Saturday, February 16, 2008

Signed Java Applets

Hey, welcome back with a new blog !! today I am talking about both Java and web, more clearly Java Applets

Let us see the problem. Days ago, I was developing a Java Applet that capture a snapshot for Desktop and send it to Flash movie embedded in the same HTML page to provide Desktop Sharing (viewing share not remote access) facility for our web application. I finished developing the applet on Eclipse IDE and it was running well. When embedding it in HTML page, it gave access denied (java.awt.AWTPermission createRobot)
(as I used AWT package to capture the screen). So, what is the problem ?!!

I surfed the net for such problem and it was the first time to deal with Java security policy. This policy resides in java.policy file located at $JAVA_HOME\jre\lib\security. Problem is that Applets, unlike Applications, are not trusted by default by Java security policy. It is restricted for some operations like accessing the local file system, asking for socket connection,... etc. The solution is what called Signed Java Applet.

Before completing with Java Signed Applet, let us see why the applet run on Eclipse IDE the first time. When running the applet in Applet Viewer through Eclipse, Eclipse generates a policy file in the folder contains this applet called java.policy.applet and associate it with the applet. The content of the file (for my applet) was as following:

/* AUTOMATICALLY GENERATED ON Tue Apr 16 17:20:59 EDT 2002*/

grant {

It is clear that it allows the developer applet to do everything assuming that developers (which use Eclipse IDE) are mature enough to take care about disasters may harm their local computers. So everything is running on Applet Viewer.

Java Signed Applet is an applet associated with a digital certificate. Digital certificates are authored by trustworthy authorities. Signing an Applet needs to get a certificate from one of these authorities, which is most of time costs money for sure, so users can trust your applet and give it permission to do its operation. Digital certificate contains the holder party(which is you in this case) besides the certificate authority (e.g. Sun MicroSystems). No specific authorities monopoly giving certificates, but companies have good reputation or something like that can give this certificate. You can create your own certificate for developing and testing issues.

After singing the applet, browser will pop up a dialog to users when the applet is loading displaying the digital certificate associated with the applet and let the user permit the applet to be authorized on his computer or reject the certificate which let the applet behave like unsigned one.

We may talk about digital certificates in details later; but at a glance, it depends on public key encryption algorithms (e.g. RSA algorithm, click here to read more about RSA) that generates a pair of public and private keys and use this to verify the validity of the certificate within its expiration period.

Now, let us see how to sign our applets with our own digital certificate for development purposes:

1. Create your code for the applet as usual.
It is not necessary to set any permissions or use security managers in
the code.

2. Install JDK 1.5
Path for use of the following commands: $JAVA_HOME\bin
(commands are keytool, jarsigner)
Password for the keystore is any password.

3. Generate key:
keytool -genkey -keyalg rsa -alias tstkey
Enter keystore password: ******* (any password)
What is your first and last name?
[Unknown]: Your Name
What is the name of your organizational unit?
[Unknown]: YourUnit
What is the name of your organization?
[Unknown]: YourOrg
What is the name of your City or Locality?
[Unknown]: YourCity
What is the name of your State or Province?
[Unknown]: YS
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
[no]: yes


Enter key password for tstkey
(RETURN if same as keystore password):

(press [enter])

4. Export key: keytool -export -alias tstkey -file tstcert.crt

Enter keystore password: *******
Certificate stored in file tstcert.crt

5. Encapsulate your applet in a JAR file (click here to read how to create JAR files).

6. Sign JAR:
jarsigner signedApplet.jar tstkey
Enter Passphrase for keystore: *******

8. Verifiy Signing: jarsigner -verify -verbose -certs signedApplet.jar

130 Thu Feb 12 13:04:12 GMT+02:00 2008 META-INF/MANIFEST.MF
183 Thu Feb 12 13:04:12 GMT+02:00 2008 META-INF/TSTKEY.SF
920 Thu Feb 12 13:04:12 GMT+02:00 2008 META-INF/TSTKEY.RSA
Thu Feb 12 12:58:28 GMT+02:00 2008 META-INF/
smk 849 Thu Feb 12 12:49:04 GMT+02:00 2008 SignedApplet.class

X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

9. Create HTML file for use of the Applet using tag

<"applet" code="SignedApplet.class" width=100 height=140 archive="signedApplet.jar">"</"applet">

where signedApplet.jar reside next to HTML file and SignedApplet.class encapsulated in it.

10. Run HTML page and test your applet.

I tested it on my PC using JDK 1.5 Update 8 to sign the applet and take the applet on my laptop and run well.

I hope this helps.

No comments: