Self signing using keytool

Hi,

I followed the procedure in the link below to self-sign an applet with keytool:

http://forum.java.sun.com/thread.jspa?threadID=230408&messageID=1584191

but I can't make it work :(

I begin by signing my jar, and the user receives the signed jar and the certificate (query.cer). He imports it with keytool (keytool -import -alias query -file query.cer -keystore newstore), and he changes his policy file. My applet tries to read the filesystem.

- When there's no policy file, the browser asks if I trust the certificate, but never allows me to see the filesystem.

- When the policy file specifies

grant {
    permission java.security.AllPermission;
};

It doesn't ask for a certificate, and allows me to see the filesystem.

So far, I'm OK.

- When the policy file specifies

grant signedBy "query" {
    permission java.security.AllPermission;
};

It doesn't ask for a certificate, and DOES NOT allow me to see the filesystem.

However, when I list the signatures, I have:

>keytool -keystore newstore -list -alias query
Enter keystore password: *********
query, Mar 30, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 18:71:4C:46:6B:A6:75:73:0C:1B:EF:14:D3:15:D2:4A

I don't think the problem is here, but my html page is:

<body>
<div align="center">
<h4>Enter your query</h4>
<APPLET code="QueryApplet.class" archive="Stst.jar" width=400 height=400>
</APPLET>
</div>
</body>

I hope somebody knows the problem and can help me!

calypso

[1908 byte] By [calypsoa] at [2007-10-1 9:31:56]
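The procedure from the first post carried through end to end, as an added example that is not the original poster's code: a shell script that generates a self-signed key, signs the jar, exports the certificate, imports it into the user's keystore exactly as the post does, verifies the jar against that keystore, and writes the policy file for the signedBy grant. The one thing it adds to the policy shown in the post is a keystore directive: the Java policy file grammar resolves signedBy aliases against the keystore named by that directive, so a policy with a signedBy grant and no keystore line matches no code and grants nothing. The alias query, the keystore newstore and Stst.jar are taken from the thread; the signer keystore name, the DN, the password and the .cer file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: self-sign an applet jar and write a
# policy whose signedBy grant can actually be resolved.
# From the thread: alias "query", user keystore "newstore", jar "Stst.jar".
# Assumed: signer keystore name, DN, password, certificate file name.
set -eu

ALIAS=query
JAR=Stst.jar
SIGNER_STORE=signer.jks     # assumed: the developer's private-key store
USER_STORE=newstore         # the user's trust store, as in the thread
STOREPASS=changeit          # assumed password for both stores
POLICY=mypolicy.policy

# Write a policy granting AllPermission only to code signed by alias $1,
# to be resolved in keystore $2, into file $3.
# The keystore line is what the policy in the thread lacks: signedBy aliases
# are looked up in the keystore named here (a relative URL is taken relative
# to the policy file), and a grant whose alias cannot be resolved simply
# matches nothing, so the applet stays in the sandbox.
write_signed_policy() {
    cat > "$3" <<EOF
keystore "file:$2";

grant signedBy "$1" {
    permission java.security.AllPermission;
};
EOF
}

# Developer side (needs a JDK): generate a self-signed key pair, sign the
# jar with it, and export the certificate to hand to the user.
sign_jar() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Query Applet, O=Example" \
        -keystore "$SIGNER_STORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    jarsigner -keystore "$SIGNER_STORE" -storepass "$STOREPASS" "$JAR" "$ALIAS"
    keytool -export -alias "$ALIAS" -keystore "$SIGNER_STORE" \
        -storepass "$STOREPASS" -file "$ALIAS.cer"
}

# User side: import the certificate as a trustedCertEntry (the entry the
# keytool -list output in the thread shows), then verify the jar against that
# keystore before touching any policy. With -verbose, entries whose signer
# certificate was found in the keystore are flagged with "k".
import_and_verify() {
    keytool -import -noprompt -alias "$ALIAS" -file "$ALIAS.cer" \
        -keystore "$USER_STORE" -storepass "$STOREPASS"
    jarsigner -verify -verbose -keystore "$USER_STORE" "$JAR"
}

# Run under appletviewer with the policy from write_signed_policy. For the
# browser plugin, put the same two entries in ~/.java.policy instead, which
# the default java.security configuration loads automatically.
run_applet() {
    appletviewer -J-Djava.security.policy="$POLICY" query.html
}

# The JDK steps only run when invoked as: sh sign-applet.sh all
case "${1:-}" in
    all)
        write_signed_policy "$ALIAS" "$USER_STORE" "$POLICY"
        sign_jar
        import_and_verify
        run_applet
        ;;
esac
```

The policy file is written by plain shell, so that part can be checked without a JDK; the keytool, jarsigner and appletviewer steps need one on PATH. The jarsigner -verify step is worth keeping between the import and the policy work: it separates "the user's keystore does not trust this signer" from "the policy does not grant this signer anything", which the thread never distinguishes.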
# 1

Never got the signedby policy to work for me either.

http://forum.java.sun.com/thread.jspa?threadID=409341&tstart=45

fourth post

Here is how I sign the applet:

http://forum.java.sun.com/thread.jsp?forum=63&thread=524815

second post

Note that if you have the line:

permission java.lang.RuntimePermission "usePolicy";

in the grant { section, all signatures are ignored and access is granted ONLY when a policy is set up for it. So

- When the policy file specifies

grant {
    permission java.security.AllPermission;
};

It doesn't ask for a certificate, and allows me to see the filesystem.

Seems unlikely to me. Asking for trust or not depends on the presence of this line:

permission java.lang.RuntimePermission "usePolicy";

harmmeijera at 2007-7-10 1:57:06 > top of Java-index,Security,Signed Applets...
# 2

Thank you harmmeijer, I read your posts but I still don't know what I can do.

I launch the applet with appletviewer:

appletviewer -J-Djava.security.policy=.java.policy query.html

As I saw in your messages, when I press a button that performs a "forbidden action", it throws a java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read).

I changed my .java.properties like this:

grant signedBy "query" {
    permission java.lang.RuntimePermission "usePolicy";
    permission java.security.AllPermission;
};

And it doesn't work. What can I do to make it work, i.e. to perform forbidden actions once I accept the certificate?

calypsoa at 2007-7-10 1:57:06
# 3

I never run a signed applet in the applet viewer, just open the html file in a browser.

As I stated before, I never got the signedBy policy to work and challenge anyone who can make it work on the Windows platform (an example is given in my previous post).

The signed applet example I posted in my previous post should work as long as you leave out

permission java.lang.RuntimePermission "usePolicy";

What this line does is force the applet to use the policy WHEN THE APPLET IS OPENED IN A BROWSER.

When you use the appletviewer you force it to use the policy with -Djava.security.policy=.java.policy.

Try it like this:

appletviewer -J-Djava.security.policy=mypolicy.policy query.html

Then in the directory of the html file and the applet add a file called mypolicy.policy with the following content:

grant {
    permission java.security.AllPermission;
};

Now your applet should run in the appletviewer, although you don't need to sign it anymore.

harmmeijera at 2007-7-10 1:57:06
# 4
OK, but with that solution, all applets will have the right to go outside of the sandbox, won't they?
calypsoa at 2007-7-10 1:57:06
# 5

Yes, but it's only used if you explicitly ask for it:

-J-Djava.security.policy=mypolicy.policy

When I open the example given in my first post with the appletviewer I get the security exception and never get asked if I trust the signature or not.

I had to change some things to make it work in the appletviewer though:

- the html file, so javascript doesn't set the object tag;
- the java file, to System.out.println instead of setting html elements, and remove the JSObject code.

My guess is that the appletviewer always forces it to use a policy.

So in short:

- When running with the appletviewer, provide a policy in the command that starts the appletviewer.
- When running in a browser you can sign the applet, but you have to make sure there is no usePolicy somewhere in the java.policy.

harmmeijera at 2007-7-10 1:57:06
# 6

This might clear things up.

When talking about policy there are two kinds of policy:

mypolicy.policy, which is only used if I specifically ask for it when starting the appletviewer,

and

C:\Program Files\Java\jre1.5.0\lib\security\java.policy

which is always used when you open an applet in your browser.

If this file contains the usePolicy, your browser will not ask if you trust a signed applet or not.

When I run a signed applet in the appletviewer I never get asked if I trust it or not, so my guess is that the appletviewer works differently than the browser.

harmmeijera at 2007-7-10 1:57:06
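An added check, not from the thread, for the two policy-file conditions harmmeijer describes in the posts above: a usePolicy permission, after which the plugin stops prompting for trust and the applet gets only what the policy files grant, and a signedBy grant with no keystore directive to resolve its alias, which is the shape of the original poster's failing policy. The three policy files it writes are constructed inline to mirror the ones quoted in the thread; the temporary directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a Java policy file for the
# two traps discussed in the posts above. Sample policies below are
# constructed to mirror the thread.
set -eu

# Exit status 0 when the file grants the usePolicy runtime permission.
# With it in an applicable grant, the browser plugin does not prompt for
# trust; the applet gets exactly what the policy files say, no more.
policy_has_usepolicy() {
    grep -q 'java.lang.RuntimePermission[[:space:]]*"usePolicy"' "$1"
}

# Exit status 0 when every signedBy grant can be resolved: either the file has
# no signedBy grant, or it also declares a keystore directive. Exit status 1
# for the combination from the original post (signedBy, no keystore), where
# the alias cannot be looked up and the grant silently matches nothing.
policy_signedby_resolvable() {
    if grep -iq 'signedby' "$1"; then
        grep -iq '^[[:space:]]*keystore[[:space:]]*"' "$1"
    else
        return 0
    fi
}

# Print the findings for one policy file; exit status 1 if it is broken.
lint_policy() {
    rc=0
    if policy_has_usepolicy "$1"; then
        echo "$1: usePolicy granted: no trust prompt, only explicit grants apply"
    fi
    if ! policy_signedby_resolvable "$1"; then
        echo "$1: signedBy grant but no keystore directive: alias cannot be resolved" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$1: ok"
    return "$rc"
}

WORK=$(mktemp -d)

# Constructed: the original poster's third policy (signedBy, no keystore).
cat > "$WORK/op.policy" <<'EOF'
grant signedBy "query" {
    permission java.security.AllPermission;
};
EOF

# Constructed: the same grant, plus the keystore the alias lives in.
cat > "$WORK/fixed.policy" <<'EOF'
keystore "file:newstore";

grant signedBy "query" {
    permission java.security.AllPermission;
};
EOF

# Constructed: a java.policy fragment that disables the trust prompt.
cat > "$WORK/usepolicy.policy" <<'EOF'
grant {
    permission java.lang.RuntimePermission "usePolicy";
};
EOF

for f in "$WORK"/*.policy; do
    lint_policy "$f" || true
done
```

Run it against the real files harmmeijer names, ~/.java.policy and the JRE's lib/security/java.policy, to see which of the two conditions applies before changing anything: a usePolicy hit explains a missing trust prompt, and a signedBy grant with no keystore directive explains an applet that is "trusted" but still sandboxed.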
# 7
Hi! Does that solution, using keytool, work for IE?
arsouyea at 2007-7-10 1:57:06
# 8

Not for the MSJVM; signing doesn't do much for the MSJVM either (with jarsigner).

When you have the object (embed) tag in your html page, IE will use the Sun plugin to run the applet (like with Flash). All policies and jarsigner signatures will work now.

It doesn't matter if it's IE or Mozilla.

harmmeijera at 2007-7-10 1:57:06