|
 |
 |
|
Summary of ProcessMake any necessary changes in the applet's code (see Writing code for Microsoft Internet Explorer). Collect the tools you'll need: Internet Explorer 4.0 (or later), a Microsoft Authenticode digital ID,
Note: this procedure has been extensively revamped due to changes in Microsoft's tools. It is now based on the code signing tools included with Microsoft's Java SDK 2.01. Note: Internet Explorer version 4 was the earliest to recognize signed applets, and only under Windows. The Macintosh version of Explorer doesn't (and may never) recognize signed applets. Ahh, standards... Collect toolsYou'll need seven items to do Explorer digital signing: Microsoft Internet Explorer 4, a Microsoft Authenticode digital ID, a DOS program called Download Internet Explorer 4.0 from the Microsoft web site at <http://www.microsoft.com/windows/ie/default.htm>. To get a digital ID from VeriSign, use Internet Explorer 4.0 or later under Win95 (make sure Java and JavaScript are enabled). Go to <http://www.verisign.com/>. Click "Developer Tools and Code Signing" and click "Buy Now" next to "Digital ID For Microsoft Authenticode". Follow the directions for enrolling for a Class 3 software publishing ID. Note: VeriSign used to have a Class 2 digital ID, for use by individual developers. It could be obtained in a manner of minutes, and cost $20/year. They're no longer offering this level of ID; my guess is too many people were buying Class 2 IDs rather than the (much more profitable) Class 3 IDs. Oh, well... When you receive your ID from VeriSign, you will be prompted to store it in a pair of files: your certificate file (with suffix ".spc") and your private key file (with suffix ".pvk"). When you use the code signing tools below you'll need to specify the location of these two files. (Copy them onto a floppy disk for safekeeping.)
Note: if you get an Authenticode digital ID from Thawte, the ID will be installed directly into the Windows key registry, not into " Alternatively, you can create your own test certificates using Now that you've got your certificate, you'll need to get the other tools. They are all part of Microsoft's Java SDK 2.02, which can be found (9/3/99) at <http://www.microsoft.com/java/download.htm>. (It's a 16MB download to get 300kB of files; sorry.) The first tool is If you're looking to permanently install your Java classes on the user's browser, check out
Note: these tools requires the "Microsoft CryptoAPI" to work. Although this isn't documented anywhere, this API is installed when you install Internet Explorer 4.0 or later. Set up a directory for signingCreate a top-level directory for the signing. Within that directory, create a subdirectory containing all the .class files for your applet (I called mine "MyApplet"). Within the subdirectory, place copies of all .class files in their directories. Top level .class files should be right inside this directory, and all package .class files should be in subdirectories with the package names (e.g. all my "util" package .class files are inside a subdirectory called "util"). Include all images files as well (these are utilized by Explorer, although not Navigator). Create a .cab signing batch fileCreate the following DOS batch file called @ECHO OFF REM This batch file creates and signs a .cab file. The first argument should be the REM name of the directory of files to be put into the cabinet (NO terminating "\", REM please!) The second argument should be the formal name of the REM applet. The third argument should be low, medium or high (generally low). REM Note: you should be in the directory containing the directory of REM files to be CABbbed/signed when you run this. REM I'll set up a couple of variables to make things more readable. You'll need to REM edit these values to match your setup. If you get an error such as REM "Out of environment space" then you'll have to increase your environment space. REM (Boy, do I love DOS.) REM This is the location of the digital ID certificate file (.spc). For convenience, REM I put mine in the same directory as my Navigator ID database. SET CERT_FILE="c:\program files\netscape\users\griscom\mycred.spc" REM This is the location of the digital ID private key file (.pvk). SET KEY_FILE="c:\program files\netscape\users\griscom\mycred.pvk" REM First, create the CAB file. The arguments here are: REM -r Recurse into subdirectories REM -p Preserve path names REM -P [arg] Strip the argument (here "%1\") from the beginning of each path REM N [arg] Create the given named .cab file REM [rest] Put these files (here "%1\*.*") into the .cab file REM Note! this does NOT use the -s option to reserve space for the signature; REM the latest version of signcode (from the Java SDK 2.01) doesn't need this. ECHO *********** About to create .cab archive using cabarc *********** cabarc -r -p -P %1\ N %1.cab %1\*.* REM Next, sign the code. Arguments are: REM -j javasign.dll This provides the tools to do Java permission levels REM -jp [arg] The permission level to be used REM -spc [arg] Software publishing certificate file REM -v [arg] Private key file REM -n [arg] Nice name of archive (shown in digital ID dialog) REM [arg] Archive file to be signed (here "%1.cab") ECHO *********** About to sign archive using signcode *********** signcode -j javasign.dll -jp %3 -spc %CERT_FILE% -v %KEY_FILE% -n %2 %1.cab REM Finally, timestamp the code. (I put this in a separate command to make each REM command simpler.) NOTE! for this to work you must have an Internet REM connection up and running. Arguments are: REM -x Timestamp the archive; do not sign it (it's already done) REM -t [arg] The timestamp server's HTTP address (here it's VeriSign) REM -tr [arg] The number of times to try timestamping before giving up REM [arg] Archive file to be timestamped (here "%1.cab") ECHO *********** About to timestamp .cab archive using signcode *********** signcode -x -t http://timestamp.verisign.com/scripts/timstamp.dll -tr 5 %1.cab REM Punt the various environment variables SET CERT_FILE= SET KEY_FILE= ECHO *********** Done timestamping .cab archive *********** Change the CERT_FILE and KEY_FILE values to correspond to the location of your public credential file and private key file, respectively. Make sure that
Note: if you gave your ID a password when you got it from VeriSign,
Remember: if you use Thawte as your CA you'll have to modify the Do the actual signingChange to the directory that contains the directory containing your applet's .class files. Then, run cabsign MyApplet "Super Duper Applet" "low" You'll see lots of messages scroll up the screen. When done, a new file with the applet directory's name and the suffix ".cab" will be created.
Note: if you don't have an active connection to the Internet when you do this, the timestamping process will fail. The resulting archive will be valid and signed, just not timestamped.
Note: the timestamping URL I give in my batch file above is for VeriSign. If your certificate wasn't issued by VeriSign then you should probably use your CA's timestamping service (although I believe VeriSign's will work, it isn't very fair). Verify the signed archiveThe first time you create a signed archive you'll want to verify it. Do this using chktrust MyApplet.cab If the archive is signed properly, you'll get a "Security Warning" dialog asking if you want to install and run "Super Duper Applet", which was signed by you (signature verified by your CA). If not, you won't. Install the signed archivePut the signed .cab archive into the web server directory containing the main class of your applet. Change the .html file that invokes the applet so that it mentions the archive: <title>My Wonderful Signed Applet</title>
<hr>
<applet code="MyApplet.class" width=600 height=350>
<param name="CABBASE" value="MyApplet.cab">
</applet>
<hr>
Note: f you need to have an applet with multiple .cab archives, you can use the Possible ProblemsTimestamping may fail for a number of reasons:
If you don't see a security dialog when the applet is loaded into Explorer then the applet isn't properly signed and won't be allowed any privileges. If your signed applet gets a Once in a while I've seen a If all else fails, then try this: at each step in the signing process, substitute information that you know is wrong. Examples: put in incorrect passwords, change file names, change paths, rename files, etc. If this changes the results (new error message, different error message, etc.) then your original information was probably correct. If not, then either the problem is occurring before that step, or your original information was itself wrong. Note on Microsoft Security LevelsInternet Explorer actually supports three different security levels: "high", "medium" and "low." The batch file above assumes that you want the low security level, which grants all possible privileges to the applet. High level means that the applet is restricted to the sandbox, just like an unsigned applet. Medium level sounds more interesting: the applet has access to a certain amount of temporary hard disk space, and can do "user-directed" file I/O. Problem: for your code to take advantage of the abilities granted at the Medium level you must use Microsoft-proprietary Java classes. This means that if you rely on these capabilities your code will be restricted to running on Microsoft platforms. Since I like conspiracy theories, I view this as one more attempt by Microsoft to lure programmers into writing Java code that only works on Microsoft platforms, thus subverting a major threat to their hegemony. Other, more charitable souls may see this as Microsoft's generous efforts to enhance Java. You'll have to decide for yourself. For more information, see Signing a Cabinet File with Java Permissions at <http://www.microsoft.com/Java/sdk/32/pg/pg_pkgdist_signcode_4.htm>. Next section: Signing for both Navigator and Explorer
|
||||||
| Copyright © 2012 Daniel Griscom | Site design myriadweb.com |
