First of all sorry for the format of this document.
Each of the mobile platform has a code signing process that will verify that the mobile application is authentic. The objective of code signing is to ensure that mobile applications is well trusted, virus-free, and traceable to the company.
Verisign ACS (Authenticated Content Signing) Portal issues certificates for various mobile platforms. It has a good diagram on how mobile code signing works:
These instructions give an overview of obtaining a VeriSign Digital Certificate and using it for Sun Java code signing. The steps covered here use the command prompt utilities. The other way around is to use J2ME's utility for MIDlet signing if you are signing a J2ME application.
- Download the Java 2 SDK.
The Java 2 SDK for all platforms is available free of charge from java.sun.com. We will be using the following tools to apply for your VeriSign Code Signing Digital Certificate and sign your code: keytool, jar, and jarsigner.
- Generate a public/private key pair.
If you are a novice (like I was before starting my first code signing task), I recommend you read my other blog entry to get to know security terms like key pair, keystore and so on. Enter the following command, specifying an alias for your key entry, to generate a public/private key pair:
C:\> C:\jdk1.3\bin\keytool -genkey -keyalg rsa -alias MyCert
In this command, the alias is MyCert and the key algorithm used is RSA.
Keytool responds with prompts to enter a password for your keystore and your name, organization, and address information. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java applets and applications.
Note: Your private key is never sent to VeriSign, so if you lose it, you will be unable to sign code. If your private key is lost or stolen, please contact VeriSign to cancel your certificate.
- Generate a certificate signing request (CSR).
Enter the following command to generate a CSR:
C:\>C:\jdk1.3\bin\keytool -certreq -alias MyCert
In this command, keytool is requested to create a CSR for the key pair stored under the alias MyCert.
After prompting you to enter the password for your keystore, keytool will generate a CSR similar to the following:
-----BEGIN NEW CODE SIGNING ID REQUEST-----
MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHE
wlDdXBlcnRpbm8xGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxFjAUBgNVBAsTDU
phdmEgU29mdHdhcmUxEzARBgNVBAMTClN0YW5sZXkgSG8wgZ8wDQYJKoZIhvcNAQE
BBQADgY0AMIGJAoGBALTgU8PovA4y59eboPjY65BwCSc/zPqtOZKJlaW4WP+Uhmeb
E+T2Mho7P5zXjGf7elo3tV5uI3vzgGfnhgpf73EoMow8EJhly4/YsXKqeJEqqvNog
zAD+qUv7Ld6dLOv0CO5qvpmBAO6mfaI1XAgx/4xU/6i6u6TLLOvgv9pMNUo6v1qB0
xly1faizjimVYBwLhOenkA3Bw7S8UIVfdv84cO9dFUGcr/Pfrl3GtQ==
-----END NEW CODE SIGNING ID REQUEST-----
This string is an example of a CSR generated using keytool. A CSR contains a copy of the requestor’s public key and a hash of the data entered in step 2 signed with the requestor’s private key.
Copy the CSR and paste it into the VeriSign Sun Java Code Signing Digital Certificate application form, accessible at
http://www.verisign.com/products/signing/index.html.
When your request is approved, VeriSign attaches your Sun Java Code Signing Digital Certificate to your confirmation email. Upon receipt, the attached certificate is saved to a file on your computer.
A digital certificate is a "trust path" or "chain" back to the VeriSign root certificate. This trust path enables your code to be validated on any standard JRE without installing any additional files.
Note: VeriSign takes a number of steps to verify your identity. For commercial publishers, VeriSign does a considerable amount of background checking. As a result, it will take approximately 3-5 business days to verify your information and issue a certificate.
- Import your Digital Certificate.
Enter the following command, with the path to your certificate, to import the chain into your keystore.
C:\>C:\jdk1.3\bin\keytool -import -alias MyCert -file ABhiNew.cer
In this command, keytool is requested to import the Digital ID "ABhiNew.cer" into the keystore under the alias MyCert.
- Bundle your applet into a Java Application Resource (JAR) file.
Use jar to bundle your applets or applications as a JAR file.
C:\>C:\jdk1.3\bin\jar cvf C:\TestApplet.jar .
This command creates the JAR file "C:\TestApplet.jar". The trailing "." tells jar what to include, so the JAR file contains all the files under the current directory and its subdirectories.
JAR responds with:
added manifest
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)
- Sign your applet.
Use jarsigner to sign the JAR file, using the private key you saved in your keystore.
C:\>C:\jdk1.3\bin\jarsigner C:\TestApplet.jar MyCert
At the prompt, enter the password to your keystore. Jarsigner hashes your applet or application and stores the hash in the JAR file created in step 5 with a copy of your certificate.
Verify the output of your signed JAR file.
C:\>C:\jdk1.3\bin\jarsigner -verify -verbose -certs C:\TestApplet.jar
This command verifies that the files have been saved to the JAR file and that the signature is correct. When the signed JAR file is downloaded, the JRE displays your VeriSign Digital Certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.
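To show what the tamper check described above actually relies on, here is an added example (my own code, not from Sun, VeriSign or the original post) that models the integrity layer of a signed JAR: per-entry digests recorded in META-INF/MANIFEST.MF, recomputed on verification. The JAR contents are constructed in memory, SHA-256 is assumed as the digest, and the .SF/.RSA signature block that proves who signed is left out.

```python
# Added example: minimal model of jarsigner's per-entry manifest digests.
# Sample JAR contents below are constructed; the signature block is omitted.
import base64
import hashlib
import io
import zipfile

def digest_b64(data):
    # jarsigner stores base64-encoded digests; SHA-256 assumed here
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_manifest(entries):
    # One "Name:" / "SHA-256-Digest:" section per JAR entry
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    return "\r\n".join(lines) + "\r\n"

def make_jar(entries, manifest=None):
    # Build an in-memory JAR; passing a stale manifest simulates a file
    # changed after signing while the recorded digests stay the same
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest or build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def check_jar(jar_bytes):
    # Recompute each non-META-INF entry's digest and compare with the manifest.
    # Returns the entries that differ or have no recorded digest ([] = intact).
    bad, recorded, name = [], {}, None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for line in zf.read("META-INF/MANIFEST.MF").decode().splitlines():
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif line.startswith("SHA-256-Digest: ") and name:
                recorded[name] = line[len("SHA-256-Digest: "):]
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            if recorded.get(info.filename) != digest_b64(zf.read(info)):
                bad.append(info.filename)
    return bad

if __name__ == "__main__":
    files = {"TestApplet.class": b"applet bytes", "TestHelper.class": b"helper bytes"}
    print(check_jar(make_jar(files)))                 # [] -> intact
    stale = build_manifest(files)                     # digests from signing time
    files["TestHelper.class"] = b"patched bytes"      # modified after signing
    print(check_jar(make_jar(files, stale)))          # ['TestHelper.class']
```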
Some of the really good links I would like to share here are:
http://java.sun.com/javame/reference/docs/sjwc-2.0-web/docs/ToolsGuide-html/jadtool.html
http://www.spindriftpages.net/blog/dave/2006/06/18/midlet-jar-signing-a-tutorial-revised/
1 comment:
One issue I faced after JAR signing was an 'invalid application' error. I updated the MIDlet permission tag in the JAD. It worked.