ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button

Java Plug-in 1.3 and RSA Signed Applets
Pages: 1, 2, 3

Why SimpleScannerApplet needs to be trusted
The SimpleScannerApplet needs to be trusted because it has the potential to make network connections to arbitrary Internet hosts. This capability is not permitted by the default applet security policy. Attempts to make connections to hosts other than the one from which the applet is loaded will result in the throwing of a SecurityException.



The following HTML file can be used to run the applet.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "DTD/xhtml1-transitional.dtd">
<html>
<head><title>SimpleScannerApplet</title></head>
<body>
<div style="text-align: center">
<h1>SimpleScannerApplet</h1>
<applet name="ScanApplet" code="SimpleScannerApplet.class" archive="scan.jar"
  width="600" height="125">
Java not supported.
</applet>
</div>
</body>
</html>

If you compile the apple and run it iwth appletviewer and the HTML above, you'll get the following output.

Screen shot.

You'll be able to scan your local host for open TCP ports because the appletviewer loads the applet from your local file system.

Screen shot.

However, if you try to scan other hosts, you'll encounter a security exception.

Screen shot.

Using SimpleScannerApplet with Java Plug-in 1.3
In order to be able to use SimpleScannerApplet to scan other hosts, we'll make it available as an RSA signed applet that executes via the Java plug-in 1.3. This involves the following steps.

  1. Package the applet classes as a JAR file.
  2. Obtain and install an RSA code signing certificate.
  3. Sign the JAR file using the RSA code signing certificate.
  4. Convert the scanner.htm file with Sun's HTML converter.
  5. Deploy the converted scanner.htm file and signed JAR file.

I'll walk you through each of the above.

Using the jar Tool
JAR files are used to archive the class files and other files used by applets and applications. JAR files are similar to Unix tar files and Windows zip files. The applet's classes must be packaged into a JAR file for code signing. Sun's keytool only signs JAR files and not individual class files.

The process of creating a JAR file is simple. Go to the directory where you compiled SimpleScannerApplet.java. You'll find the following .class files in this directory:

SimpleScannerApplet$Scanner.class
SimpleScannerApplet$ScannerException.class
SimpleScannerApplet.class
SimpleScannerApplet$1.class

Use the following command to create a JAR file named scan.jar that packages these files:

jar -cvf scan.jar *.class

The above command will generate the following output:

added manifest
adding: SimpleScannerApplet$1.class(in = 180) (out= 130)(deflated 27%)
adding: SimpleScannerApplet$Scanner.class(in = 2376) (out= 1249)(deflated 47%)
adding: SimpleScannerApplet$ScannerException.class(in = 453) (out= 276)(deflated 39%)
adding: SimpleScannerApplet.class(in = 2185) (out= 1096)(deflated 49%)

If you've used the Unix tar command, you'll notice the similarity between the jar syntax and the tar syntax.

Obtaining an RSA Code Signing Certificate
To sign scan.jar, you'll need an RSA code signing certificate. This step is the most complicated one in the process and can take days to weeks depending upon the certificate authority that you use.

Generating a Self-Signed Certificate

The first thing that you'll need to do is to create an RSA public-private key pair, a self-signed certificate, and a keystore to hold the key pair and the certificate. Fortunately, you can use Sun's keytool to accomplish this in a few simple steps.

Open up a command line window and enter the following command. (You can substitute your own alias for jamie. An alias is just a name by which you refer to your public-private key pair.)

keytool -genkey -alias jamie -keyalg rsa

The keytool will prompt you for information that will be used to generate your self-signed certificate. Substitute your information for the information that I entered (indicated in bold). Use your domain name in place of your first and last name. Also, select a password that is different than mine.

Enter keystore password: 123456
What is your first and last name?
[Unknown]: jaworski.com
What is the name of your organizational unit?
[Unknown]: Software development
What is the name of your organization?
[Unknown]: James Jaworski
What is the name of your City or Locality?
[Unknown]: Chula Vista
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=jaworski.com, OU=Software development, O=James Jaworski, L=Chula Vista, ST=CA, C=US> correct?
[no]: yes

Enter key password for <jamie>
(RETURN if same as keystore password): 123456

The keytool will generate the key pair and self-signed certificate and store them in a file named .keystore that is located in the directory specified by the user.home Java system property. You can use the following program to find the value of user.home.

public class DisplayUserHome {
public static void main(String[] args) {
System.out.println(System.getProperty("user.home"));
}
}

Generating a Certificate Signing Request

The next step in obtaining your certificate is to submit a certificate signing request (CSR) to a certificate authority (CA). A CSR is a request to have the CA sign your self-signed certificate (thereby legitimizing it). When a CA signs your certificate, it tells the world that it has verified your identity and the fact that the certificate belongs to you. That way, when others use your signed JAR files, they will have a high degree of assurance that your JAR files were, in fact, signed by you, and not someone else posing as you.

You use keytool to create a CSR as follows. Substitute your alias for jamie and your password for 123456.

keytool -certreq -alias jamie
Enter keystore password: 123456
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRQwEgYDVQQHEwtDaHVsYSBW
aXN0YTEXMBUGA1UEChMOSmFtZXMgSmF3b3Jza2kxHTAbBgNVBAsTFFNvZnR3YXJlIGRldmVsb3Bt
ZW50MRUwEwYDVQQDEwxqYXdvcnNraS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPb5
Yt3M48Lwf2OjVYBG8+89HF35JB/YpHyyHt4DTohFeS2KbAQEvI03FGtG9KXZpzgumBttxhfiqRF8
6bF2GO8eDK1COubJ6ckEZziSlTUFYoLXqmLTui85TApXB8kJzj+SygQ2OP0APtVy6E3dq66izl89
RUzMdTH60QPxtbc5AgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQBEtAffkQVHRB8bGsm6yP7Sb8zZ
ert3h8pXdBlFjtC+SZZxUQq/rOGyqh1H320ZqJlcnmRBrgQth3KDh3WPXposnTt4eHwJKyK/whUk
0ucbkDo3cdidLLg4/as0QsVmje7udzcCdnCX6NuQqjvAayaOviU1i5GvN8ALbpWwbrf0uw==
-----END NEW CERTIFICATE REQUEST-----

The output of the keytool is your CSR. Redirect or copy it to a text file.

Submitting Your CSR to a Certificate Authority

Now that you have a CSR, you need to get it signed by a recognized certificate authority. Although there are a number of CAs that will sign your certificate, I would suggest that you use Thawte Consulting or Verisign because their certificates are recognized by all browsers and have been proven to work with the Java plug-in 1.3. Of the two, I recommend Thawte because they provide excellent service and their certificates are about half the price of Verisign's.

If you decide to use Thawte, you can find out more information about obtaining an RSA code signing certificate. If you use Verisign, check out their information.

Importing Your Signed Certificate

When your CA has verified your identity and signed your certificate. It will return a certificate or certificate chain in a standard text format (such as PKCS #7). The following is an example.

-----BEGIN PKCS #7 SIGNED DATA-----
MIIGhwYJKoZIhvcNAQcCoIIGeDCCBnQCAQExADALBgkqhkiG9w0BBwGgggZcMIID
QTCCAqqgAwIBAgIDB9BsMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJaQTEV
MBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNV
BAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9u
IFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENBMSYw
JAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMTAxMjIy
MzAyNDNaFw0wMjAxMjIyMzAyNDNaMIGHMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
Q2FsaWZvcm5pYTEUMBIGA1UEBxMLQ2h1bGEgVmlzdGExFzAVBgNVBAoTDkphbWVz
IEphd29yc2tpMR0wGwYDVQQLExRTb2Z0d2FyZSBkZXZlbG9wbWVudDEVMBMGA1UE
AxMMamF3b3Jza2kuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDM6Wku
ZYeoaEQVZWbKBLxbnID4N3wcDVsYAPDI/nIY5dnC2bFGyHNGCxEmeiAYdjb+rHuN
g2uhycZ1TtRNBOf9hnOw+NMyHAXytsIEf7wrf/H0WoAyvbZeG+sXrVMRpJJeCem0
BDAdairYkly/fdWIujlIa7mwVEBK9csgfIcutQIDAQABo3wwejAfBgNVHSUEGDAW
BggrBgEFBQcDAwYKKwYBBAGCNwIBFjARBglghkgBhvhCAQEEBAMCBBAwHQYDVR0E
BBYwFDAOMAwGCisGAQQBgjcCARYDAgeAMBcGA1UdEQQQMA6CDGphd29yc2tpLmNv
bTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBADQdapQceZZ++qQJdSVT
i7wNFjDI72RkQzvGNWzmDg8mfIa7ZxsVCBblvOrCu9Ow8m1H+IJdyLTKLllXgo5M
zRIk8eB1+AY2H1MRI+G6fTudGCJbdfXS+G7ceGLf9HZ32gVIWvEJ682ihnefPsHE
W3WW05VtaTKidC0WAZAoe4h/MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQF
ADCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UE
BxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYG
A1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQ
VGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRo
YXd0ZS5jb20wHhcNOTYwODAxMDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkG
A1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBU
b3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2Vy
dGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNl
cnZlciBDQTEmMCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC
2oQl/Kj0R1HahbUgdJSGHg91yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNk
CXDF/rFrKbYvScg71CcEJRCXL+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0
e982OsK1ZiIS1ocNAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
AQEEBQADgYEAB/pMaVz7lcxG7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllD
fU+VPaGLtwtimHp1it2ITk6eQNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpa
PNW15yAbi8qkq43pUdniTCxZqdq5snUb9kLy78fyGPmJvKP/iiMucEcxAA==
-----END PKCS #7 SIGNED DATA-----

Once you receive your signed certificate from your CA, you need to import it into your keystore using keytool. I stored my certificate in the file thawtecert.txt before I imported it.

keytool -import -alias jamie -file thawtecert.txt
Enter keystore password: 123456
Enter key password for <jamie>: 123456

Top-level certificate in reply:

Owner: EmailAddress=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

Issuer: EmailAddress=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Serial number: 1
Valid from: Wed Jul 31 17:00:00 PDT 1996 until: Thu Dec 31 15:59:59 PST 2020
Certificate fingerprints:
MD5: C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
SHA1: 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C

... is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore

That's all you need to do to obtain and install your RSA code signing certificate. Now let's sign the scan.jar file.

Using Your Certificate to Sign JAR Files
If you got to this point and you still don't have an RSA code signing certificate, don't worry, I'll show you how to sign scan.jar using my certificate.

To sign scan.jar, use the following jarsigner command. Substitute your alias for jamie.

jarsigner scan.jar jamie
Enter Passphrase for keystore: 123456
Enter key password for jamie: 123456

The jarsigner tool will replace scan.jar with a signed version of the same file. The signature will use the public-private key pair identified by the alias (jamie) and the signed certificate associated with the key pair (the one that you received from the CA).

You can also verify the JAR files signature using jarsigner:

jarsigner -verify scan.jar

If your scan.jar is properly signed it will respond with "jar verified." Otherwise, it will respond with a message indicating that the signature is missing or invalid.

Using HTMLConverter
Now that you have a signed JAR file, you need to convert any HTML files that reference the applet so that the applet executes with the Java plug-in. You do this using Sun's HTML converter.

The HTML converter is packaged as a .zip file. Unzip the file to a directory on your system.

In the converter/classes directory, you'll see two shell files (HTMLConverter.bat and HTMLConverter.sh) that are used to execute the HTML converter. Use HTMLConverter.bat if you're running Windows and HTMLConverter.sh if you're running Linux/Solaris.

When you run the shell file, the following window will open.

Screen shot.

Select the directory containing scanner.htm and then click the Convert button. The contents of the converted scanner.htm will appear similar to the following.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
<html>
<head><title>SimpleScannerApplet</title></head>
<body>
<div style="text-align: center">
<h1>SimpleScannerApplet</h1>
<!--"CONVERTED_APPLET"-->
<!-- CONVERTER VERSION 1.3 -->
<OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
WIDTH = "600" HEIGHT = "125" NAME = "ScanApplet"
codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,0,0">
<PARAM NAME = CODE VALUE = "SimpleScannerApplet.class" >
<PARAM NAME = ARCHIVE VALUE = "scan.jar" >
<PARAM NAME = NAME VALUE = "ScanApplet" >
<PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
<PARAM NAME="scriptable" VALUE="false">
<COMMENT>
<EMBED type="application/x-java-applet;version=1.3"
CODE = "SimpleScannerApplet.class" ARCHIVE = "scan.jar"
NAME = "ScanApplet" WIDTH = "600" HEIGHT = "125"
scriptable=false pluginspage="http://java.sun.com/products/plugin/1.3/plugin-install.html">
<NOEMBED></COMMENT>
Java not supported.

</NOEMBED></EMBED>
</OBJECT>

<!--
<APPLET CODE = "SimpleScannerApplet.class" ARCHIVE = "scan.jar" WIDTH = "600" HEIGHT = "125" NAME = "ScanApplet">
Java not supported.

</APPLET>
-->
<!--"END_CONVERTED_APPLET"-->

</div>
</body>
</html>

Deploying the Signed Applet
Having created and signed scan.jar and converted scanner.htm using HTML converter, you're ready to deploy these files. Put scan.jar in the same directory as scanner.htm. You can also run the scanner from your local file system using Navigator or Internet Explorer. In fact, it's a good idea to do so, just to make sure that everything works as it should. The following screen capture shows the scanner working in Internet Explorer 5.5.

Screen shot.

Jamie Jaworski is a Java security expert and author, focused on cryptography and such.


Return to ONJava.com.