How to play outside the sandbox (using signed applets)

Wayne Schroeder
October 22, 1999
Last update: Dec 10

I'm making this available on the web since the information may be useful to many sites, but IF YOU ARE NOT WITH SDSC/NPACI DO NOT REQUEST A CERTIFICATE FROM US!

There are actually four (or more) totally separate jar signing and security mechanisms (all immature), and multiple tools. This includes the Netscape built-in Java Run Time Environment, the Java Plug-in (1.1 and 1.2), and IE's RTE. Tools include the Java Keytool (with DSA keys), Keytool extended with JSSE (with RSA keys), and the Netscape signtool. In some environments, security-specific applet code is needed; in some it is not. Only certain combinations work properly. The information available on the web and usenet is sometimes inaccurate (referring to older or different environments) and in some cases people are simply confused (which is easy since it is such a mess). However, http://mindprod.com/gloss.html ("Java glossary") seems to be pretty good; see "Signed Applet". Also useful is Java's http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html.

Here's the procedure I've managed to (eventually) get to work:

(Note that for most people on the web this is informational only; SDSC/NPACI certificates are for the SDSC/NPACI user community only.)

1) Get a Certificate from our Certificate Authority.

(For SDSC/NPACI users and staff, you can get a certificate from the NPACI/SDSC CA.)

The Java documentation tells you to generate your own (self-signed) certificate, but since we have a CA, it will be better to use our CA. This way, users of signed applets only have to install our CA's cert and then can be assured that the signed applets are authored by SDSC staff. It is also cleaner and more secure.

To get a certificate, SDSC staff can connect your browser to our CA web page (https://ca.sdsc.edu) and follow the procedures.
After your id is verified by our CA administrator (Bill Link), your certificate (signed by the CA) will be available to you via the web. Then you install your certificate into your Netscape browser (into its certificate database file, which is protected by a password).

2) Develop your applet

It is NOT necessary to use the Netscape security classes to enable privileges (that may be necessary if using the Netscape built-in Java RTE, but we're using the plugin). This is an example, but it is not needed for the plugin:

    PrivilegeManager.enablePrivilege("UniversalFileAccess");

Here's some sample applet code that works fine:

    import java.applet.Applet;
    import java.awt.Graphics;
    import java.io.File;

    // Class wrapper, imports and field declaration added so the sample compiles;
    // the class name is assumed from the HTML below.
    public class HelloWorld extends Applet {
        File file;

        public void init() {
            resize(150, 50);
            file = new File("/users/sy/schroede/java/test");
        }

        public void paint(Graphics g) {
            g.drawString("Hello world", 1, 25);
            try {
                if (file.exists()) {
                    g.drawString("File Exists", 1, 50);
                } else {
                    g.drawString("File does not exist", 1, 50);
                }
            } catch (SecurityException e) {
                // Thrown by the security manager when the applet is unsigned
                // or its signature could not be verified.
                g.drawString("Security Exception", 1, 50);
            }
        }
    }

Without signing, or if something about the signature fails, "Security Exception" is printed.

Here's the HTML that calls the applet:

    HelloWorld
    No JDK 1.2 support for APPLET!!

(This HTML code has to be much more complicated if you want it to be able to trigger/run a plugin install (for IE, I believe). There is a tool that will produce this for you (http://java.sun.com/products/plugin/1.2/converter.html) but, unfortunately, it has an involved GUI interface to do even a simple one-file conversion. It is a nice tool for converting lots of HTML files, though.)

3) Sign your applet with the Netscape signtool

Run 'signtool -l' to see your certificates. These are the same ones displayed by Netscape via the buttons: Security, Certificates-Yours. 'signtool' is now installed in /usr/local/bin/signtool.
    number6 840% signtool -l
    using certificate directory: /users/sy/schroede/.netscape

    Object signing certificates
    ---------------------------------------

    Wayne Schroeder Test 3's NPACI ID
        Issued by: NPACI CA 9/21 (Certificate Manager)
        Expires: Thu Sep 14, 2000
    [...]

Put your Java class into a separate directory for signing.

    mkdir signdir
    cp *.class signdir

And run the signtool specifying which key to use, the directory, and the jar file to create:

    $TMP/signtool/signtool -k"Wayne Schroeder Test 3's NPACI ID" -Z"foo.jar" signdir

It will prompt for your Netscape key database password. (This is so that it can get your private key to use in signing the applet code. This private key matches the public key in your certificate.)

(See applet_signing_details.txt for some more discussion.)

The signtool and documentation are available at http://developer.netscape.com/docs/manuals/signedobj/signtool/index.htm

The rest of this is what users do to run your applet:

A) Install the Java plugin for Netscape, currently version 1.2.2.

It is better to use the Java plugin because it is easier to update and therefore more current. This is fairly straightforward and well documented. See http://java.sun.com/products/plugin. HTML coding can invoke the download process for users in some cases. The following example works, I believe, at least for Windows 98/Netscape:

    No JDK 1.2 support for APPLET!!

The converter will generate HTML for you that will handle all cases.

B) Install the NPACI CA Cert into the registry (for PCs).

One way to do this is to use Internet Explorer (IE) (even if one will be using Netscape). IE stores its trusted certificates in the registry (Netscape doesn't) and the plugin uses the registry. This is explained (accurately) in: http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html.

With IE, go to https://ca.sdsc.edu, click on Retrieval, and "Import CA Certificate Chain", and step through the installation procedure.
If that doesn't work, or if you don't have IE, see ftp://ftp.sdsc.edu/pub/security/npaci_certificates/notes . As explained in the notes file, there are .crt files in that directory that you can download and just click on to install.

One final alternative method (if the above methods fail) is the following. Go to the https://ca.sdsc.edu page, list the certs, get the first one, "Certificate Manager", display it, take the text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" (inclusive), and put it into a text file (this is a PEM format certificate). Then start up IE, click on Tools, Internet Options, click on Content, Certificates, and then Trusted Root Certification Authorities, and Import. Then give it the text file with the PEM certificate. It'll run through a little dialog. Exit IE to be sure the database is updated.

C) Access the applet page via Netscape.

If you don't do step 2 (or you don't sign the applet), it will run but without extended privileges (in the above example, it will print "Security Exception"). Even if the applet is signed, no error messages appear in the Java console window when something is wrong (i.e., the verification of the signature fails and so is ignored, but without letting the user know that anything went wrong).

If all goes well, the user is presented with a window explaining that the applet is signed by you and verified by the NPACI CA, and asking whether the user wants to accept the certificate, either for the session or permanently. If the user accepts it permanently ("Grant Always"), the certificate will appear in the Java plugin control window, under "Certificates". The other certificates that the plugin uses are the IE trusted certificates, but these do not appear in the list. I'm not sure if all the IE certificates are used, or if only the trusted ones are used.

This all seems rather complicated but, once set up, isn't too bad.
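Because a failed verification in C) is silent, it helps to check the jar from step 3 before publishing it. The following is an added example, not code from this page or from the signtool documentation: it reads every entry so that Java's JarFile verifies the signature digests, then checks separately whether each signer's chain ends at the CA cert users install in step B, which is the chain check the plugin performs without reporting. It assumes a modern JDK (9 or later), and the file names foo.jar and ca-cert.pem are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CheckSignedJar {
    // True if top (the last cert of a signer's chain) was signed by ca's key.
    static boolean issuedBy(X509Certificate top, X509Certificate ca) {
        try { top.verify(ca.getPublicKey()); } catch (Exception e) { return false; }
        return top.getIssuerX500Principal().equals(ca.getSubjectX500Principal());
    }

    // usage: java CheckSignedJar foo.jar ca-cert.pem   (both file names are placeholders)
    public static void main(String[] args) throws Exception {
        // ca-cert.pem holds the BEGIN/END CERTIFICATE text that users install in step B.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[1])) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // verify=true: the digests in META-INF/*.SF are checked as each entry is read.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    in.readAllBytes();  // signer certs are attached only once the entry is fully read
                } catch (SecurityException se) {
                    System.out.println(e.getName() + ": DIGEST MISMATCH, " + se.getMessage());
                    continue;
                }
                Certificate[] chain = e.getCertificates();  // null when no .SF file covers the entry
                if (chain == null || chain.length == 0) {
                    System.out.println(e.getName() + ": UNSIGNED");
                    continue;
                }
                // JarFile checked digests only; chain trust is a separate decision (the plugin uses the IE store).
                X509Certificate top = (X509Certificate) chain[chain.length - 1];
                System.out.println(e.getName() + ": signed by "
                        + ((X509Certificate) chain[0]).getSubjectX500Principal()
                        + (issuedBy(top, ca) ? " (chains to the given CA)" : " (NOT from the given CA)"));
            }
        }
    }
}
```

An entry reported as UNSIGNED or NOT from the given CA is exactly the case the plugin drops without a console message, so the applet would fall back to "Security Exception" on the user's machine.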
If all SDSC applets are signed with user certificates that are issued by the NPACI/SDSC CA, then once a user installs the NPACI/SDSC CA Certificate, they'll be given the option of trusting each of the SDSC applet authors. That is, they do A) and B) once, and then can do C) for any number of SDSC applets. And C) is a straightforward GUI sequence.

To run this on workstations (Solaris), I believe that users will be able to use keytool to install the NPACI CA cert. When I was working with this in October/November, the 1.3 beta plugin didn't seem to be available yet (but will probably support this). In the near future, we can investigate this again.

With help from Gary Cohen (local staff member), I've also gotten this to work under IE. The HTML is different, but it runs:

    % more Hello5IE.html
    HelloWorld
    %

----

Debug notes:

As cfdna@my-deja.com (via usenet Comp.lang.java.security) explained to me, in the Java Plug-in Control Panel, you can specify this runtime option:

    -Djava.security.debug=xxx

where xxx can be one of the following:

    all      turn on all debugging
    access   print all checkPermission results
    jar      jar verification
    policy   loading and granting
    scl      permissions SecureClassLoader assigns

But even trying some of those, no messages are displayed indicating what went wrong in verifying a certificate. With 'all', the Java console would often hang after showing lots of messages. I've been told that the "jar" option prints debug information related to the JAR file signature verification, but it does not print out any info regarding the cert chain verification. Javasoft is considering popping up a window in case the chain does not verify, or the top-level cert of the chain is not contained in IE's CA database, so that the user knows something went wrong.