
How to Sign a MIDlet

In summary, these are the steps required to sign a MIDlet with a certificate.

  1. Generate public/private key pairs.
  2. Generate a Certificate Signing Request (CSR) and submit it to a CA.
  3. Sign the MIDlet with the certificate.

The following software is required to accomplish these steps:

  1. Sun Java 2 SDK or JRE
  2. Sun Wireless Tool Kit (WTK)

Generate public/private key pairs

Create a Keystore

From the command line, navigate to the Java 2 SDK bin directory (if it is not yet in the PATH) and type the following command:

keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>

It prompts you to enter a password for your keystore, your name, organization, and address. For example:


C:\tmp>keytool -genkey -keyalg rsa -keystore vitraining.keystore -alias vitraining
Enter keystore password:  1234567890
What is your first and last name?
  [Unknown]:  akhmad daniel
What is the name of your organizational unit?
  [Unknown]:  vitraining
What is the name of your organization?
  [Unknown]:  vitraining
What is the name of your City or Locality?
  [Unknown]:  bandung
What is the name of your State or Province?
  [Unknown]:  jawa barat
What is the two-letter country code for this unit?
  [Unknown]:  ID
Is CN=akhmad daniel, OU=vitraining, O=vitraining, L=bandung, ST=jawa barat, C=ID
correct?
  [no]:  yes

Enter key password for <vitraining>
        (RETURN if same as keystore password):

You will find the keystore file, called vitraining.keystore, in the working directory.

List the generated keypairs

To see the generated key pair entry, type the following command:

keytool -keystore <keystore_filename> -list

For example:

C:\tmp>keytool -keystore vitraining.keystore -list
Enter keystore password:  1234567890

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

vitraining, Dec 14, 2009, keyEntry,
Certificate fingerprint (MD5): CA:EE:0C:D6:64:4D:C3:A3:B9:92:9B:14:58:E0:A1:76

 

Generate Certificate Signing Request (CSR) and submit it to CA

Next, you need to generate a Certificate Signing Request (CSR) for the enrollment process.

Generate CSR

Type the following command to create a CSR for the key pair in the keystore:

keytool -certreq -file <certreq_filename.csr> -keystore <keystore_filename> -alias <alias_name>

For example:

C:\tmp>keytool -certreq -file vitraining.csr -keystore vitraining.keystore -alias vitraining
Enter keystore password:  1234567890

You will find a new CSR file, called vitraining.csr, in the working directory. Submit the generated CSR to the CA.

Sign the MIDlet with the certificate

Once the CA has approved your request, you will receive the certificate, usually by email. Copy and paste the certificate, or save the attachment, to a file. The next steps are:

Import the certificate to your keystore

Use the following command:

keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file <cert_filename>

For example:

C:\tmp>keytool -import -trustcacerts -keystore vitraining.keystore -alias vitraining -file vitraining.cert
Enter keystore password:  1234567890
Certificate reply was installed in keystore

The keystore now contains the valid certificate.

Sign the JAD file

Use the JadTool utility to sign a JAR file by adding both the certificate and the JAR file’s digital signature to the Java Application Descriptor (JAD) file. The process is:

a. Adding the certificate to JAD

To add the certificate as the value of an attribute named MIDlet-Certificate-m-n, we will use JadTool.jar. Here m is the number of the certificate chain, and n is an integer that, for new certificates, begins at one and increments by one each time you add a new certificate to the JAD file.

java -jar %WTK_HOME%\bin\JadTool.jar -addcert -keystore <keystorename> -alias <aliasname> -storepass <password> -inputjad <input_jadfile> -outputjad <output_jadfile>

For example:

java -jar %WTK_HOME%\bin\JadTool.jar -addcert -keystore vitraining.keystore -alias vitraining -storepass 1234567890 -inputjad test.jad -outputjad test_t.jad

On success, you should see the following attributes added to your output JAD file (test_t.jad in the example):

MIDlet-Certificate-1-1

MIDlet-Certificate-1-2

MIDlet-Certificate-1-3

b. Adding JAR’s digital signature to the JAD

This last step computes the JAR’s digital signature and stores it as the value of the MIDlet-Jar-RSA-SHA1 attribute of the output JAD file.

java -jar %WTK_HOME%\bin\jadtool.jar -addjarsig -jarfile <jar_file> -keystore <keystorename> -alias <aliasname> -storepass <password> -keypass <password> -inputjad <input_jadfile> -outputjad <output_jadfile>

The default value for -jarfile is the MIDlet-Jar-URL property in the JAD file. For example:

java -jar %WTK_HOME%\bin\jadtool.jar -addjarsig -jarfile test.jar -keystore vitraining.keystore -alias vitraining -storepass 1234567890 -keypass 1234567890 -inputjad test.jad -outputjad test_t.jad
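
To confirm the result of steps a and b, the check below reads the output JAD, rebuilds certificate chain 1 from the MIDlet-Certificate-1-n attributes, and verifies the MIDlet-Jar-RSA-SHA1 value against the JAR with the signer's public key. It is an added example, not part of the original post or the WTK; the class name JadSignatureCheck and its two arguments (JAD path, JAR path) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.*;
import java.security.Signature;
import java.security.cert.*;
import java.util.*;

// Added example (not WTK code): verifies a signed JAD against its JAR.
public class JadSignatureCheck {
    // Parse the JAD's "Name: value" lines into a map.
    static Map<String, String> parseJad(List<String> lines) {
        Map<String, String> attrs = new LinkedHashMap<>();
        for (String line : lines) {
            int colon = line.indexOf(':');
            if (colon > 0)
                attrs.put(line.substring(0, colon).trim(), line.substring(colon + 1).trim());
        }
        return attrs;
    }

    // Rebuild chain 1 in order: MIDlet-Certificate-1-1 (signer), -1-2, ...
    static List<X509Certificate> chain(Map<String, String> attrs) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        String b64;
        for (int n = 1; (b64 = attrs.get("MIDlet-Certificate-1-" + n)) != null; n++) {
            byte[] der = Base64.getDecoder().decode(b64);
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    // args[0] = JAD path, args[1] = JAR path (both assumptions of this example)
    public static void main(String[] args) throws Exception {
        Map<String, String> attrs = parseJad(Files.readAllLines(Paths.get(args[0])));
        List<X509Certificate> certs = chain(attrs);
        String sigB64 = attrs.get("MIDlet-Jar-RSA-SHA1");
        if (certs.isEmpty() || sigB64 == null)
            throw new IllegalStateException("JAD lacks MIDlet-Certificate-1-1 or MIDlet-Jar-RSA-SHA1");
        certs.get(0).checkValidity();               // signer certificate is within its validity period
        for (int i = 0; i + 1 < certs.size(); i++)  // each certificate is signed by the next one
            certs.get(i).verify(certs.get(i + 1).getPublicKey());
        Signature sig = Signature.getInstance("SHA1withRSA"); // PKCS#1 v1.5 over SHA-1 of the JAR
        sig.initVerify(certs.get(0).getPublicKey());
        sig.update(Files.readAllBytes(Paths.get(args[1])));
        boolean ok = sig.verify(Base64.getDecoder().decode(sigB64));
        System.out.println(ok ? "OK: signed by " + certs.get(0).getSubjectX500Principal()
                              : "FAIL: MIDlet-Jar-RSA-SHA1 does not match this JAR");
    }
}
```

Compile it with javac and run it as java JadSignatureCheck test_t.jad test.jar. An exception from checkValidity or verify points at the certificate chain itself rather than at the JAR signature.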

Conclusion

To conclude:

  1. The keystore file is the file you created to store the public and private key pairs.
  2. The CSR file is the file you created to submit to the CA in order to get a valid certificate.
  3. After getting the certificate, save it to a file, and then import it back into your keystore file.
  4. The keystore file is then ready to be used for signing JAR and JAD files.

 

  1. David
    November 30th, 2010 at 00:40 | #1

    Hello:

    I have a Thawte certificate (299$) and I want to sign my MIDlet. My app has one permission: javax.wireless.messaging.sms.send.

    First scenario:

    I use Netbeans. If I try to sign my MIDlet, only the .jad file changes. Netbeans adds the following lines:

    MIDlet-Certificate-1-1: MIIEJjCCAw6gAwIBAgIQHJqq1asymZ……..
    MIDlet-Certificate-1-2: MIIEnDCCA4SgAwIBAgIQR5dNeHOlv……
    MIDlet-Certificate-1-3: MIIERTCCA66gAwIBAgIQM2VQCH….

    If I try to install this MIDlet sending the jad and the jar files through Bluetooth, the installation goes ok. The app is secure. But if I try to send an SMS, (I push a “Send” command in a Form) the SMS is not sent. Nothing happens!!! No errors or exceptions, nothing, but if the MIDlet is not signed, the app can send the SMS well.

    The second scenario:

    I try to install the application using only the .jar file.

    I sign my application with jarsigner:

    jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore Keystore.p12 -storetype pkcs12 MyMIDlet.jar myalias

    Doing this, the jar file increases its size. I can see inside the META-INF folder, inside the jar file, that:

    1. The Manifest file has several digests. One for each file inside the jar:

    Manifest-Version: 1.0
    bla bla bla…

    Name: res/icon.png
    SHA1-Digest: NFzSgJ9d8aHy/v4thNG+sMAhNiQ=

    Name: etc…

    2. I have two new files: myalias.SF and myalias.RSA

    But if I try to install this jar I obtain an error message: The application is not trusted!

    Help!!
