JavaBeansTM Short Course
Help: Signing Declarations with John Hancock

By MageLang Institute

Help is available for each task, or you can go straight to the solution source code.

Task 1

Execute the following statement to make sure that "John Hancock" is not a known identity to your system.
javakey -r "John Hancock"

If John doesn't exist in your system, you will see the message "No one named John Hancock in the system." If John did exist, you will see the message "Removed John Hancock."

Task 2

Once removed, we can run the program unsigned to see what happens. Unpack the AllHancock.jar file and run appletviewer with the Declaration.html file.

To save the file, in Netscape Navigator, shift-click over the AllHancock.jar link.

To extract the files from the .jar file, from the directory you saved it in, execute:

jar xf AllHancock.jar
Then enter:
appletviewer Declaration.html

Task 3

Now, press the 'Introspect' button while there is nothing in the 'Enter class name' text field. The applet is able to reflect on itself with no security problems.

Task 4

Then try to inspect a system class like java.lang.String. When you press the 'Introspect' button with java.lang.String in the text field, you will see a lengthy security exception message on the display. This basically says that the applet is untrusted by you, so it cannot access restricted things. In order to be trusted, it must be signed by someone. Then, the user of the applet must tell their system that they trust that someone AND install their public key into their system.
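The two outcomes described in Tasks 3 and 4, as an added example that is not the tutorial's own Freud class: a small introspector that loads a class by name, lists its declared methods, and reports separately when the class does not exist and when a security manager refuses the reflective access. The class name Introspect and the describe method are this example's own choices; with no argument it introspects itself, which is what the applet does when the text field is empty.

```java
// Added example (not from the tutorial): a minimal introspector in the spirit
// of the Freud class, showing the two failures the tutorial's applet can hit.
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class Introspect {

    /** Lists the declared methods of the named class, or a one-line reason why it cannot. */
    public static List<String> describe(String className) {
        List<String> lines = new ArrayList<>();
        try {
            Class<?> c = Class.forName(className);
            lines.add("class " + c.getName());
            // getDeclaredMethods() is the call a security manager guards for
            // classes outside the caller's package; untrusted applet code gets a
            // SecurityException here for system classes such as java.lang.String.
            for (Method m : c.getDeclaredMethods()) {
                lines.add("  " + m.getReturnType().getSimpleName() + " " + m.getName());
            }
        } catch (ClassNotFoundException e) {
            lines.add("no such class: " + className);
        } catch (SecurityException e) {
            // Untrusted code: the jar must be signed by a signer the user has
            // registered as trusted and whose certificate the user has imported.
            lines.add("access denied by the security manager: " + e.getMessage());
        }
        return lines;
    }

    public static void main(String[] args) {
        // An empty "class name" means introspect ourselves, as in Task 3.
        String name = args.length > 0 && !args[0].isEmpty() ? args[0] : Introspect.class.getName();
        for (String line : describe(name)) {
            System.out.println(line);
        }
    }
}
```

Run it as an application and the security branch is never taken, because an application has no security manager installed by default; the tutorial's appletviewer runs the same kind of code under the applet security manager, which is where the exception in Task 4 comes from.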

Task 5

In order for our applet to be trusted, we need to generate a certificate, create a jar file, sign it, and tell our .html file to use it. Generating the certificate involves four steps:

1. Identify the signer and state that you 'trust' them:
javakey -cs "John Hancock" true
  • javakey is the key management program
  • -c means to create an identity
  • -s means we are creating a code 'signer'
  • "John Hancock" is the signer
  • true signifies we trust "John Hancock"
2. Generate a public-private key pair for the signer:
javakey -gk "John Hancock" DSA 512 Hancock_pub Hancock_priv
  • -gk means to generate a key pair
  • "John Hancock" is the identity
  • DSA is the algorithm
  • 512 is the key size (in bits)
  • Hancock_pub / Hancock_priv are the files the public and private keys are written to.
3. Set up a signer profile file.
This file is a set of key-value pairs identifying who the signer is, how long the key is good for, and what the output file is.
For purposes of this exercise, just use the Hancock.cert file provided.
4. Generate a certificate:
javakey -gc Hancock.cert
  • -gc means to generate a certificate
  • Hancock.cert is the certificate profile file
  • The command creates the file Hancock.x509 because the out.file directive in the profile provided that name.

For more information on the format of the signer profile file, see JavaSoft's online description of javakey.

Task 6

Now we can sign our code. First, we need to package our code up to be signed. The Freud.class file is the only one that has to be signed. If we include our general applet code in the signed package and the user does not trust the signer, they will get an empty screen on startup and will think they did something wrong. By not packaging the front-end, this won't happen. The command to place the Freud class in a jar file is:
jar cf Freud.jar Freud.class

This creates the file Freud.jar with the contents of Freud.class. To examine the contents:
jar tf Freud.jar

Task 7

Now we need to sign the .jar file. This requires a signing directive file similar to the signer profile file earlier. For purposes of this exercise, just use the Hancock.sign file provided. Once the directives file is set up, execute:
javakey -gs Hancock.sign Freud.jar
to create the file Freud.jar.sig. Rename Freud.jar.sig to be signedFreud.jar.
ren Freud.jar.sig signedFreud.jar

For more information on the format of the signing directive file, see JavaSoft's online description of javakey. This added the following files:

  • META-INF/MANIFEST.INF
  • META-INF/HANCOCK.SF
  • META-INF/HANCOCK.DSA
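What those META-INF files buy the recipient, as an added example that is not part of the tutorial: a small checker that opens a jar with verification enabled, reads every entry so the digests recorded in the .SF file are checked, and reports which entries are signed, by whom, and which are unsigned or tampered. It uses the java.util.jar API from JDK 1.2 and later rather than javakey, the class name SignedJarCheck is this example's own, and the jar path is taken from the command line (for example signedFreud.jar from Task 7).

```java
// Added example (not from the tutorial): report the signers of each entry in
// a jar using java.util.jar (JDK 1.2+), which understands the META-INF/*.SF
// and META-INF/*.DSA signature files added by the signing step.
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {

    /** One line per content entry: its name, then the signer names, UNSIGNED, or TAMPERED. */
    public static List<String> describe(String jarPath) throws IOException {
        List<String> report = new ArrayList<>();
        // verify=true: digests from the .SF file are checked while entries are read
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not signed content themselves
                }
                // Certificates are attached only once the entry has been read to the end;
                // an entry whose bytes no longer match its digest throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                } catch (SecurityException tampered) {
                    report.add(entry.getName() + ": TAMPERED (" + tampered.getMessage() + ")");
                    continue;
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null || certs.length == 0) {
                    report.add(entry.getName() + ": UNSIGNED");
                    continue;
                }
                StringBuilder sb = new StringBuilder(entry.getName()).append(": signed by");
                for (Certificate c : certs) {
                    if (c instanceof X509Certificate) {
                        sb.append(' ').append(((X509Certificate) c).getSubjectX500Principal().getName());
                    } else {
                        sb.append(' ').append(c.getType());
                    }
                }
                report.add(sb.toString());
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SignedJarCheck signedFreud.jar");
            System.exit(2);
        }
        for (String line : describe(args[0])) {
            System.out.println(line);
        }
    }
}
```

A "signed by" line only tells you the bytes match what the holder of that private key signed; whether that signer is one you trust is the separate decision Task 9 walks through, and a checker like this is how you confirm the certificate name in the jar is the one you were given before registering it.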

Task 8

Finally, create an html file that uses the signed file and test it. In the <APPLET> tag, include an archive=signedFreud.jar parameter:
<APPLET archive=signedFreud.jar code=Declaration width=400 height=400>
</APPLET>

Task 9

Okay, now that you have this, what is necessary for a user to use it as trusted? Basically, only three steps. First, you need to provide the user with the Hancock.x509 file you created earlier. Then, they need to identify the signer as trusted on their system. Finally, they need to import the certificate file into their system.

In order for us to make believe we don't know who the signer is, we need to remove their identity from our database first:
javakey -r "John Hancock"
1. Deliver Hancock.x509 to the user somehow.
2. Register "John Hancock" as trusted:
javakey -c "John Hancock" true
  • There isn't a '-s' flag because John Hancock doesn't need to create certificates on the user's system.
3. Import the Hancock.x509 certificate file:
javakey -ic "John Hancock" Hancock.x509
  • There is no magic in the filename or extension.
Run the signed applet:
appletviewer signedDeclaration.html
If you try introspecting classes like java.lang.String, you will see no security exceptions thrown.

You may have used a different name for your .html file.

Also, if you want to re-enable "John Hancock" as a signer, remove him with javakey -r "John Hancock", reinstate him as a trusted signer with javakey -cs "John Hancock" true, then import the public-private key pair back into the system with javakey -ikp "John Hancock" Hancock_pub Hancock_priv. If you do not do this and just regenerate the key, the 'signed' applet will become invalid because it won't pass the verification test.

Copyright © 1997 MageLang Institute. All Rights Reserved.

[ This page was updated: 10-Nov-99 ]

Copyright © 1995-99 Sun Microsystems, Inc.
All Rights Reserved.