: keytool -export -alias tstkey -file tstcert.crt
Enter keystore password: *******
Certificate stored in file tstcert.crt
5. Create JAR: jar cvf tst.jar tst.class
Add all classes used in your project by typing the classnames in the
same line.
added manifest
adding: tst.class(in = 849) (out= 536)(deflated 36%)
6. Verify JAR: jar tvf tst.jar
Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
7. Sign JAR: jarsigner tst.jar tstkey
Enter Passphrase for keystore: *******
8. Verify Signing: jarsigner -verify -verbose -certs tst.jar
130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
(tstkey)
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
(recommended to use HTML Converter Version 1.3)
10. (Omitted See Below)
-----end irene67's original message -----
To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.
1) Export a cert request using the keytool and send it to a CA verification source like VeriSign.
When the response comes back, import it into the keystore, overwriting the original cert for the generated key.
To export request:
keytool -certreq -alias tstkey -file tstcert.req
To import response:
keytool -import -trustcacerts -alias tstkey -file careply.crt
An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.

2) For development or otherwise, you may want to just use your self-signed certificate.
In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.
To import self-signed certificate into the cacerts keystore, change directory to where the JDK plugin key store is located.
For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security
Import your self-signed cert into the cacerts keystore:
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
(the password is literally 'changeit')

Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he / she chooses. If your applet uses classes from multiple jars, for example Apache's Xerces parser, you will need to sign those jars as well to allow them to execute in the client's browser. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting and all other classes from unsigned jars will run in the sandbox.
NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.
The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.

---end message -----------------

I am going to use my applet on an intranet, so I think a self-signed cert is sufficient. I am using j2sdk1.4.0_03.

When I typed this line:
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
When I redid the whole thing, I typed the last line and got this error:
Bad command or file name.
I have read other tutorials, and I found that they differ from each other, and it is also a bit confusing. The steps listed above seem simple. Could anyone please help me?

Thanks,
 
Saloon Keeper
Posts: 27752

Originally posted by Jasbir Dhaliwal:

When I typed this line:
keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
When I redid the whole thing, I typed the last line and got this error:
Bad command or file name.


Well, I can't comment on everything you wrote, since it's been nearly 2 years since anyone paid me to worry about such things, but as far as your problem with "keytool", it looks like you simply haven't added your JDK's "bin" directory to your PATH. That's not a Java problem but a problem in getting your OS (Windows, Linux or whatever) set up.
BTW, I closed your other post since as far as I could see it was just a duplicate of this one. You should be able to delete it if you like.
[ March 24, 2003: Message edited by: Tim Holloway ]
 
Jasbir Dhaliwal
Greenhorn
Posts: 12
Hi, I tried it again, and this is what I got:
Hi, I need to connect my applet to a database. So, I need to sign it.
Step 1: I created my applet (Java code) - tst.java
step 2: I went to the j2sdk1.4.0_03\bin
c:\j2sdk1.4.0_03\bin>
(so now I am in the bin directory)

step3: generate key
c:\j2sdk1.4.0_03\bin> : keytool -genkey -keyalg rsa -alias tstkey
Enter keystore password: *******
What is your first and last name?
[Unknown]: Your Name
What is the name of your organizational unit?
[Unknown]: YourUnit
What is the name of your organization?
[Unknown]: YourOrg
What is the name of your City or Locality?
[Unknown]: YourCity
What is the name of your State or Province?
[Unknown]: YS
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
correct?
[no]: yes
(wait...)
Enter key password for tstkey
(RETURN if same as keystore password):
(press [enter])
OK - I got this step right
step 4: Export key:
Enter keystore password: *******
Certificate stored in file tstcert.crt
OK - I got this step right

step 5. Create JAR
jar cvf tst.jar tst.class classes12.zip nls_charset12.zip
(Add all classes used in your project by typing the classnames in the
same line.
added manifest)
adding: tst.class(in = 849) (out= 536)(deflated 36%)
adding:classes12.zip...
adding:nls_charset12.zip...
OK - I got it right
step 6: Verify JAR
jar tvf tst.jar
I got it right
step 7: Sign JAR:
jarsigner tst.jar tstkey
Enter Passphrase for keystore: *******
I got it OK
step 8: Verify Signing:
jarsigner -verify -verbose -certs tst.jar
I got it OK
step 9: create HTML file
step 10: create link
<HTML>
<HEAD><TITLE>JDBC Applet</TITLE></HEAD>
<BODY BGCOLOR="brown">
<H2 ALIGN="center">JDBC Applet</H2>
<BR>
<P ALIGN="center">
<!--"CONVERTED_APPLET"-->
<a href=my>http://j2sdk1.4.0_03/bin/my/tst.crt</a>;
<!-- HTML CONVERTER -->
<OBJECT
classid="clsid:CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA"
WIDTH = 700 HEIGHT = 550
codebase="http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab#Version=1,4,0,30">
<PARAM NAME = CODE VALUE = "tst.class" >
<PARAM NAME = ARCHIVE VALUE = "tst.jar,classes12.zip,nls_charset12.zip" >
<PARAM NAME="type" VALUE="application/x-java-applet;jpi-version=1.4.0_03">
<PARAM NAME="scriptable" VALUE="false">
<PARAM NAME = "JdbcDriver" VALUE ="oracle.jdbc.driver.OracleDriver">
<PARAM NAME = "JdbcUrl" VALUE ="jdbc:oracle:thin:@216.53.126.14:1521:KLM">
<PARAM NAME = "User" VALUE ="combtest">
<PARAM NAME = "Password" VALUE ="combtest">
<COMMENT>
<EMBED
type="application/x-java-applet;jpi-version=1.4.0_03"
CODE = "tst.class"
ARCHIVE = "tst.jar,classes12.zip,nls_charset12.zip"
WIDTH = 700
HEIGHT = 550
JdbcDriver = "oracle.jdbc.driver.OracleDriver"
JdbcUrl = "jdbc:oracle:thin:@216.53.126.14:1521:KLM"
User = "combtest"
Password = "combtest"
scriptable=false
pluginspage="http://java.sun.com/products/plugin/index.html#download">
<NOEMBED>
</NOEMBED>
</EMBED>
</COMMENT>
</OBJECT>
<!--
<APPLET CODE = "tst.class" ARCHIVE = "tst.jar,classes12.zip,nls_charset12.zip" WIDTH = 700 HEIGHT = 550>
<PARAM NAME = "JdbcDriver" VALUE ="oracle.jdbc.driver.OracleDriver">
<PARAM NAME = "JdbcUrl" VALUE ="jdbc:oracle:thin:@216.53.126.14:1521:KLM">
<PARAM NAME = "User" VALUE ="combtest">
<PARAM NAME = "Password" VALUE ="combtest">

</APPLET>
-->

<!--"END_CONVERTED_APPLET"-->
</BODY>
</HTML>
I was going through the forum, and I found another step
(I am still in the bin directory)
extra step: keytool -import -keystore cacerts -storetype JKS -alias test -file tst.crt
Enter keystore password:******
Owner :
Issuer:
Serial number:
Valid from:
Certificate fingerprints:
Trust this certificate:yes
Certificate was added to keystore.
-------------------------------
When I ran the HTML, a window pops up and asks me whether I would like to download the applet.
I press "grant this session".
Then another message pops up:
java.lang.SecurityException:class"tst.class$1",signer information does not match signer information of other classes in the same package"
Please help, I don't know what to do.
Best regards,
Jasbir
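
The SecurityException quoted in the post above is what the JVM raises when classes in one package do not all carry the same signer certificates. The following check is an added example, not from the thread or its participants: it reads every class in the archives given on the command line (for instance the ones named in the ARCHIVE attribute) and reports packages whose classes have differing signer sets, counting unsigned as its own set. The class name SignerCheck is made up for illustration, and the code assumes a current JDK (9 or later) rather than the 1.3/1.4 releases discussed here.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper. Usage: java SignerCheck tst.jar [more.jar ...] */
public class SignerCheck {
    public static void main(String[] args) throws Exception {
        // package name -> (signer set -> classes carrying that signer set)
        Map<String, Map<Set<String>, List<String>>> byPackage = new TreeMap<>();
        for (String path : args) {
            // verify=true: digests and signatures are checked while entries are read
            try (JarFile jar = new JarFile(path, true)) {
                for (JarEntry e : Collections.list(jar.entries())) {
                    if (!e.getName().endsWith(".class")) continue;
                    try (InputStream in = jar.getInputStream(e)) {
                        in.readAllBytes(); // signers are only known after a full read
                    }
                    Set<String> signers = new TreeSet<>();
                    CodeSigner[] cs = e.getCodeSigners(); // null means unsigned
                    if (cs != null) {
                        for (CodeSigner s : cs) {
                            var c = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                            signers.add(c.getSubjectX500Principal().getName());
                        }
                    }
                    int slash = e.getName().lastIndexOf('/');
                    String pkg = slash < 0 ? "(default package)"
                                           : e.getName().substring(0, slash).replace('/', '.');
                    byPackage.computeIfAbsent(pkg, k -> new HashMap<>())
                             .computeIfAbsent(signers, k -> new ArrayList<>())
                             .add(path + "!" + e.getName());
                }
            }
        }
        boolean mismatch = false;
        for (Map.Entry<String, Map<Set<String>, List<String>>> p : byPackage.entrySet()) {
            if (p.getValue().size() < 2) continue; // one signer set: consistent
            mismatch = true;
            System.out.println("MISMATCH in package " + p.getKey());
            p.getValue().forEach((signers, classes) -> System.out.println(
                "  " + (signers.isEmpty() ? "[unsigned]" : signers) + " -> " + classes));
        }
        System.exit(mismatch ? 1 : 0); // non-zero exit when any package is inconsistent
    }
}
```

Class files that the browser fetches from the codebase outside any archive are not seen by this check.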