Editor's Note: Another great resource is Code Signing for Java applets, an excellent step-by-step guide which may be more up to date than this resource. |
The Java Signing FAQ is intended for people who already know how to program in some language (not necessarily Java though). To distinguish this from other Java FAQs, this is the "Java Signing FAQ", and it is posted in comp.lang.java.programmer.
The most up-to-date copy of this FAQ is available at: http://www.fastlane.net/~tlandry/javafaq.txt. It reflects the latest and most current version of the following Java enabled browsers:
Click on any heading to expand the list and see related questions.
A. The Java Signature FAQ gives the answer to your question in section N.n. ...
This gives them the answer, and shows them where to go for future questions (it also demonstrates that the FAQ can answer their questions, providing an incentive to go there next time.)
You can find this FAQ at http://www.fastlane.net/~tlandry/javafaq.txt
1.1 How do I search Deja News for past postings on Java topics, e.g. the FAQ?
A. Go to http://www.dejanews.com/home_sf.shtml
+ Under "Newsgroups" enter "comp.lang.java.programmer" (or whatever)
+ Under "Subject" enter "java code signing" (or other topic you find pressing)
+ Click "Create Filter"
+ It will go to a new document, and you should click the link labeled nnn Documents (nnn is some number). This makes finding information very easy.Also look at http://sunsite.unc.edu/java/cgi-bin/query and look at http://asknpac.npac.syr.edu/ for Java newsgroup search
http://www.javaworld.com/search.html can search the Javaworld newspaper
* taken originally from the "Java Programmers FAQ" by Peter van der Linden
1.2 Where can I find information about future Java APIs?
A. JavaSoft has followed a policy of creating new APIs in consultation with leading industry participants, then posting the draft specification for public review and comments. Check the JavaSoft roadmap of new APIs and products at http://Java.sun.com:80/products/api-overview/index.html Also, some APIs that are under consideration, possibly for JDK 1.2 are at: http://java.sun.com/products/jdk/preview/docs/
* taken originally from the "Java Programmers FAQ" by Peter van der Linden
2.0 What are the basic elements of public key encryption?
A. The four pillars of public key encryption are public/private key pairs, digital certificates, certificate authorities and an encryption algorithm.
Basically, the key pairs provide a means of exchanging messages, encryption algorithms "scramble" the message, digital certificates ensure that the send and receiver are who they claim to be, and the certificate authority ensures the validity of the digital certificates.
(This document will not get into the specific details of how this is accomplished. If you wish to learn more about digital certificates and encryption, read the documentation from Pretty Good Privacy (PGP) by Phil Zimmerman at "http://web.mit.edu/network/pgp")
2.1 What is a digital certificate?
A. A digital certificate is a software token that identifies you to others on the Internet, similar to the way your driver's license identifies you to others. Often recognized as a form of electronic signature, it is used to authenticate the identity of an individual or corporation. The receiver of a certificate must somehow validate that the sender is legitimate before accepting any risky requests from him/her.
2.2 What is a digital signature?
A. A digital signature is a means of applying a digital certificate to a message, thus guaranteeing that the message from who the sender claimed to be.
2.3 What does it mean to sign Java code?
A. Signing Java code means applying your digital signature to your .class, .jpg, .gif, etc. files. What this means to the end-user is the transmission of the Java applet is not sabotaged while in transit.
2.4 Why is it important to sign Java code?
A. Signing your Java code is important for two reasons. First, it is on of the cornerstones of public key encryption, i.e. security. Second, it gives the programmer access outside of the Java "sandbox," to additional resources.
2.5 What resources can I access if my code is signed?
A. In general you can gain access the following functionality:
- Issuing an RMI call to a remote object running on a different server than the applet's
- Executing a client-side program
- Reading from and writing to files stored on the client
- Sending a report to a local printer
- Accessing the system clipboard
- Reading the client's system properties (e.g. user name)
- Determining the structure of an object (fields, methods, values, etc.) using the Reflection API
2.6 If a Java applet can erase your hard disk, isn't that a security flaw?
A. No. Only signed applets can access resources such as the hard drive. Before the applet is allowed to access the resource, the browser must first ask some form of permission from the user. If the user does not allow the applet to access the resource is denied to the applet.
2.7 What are the competing methods of code signing?
A. Sun, Netscape and Microsoft all have competing methods of code signing. Unfortunately, all three are INCOMPATIBLE, which means you must sign you code three times with three different methods to support all Java enabled browsers.
This FAQ, we will only deal with the Netscape and Microsoft methods.
You can find more information on the Sun methods by reveiwing the Jdk 1.1 documentation available at http://Java.sun.com:80/products/api-overview/index.html
2.8 How to I purchase my digital signature?
<put info here>
2.9 Do I need two certificates to sign for both Netscape .jar and Microsoft .cab files?
A. Yes you need two certificates. One for Netscape Object Signing and one for Microsoft.
3.0 What tools do I need to sign my applet for Internet Explorer?
A. You need two programs to sign your code for Internet Explorer. Both programs are available for free at http://www.microsoft.com/java/download/dl_sdk2.htm in the Microsoft Java SDK 2.01.
The two programs are: cabarc.exe - this is similar to pkzip, except it will create cab files instead of zip or jar files. signcode.exe - this program will apply your digital signature to the .cab file
The idea is that you put all you applet files (*.class, *.gif, *.au, etc.) into a cab file, then you sign the cab file.
*Note: be sure to get the Latest MS Java SDK. Versions earlier than 2.0 may not work with the syntax in this FAQ.
3.1 Where can I get a digital signature for Internet Explorer?
A. You must apply for one at Verisign (www.verisign.com) or Thawte (www.thawte.com). You must use either a Class 2 or Class 3 certificate. When your application is accepted you will receive two files: MyKey.pvk - this contains your private key MyCredentials.spc - This contains your credentials
Be sure to back these files up in a secure place! (Do not post them to the Internet)
3.2 What are the advantages and disadvantages to the Microsoft Signing method?
A. Advantages over Sun or Netscape:
- CAB has higher compression than jar or zip
- CAB can contain ActiveX controls as well as Java files
- No programming changes are necessary
Disadvantages:
- Incompatible with JAR format
- Only Internet Explorer can read it
3.3 How do I sign the code (with full permissions)?
A. Signing your code is a two step process. First put your classes, graphics, sounds, etc. into a CAB file "mycab.cab" with the following command:
cabarc.exe -p -r -P g:\inetpub\wwwroot\java N mycab.cab *.*
Options: -p option means to save directory structure. -r means recurse subdirectories -P means strip specified prefix from files when added
Second, sign the cab file with the command:
signcode -spc c:\keys\MyCred.spc -v c:\keys\MyKey.pvk mycab.cab
Options: -spc location and name of your credentials file -v location and name of you private key file
You now have a signed CAB file that has access to all available resources.
3.4 How do I sign the code with refined permissions?
A. You can voluntarily place restrictions on your applet by signing with restrictions. A programmer may opt to use this method to explicitly request certain resources from the user ahead of time.
To do so you will need another program from the Microsoft Java SDK called "PINIEDIT.EXE." When you run this program, it will ask you what resources you need to explicitly request in your applet. It will then create a INI file. Here I named it MyPermissions.ini.
To sign your CAB file with refined permissions use the command:
signcode -j JavaSign.dll -jp c:\MyPermissions.ini -spc c:\keys\MyCred.spc -v c:\keys\MyKey.pvk mycab.cab
Options: -j Do exactly as seen above -jp Name of your INI file created with PINIEDIT.EXE
You now have a signed CAB file with restricted access.
A. CAB stand for CABinet archive file.
3.6 What <APPLET> tag do I need to use?
A. <applet width="550" height="300" code="MyApplet.class" codebase="/mycodebase/" archive="myjar.jar"> <param name="cabinets" value="mycab.cab"> You need a Java 1.1 capable browser to see this applet </applet>
This tag allows both Netscape and Microsoft browsers to read the same tag. Most browsers ignore the "cabinets" parameter.
3.7 Can IE read multiple CAB files on a web page?
A. Yes. A parameter named Cabinets may contain multiple CAB files, separated by commas (,).
Example: <param name="cabinets" value=cab1.cab,cab2.cab,cab3.cab">
3.8 CAN IE read CAB and JAR files in a single applet tag?
A. No it cannot. If there is a "cabbase" parameter, IE will ignore the ARCHIVE tag completely.
3.9 Can IE read signed JAR files?
A. IE can read JAR files, but it will ignore the manifest file (JAR Signature), therefore a signed JAR file is confined to the same applet "sandbox" as a regular unsigned applet.
3.10 How do I timestamp my CAB signatures?
A. According to Chris Shearer Cooper <ccooper@kersur.net>, you can timestamp your signed CAB file by adding
-t http://timestamp.verisign.com/scripts/timstamp.dll
to the command line.
3.11 What is a "Distribution Unit"?
A. Please see section 5 under "Microsoft method."
4.0 What tools do I need to sign my applet for Netscape Communicator?
A. You need one program, signtool, to sign your code for Netscape Communicator. The program is available for free at http://developer.netscape.com/software/tools/index.html?content=/software/signedobj/jarpack.html. in the package called "signtool."
4.1 Where can I get a digital signature for Netscape?
A. You must apply for one at Verisign (www.verisign.com) or Thawte (www.thawte.com). You must use either a Class 2 or Class 3 certificate. When your application is accepted you will receive 1 files: MyKey.p12 - this contains your private key
Other information is stored in CERT7.DB and KEY3.DB files. Be sure to back these files up as well!
Be sure to back these files and passwords up in a secure place! (Do not post them to the Internet)
4.2 What are the advantages and disadvantages to the Netscape method?
A. Advantages over Microsoft:
- Resources are requested from the user at the time they are used.
- uses the JAR format
Disadvantages:
- requires modification of your source code
4.3 Do I need to modify my code?
A. Yes. In order to access restricted resources you must modify your code using the Netscape Capability Classes. These classes are available for free at http://developer.netscape.com/library/documentation/signedobj/capsapi.html.
4.4 How do I use the Netscape Capabilities classes?
A. First, add the classes to your CLASSPATH.
Second, identify in your code where you request restricted resources. This is the code that you must modify.
Finally, requests to access restricted functions are performed through the enablePrivilege() method of the PrivilegeManager class. This method takes one parameter: a string object containing the name of the privilege that is being requested. This name is referred to as the target for the request.
For example, access to the client's local printer is requested as follows:
import netscape.security.*;
...
PrivilegeManager.enablePrivilege("UniversalPrintJobAccess");
... (printing code goes here)The UniversalPrintJobAccess target represents the privilege that allows access to a client's local printer. When this method is executed at runtime for a signed applet, the signer's certificate is displayed, prompting the client to grant the privilege requested.
4.5 What are some commonly used "Targets"?
A. Commonly requested privileges that you are likely to run across include the following:
Privilege Target Description UniversalConnect Access to network hosts different than the applet's codebase UniversalFileReadAccess Read access to the client's local files UniversalFileWriteAccess Write access to the client's local files UniversalFileDeleteAccess Delete access to the client's local files UniversalMemberAccess Access to an object's members using the Reflection API UniversalPrintJobAccess Access to the client's local printer UniversalPropertyRead Access to the client's system properties UniversalSystemClipboardAccess Access to the client's system clipboardA more complete set of privilege targets are available at Netscape's System Targets page (http://developer.netscape.com/library/documentation/signedobj/targets/index.htm).
4.6 Can I test my code without signing it?
A. If you modify your prefs.js file, all code will be recognized as being signed. This is good for developmental purposes.
Further intructions are available at http://developer.netscape.com/library/technote/security/sectn2.html.
A. signtool will first create the manifest files then zip all the files together into the jar file with the following command:
signtool.exe -dc:\keys\ -k"Ted S Landry's VeriSign Trust Network ID" -Zmyjar.jar Java
Options: -d name of the directory holdings the .db files and MyKey.p12. -k nickname of your signing certificate -Z the name of the zar file to create
Java is the name of the directory holding all my class files, libraries, graphics, etc.
Upon execution, signtool will read all files in the Java directory, create a new directory Java/Meta-inf that contains the JAR manifest file.
Second, signtool will create the actual JAR file.
4.8 How do I find out my certificate nickname?
A. Use the command:
signtool.exe -dc:\keys\ -L
This will list out all certificates on your "keyring," for example:
S Certificates - ------------ AT&T Certificate Services Thawte Personal Premium CA BelSign Object Publishing CA * Ted S Landry's VeriSign Trust Network ID Canada Post Corporation CA - ------------The asterisk designates the correct nickname to use. It is case sensitive, so use it exactly as it is shown with the signtool.exe -L option.
4.9 What <APPLET> tag do I need to use?
A. To support all browsers I use the tag:
<applet width="550" height="300" code="MyApplet.class" codebase="/mycodebase/" archive="myjar.jar"> <param name="cabinets" value="mycab.cab"> You need a Java 1.1 capable browser to see this applet </applet>
*The "cabinets" parameter is specific the IE browser.
4.10 Can Netscape read signed JAR files?
A. Netscape can read all JAR files, but will only recognize signatures generated using the signtool tool.
4.11 Can Netscape read multiple JAR files?
A. No. As of Netscape 4.04, the Netscape browser cannot read multiple JAR files in the archive tag. This is a known bug and is projected to be fixed in Netscape 4.05.
A. Sun Activator is a Javasoft written Java VM created to replace the VM in browsers such as IE and Netscape. Sun did this to reduce inconsistencies between the Sun, Microsoft and Netscape Virtual Machines.
<INSERT SUN ACTIVATOR INFORMATION HERE> <Currently Activator is in BETA, and signing information will be provided when the final version is released.>
6.0 Why would I save my classes to disk on the client browser?
A. Some applets are quite large, even with JAR and CAB compression. This results in download time that may be unacceptible for some applications. To remedy this problem, both Netscape and Microsoft have proprietery means of saving your Java classes to the users hard disk, such that, the only time a user must download the applet is when the classes have changed.
---- snip ------- from email message from jxski@spies.com ---- snip ----
another reason for putting classes on the local disk (section 6) -- at least for Netscape -- is making use of native methods. Netscape will only let classes loaded from the local disk load native libraries. Once the lib is loaded, however, netloaded classes can call the native methods (provided they have access to the class, the method isn't private, etc. -- normal Java stuff).
6.1 What is the Microsoft method?
The following section was contributed by Chris Shearer Cooper <ccooper@kersur.net>:
The Microsoft method uses the DUBUILD utility. This is to "build" a "Distribution Unit". It creates a CAB file like cabarc, but with additional information describing the applet and its version. It looks like this:
dubuild myApplet.cab . /D "My happy applet" /I *.class /V 1,1,1,47
You follow this with the same signcode as with the cabarc command. Then your APPLET tag looks something like this :
<APPLET code=myApplet name=myApplet width=400 height=300> <PARAM name=useslibrary VALUE="My happy applet"> <PARAM name=useslibrarycodebase VALUE="myApplet.cab"> <PARAM name=useslibraryversion VALUE="1,1,1,47"> </APPLET>
Much as it pains me to say this, it's pretty cool - by doing this, your applet is downloaded once and stored in a special spot on the user's machine. The next time you visit a site that uses this applet, it checks the version numbers and doesn't even touch the CAB file if it already has an up-to-date applet stored locally.
HOWEVER, it's buggy in MSIE 4.0 and 4.01. If you have signed your CAB with extra permissions requested, it seems to forget those permissions during the process of storing the applet locally.
7.0 How will Java code signing change in JDK1.2?
7.1 Where can I find additional applet signing information?
*Dan Griscom has a very good web page at http://www.suitable.com/Doc_Codesigning.shtml that goes into great detail regarding code signing. RECOMMENDED.
*Netscape has their Object Signing Tools FAQ available at: http://developer.netscape.com/software/tools/index.html?content=/software/signedobj/jarpack.html
Thank you to all those people that helped create this FAQ. Without people like the following, the Internet would never be what it is today.
Thanks to:
Peter van der Linden - creator "Java Programmers FAQ" - available at http://www.best.com/~pvdl/javafaq.txt
George Ruban - http://www.geocities.com/SiliconValley/Vista/2013
Gerald Shifrin
Robert Lynch
Paul Vincent Craven, AA0PE - http://www.raccoon.com/~pcraven
Chris Shearer Cooper <ccooper@kersur.net>
Dan Griscoms applet signing page at http://www.suitable.com/Doc_Codesigning.shtml
I'm looking for feedback on this document. If you have and additions or suggestions, please email them to tlandry@fastlane.net.