How to sign a Java applet
by, 12-09-2011 at 06:16 AM (14311 Views)
Why signing an applet?
By default, a Java applet is running inside a restricted environment called “sandbox”. The sandbox isolates the applet outside the browser environment and user’s computer, preventing maliciously coded applets from running without user’s granted permission.
Applets are considered to be untrusted if they are not signed with a security certificate. Untrusted applets are also referred to as unsigned applets. Being inside the security sandbox, unsigned applets are limited to execute only a set of safe operations.
The following operations that unsigned applets are prevented from executing:
- Accessing the local file system, executable files, system clipboard, and printers on client’s computer.
- Connecting to any server other than the server where they are hosted.
- Loading native libraries.
- Altering the SecurityManager.
- Creating a ClassLoader.
- Reading some of system properties.
So if you wish to write an applet that needs to do some of the above operations, you need to sign your applet using a security certificate. For example, you write an applet that reads local file system, enumerates printers or uploads files via FTP…
A signed applet can only run outside the security sandbox if the user grants permission by accepting the applet’s security certificate. If the user denies, the applet will run within the security sandbox as an unsigned applet.
There is another way to give permissions to applets, it is the applet’s policy file. However, the policy file approach is not convenience for end users since it requires user’s intervention to manually store the file on their computer in the right location. The policy file is suitable for development and testing purpose only.
To sign an applet, you need to have:
- A signing tool. The Java SDK provides a tool called “jarsigner”. The tool is located at your_java_home_folder\bin directory.
- An RSA keypair of public key and private key. The Java SDK provides a tool called “keytool” to generate the keypair.
- The applet and all its class files, bundled as a JAR file.
Getting RSA Certificates
You can purchase for RSA certificates from a Certificate Authority (CA), such as VeriSign and Thawte. To obtain a certificate from a CA, you need to provide the certificate signing request (CSR). The steps are as follow:
- Use keytool to generate an RSA keypair.
- Use keytool to generate the certification signing request, then submit the CSR to the CA.
- The CA will send you a certificate reply (chain) by email. Import the chain into your keystore.
- Use jarsigner to sign applet’s JAR file.
You should follow all the steps above to get your certificate validated by the CA. However, for the simplicity of testing purpose, you can skip the second and third steps. That means the certificate generated by the keytool can be used to sign the applet without validation from the CA, as long as the user accepts the security certificate signed for the applet.
This article will guide you with the first and last steps. For full steps, refer to the reference links at the end of this article.
The syntax to generate a keypair is as follow:
keytool -genkey -alias <alias_name> -keystore <keystore_name> -keypass <key_pass> -dname <distinguished name> -storepass <store_pass> -validity <days_will_expired>
keytool -genkey -alias signFiles -keystore compstore -keypass kpi_100626 -dname "CN=MyApplet" -storepass a8b6c5 -validity 1825
will generate a keypair with an alias “signFiles”, the key pair is stored in a file named “compstore” with a password “a8b6c5”, password for the key is “kpi_100626”, distinguished name is “CN=MyApplet” means the certificate represents for an entity named “MyApplet”, and the validity of the certificate is up to 5 years (1825 days).
After the command is executed, a file “compstore” is created and it contains your certificate information.
Bundling Java Applets as JAR Files
To use jarsigner to sign applets with RSA certificates, the applets must be bundled as JAR files. The Jar tool (command jar ...), which comes with the Java 2 SDK, can be used for that purpose. For example, to create a JAR file MyApplet.jar containing all the files under the current directory and its sub-directories:
jar cvf MyApplet.jar
After the JAR file is created, you should verify its content using the jar tool again, for example:
jar tvf MyApplet.jar
This ensures that the class files are stored with the proper path within the JAR file.
Signing Java applet
The syntax to sign the applet’s JAR file is as follow:
jarsigner -keystore <keystore_name> -storepass <store_pass> -keypass <key_pass> -signedjar <signed_jar_file_path> <original_jar_file_path> <alias_name>
The following command will sign the MyApplet.jar file with the certificate stored in “compstore” file:
jarsigner -keystore compstore -storepass a8b6c5 -keypass kpi_100626 -signedjar SMyApplet.jar MyApplet.jar signFiles
The command outputs a signed jar file named “SMyApplet.jar”. Your applet has been signed and you are now ready to deploy it on your server.
When a signed applet is loaded in a browser for the first time, a security dialog says that the applet’s certificate is not validated and asks you to accept or deny. Once you accepted the certificate, your applet is able to do the restricted operations which are not allowed for normal applets.
Figure: The security dialog appears when a signed applet is loading for the first time and needs user’s acceptance.
Signing reference libraries
If your applet is using external libraries, you need to sign all of them as well. Otherwise, the code of the external libraries is considered as untrusted.
- What Applets Can and Cannot Do:
- How to Sign Applets Using RSA-Signed Certificates: