Java applets signing

    Java applets allow to making interactive interface and use a lot of additional Java functionalities. Such as sound playing, access to the computer file system, downloading external data using all kinds of protocols even with use of simple socket, image cropping, digital signing and so on. And all this directly in the browser! The developer can master the entire power of all Java potentialities and external Java libraries. Things that can be done using the applet sometimes not even available in very feature-rich JavaScript frontend.

    When the applet is provided to the user the following problem arises: JVM refuses to run the applet because it thinks that the applet is insecure, while the browser displays to the user many aggressive warnings with frightening and confusing messages. In order to get rid of them you need to sign the applet by trusted certificate and configure the desired settings in the manifest file.

    The applet run reduces to jar file launch by the browser. JVM security mechanism starts jar file loading and check it for safety before classes will be loaded. At the same time the applets security levels settings in client JVM, parameters of the jar file manifest, as well as digital signature verification are checked.

    Applet signing implies signing jar file with using jarsigner utility. This utility inserts in jar file the encrypted key that contains information about the resources. If you try to modify the classes of signed jar file, then it won’t pass security inspection and won’t be executed.

    Applet can be unsigned or signed by self-made or trusted certificate. JVM tries not to load unsigned applets (the behavior depends on the version and settings). If you sign the applet by self-made certificate the browser will display warning messages which can scare the user. Such response is good only for developers but not for end users.

    The process of applet signing

    First we need to create a keystore file with help of keytool utility. In this example we will do self-made certificate and will sign applet by this certificate.

    keytool -genkeypair -keystore mystore -storepass storePassword -alias mykey -keypass keyPassword

    This command creates keystore that contains the signature key. Further we need to sign the applet by this keystore:

    jarsigner applet.jar -keystore mystore -storepass storePassword -keypass keyPassword mykey

    Since we signed applet by self-made certificate the following message appears in console:

    Warning:
    The signer certificate will expire within six months.

    After that the applet will run in browsers with security warning messages displaying. To avoid it we must obtain a trusted certificate and sign the applet by it.

    Receiving a trusted certificate and applet signing

    Trusted certificate must be purchased from the respective organization. The cost can range from $ 200 to $ 500 per year. We ordered it from Godaddy. Keytool is used for operations with certificates. The process of obtaining the certificate looks like:

    1) Create a keystore.

    keytool -genkeypair -alias keyName -keypass keyPassword -keystore keystore -storepass storePassword -keyalg RSA -keysize 2048

    2) After keystore generation the untrusted certificate will be inside it. To make it trusted you need to generate the request file to the authorized organization.

    keytool -certreq -alias keyName -file request.csr -keypass keyPassword -keystore keystore -storepass storePassword

    The result will be request.csr file, which you need to send to an authorized organization. For it you should create the request on this organization website and upload request.csr.

    3) After payment the organization gives a link to download the verification file that should be imported back into keystore. Verification file can be presented in several formats, but we talk about it later. This file is imported with help of the same keytool utility.

    keytool -importcert -alias keyName -file resounce.pem -keypass keyPassword -trustcacerts -keystore keystore -storepass storePassword

    The applet have to be signed with received keystore:

    jarsigner applet.jar keyName -keystore keystore -storepass storePassword -keypass keyPassword

    After the signed applet run the browser will show friendly window with the message of applet belonging to trusted source. Moreover if you put a tick the message will never appear.

    Different kinds of certificates

    Jarsigner utility accepts only keystore  – certificate store, which must contain the key. When we want to make a trusted certificate the authorized organization can send us the answer in different formats.

    There are two basic encodings of certificates:

    • DER – binary format;
    • PEM – ASCII format, coded in BASE 64.

    Certificate files can have the extension:

    • .CRT – more typical for Unit-systems;
    • .CER – Microsoft standard;
    • .KEY –  contains both private and public key.

    The keytool utility can import only PEM format. Certificates types can be converted into each other using openssl.

    From pem into der:

    openssl x509 -in cert.crt -outform der -out cert.der

    From der into pem:

    openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

    You can read more details here:

    1. https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
    2. https://www.sslshopper.com/article-most-common-openssl-commands.html

    Importing existing certificate into keystore

    Jarsigner utility signs jar-files with keystore, which is generated by keytool utility. Unfortunately if you already have an existing certificate, then to import it into keystore can be a problem, since there are no standard mechanisms to do it. If you face with this problem you can read this workaround.

    Useful links

    Utilities contained in JDK:

    1. http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
    2. http://docs.oracle.com/javase/6/docs/technotes/tools/windows/jarsigner.html

    Java-applets signing articles:

    1. http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html
    2. http://habrahabr.ru/post/204984/

    Commercial certificate receiving:

    1. http://docs.oracle.com/cd/E19509-01/820-3503/ggezu/index.html

    Different certificate formats and their converting:

    1. https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
    2. https://www.sslshopper.com/article-most-common-openssl-commands.html
    3. http://www.gtopia.org/blog/2010/02/der-vs-crt-vs-cer-vs-pem-certificates/

    Importing existing certificate into keystore:

    1. http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html