Introduction

This is a brief description of the procedure for packaging and signing a Java applet. This has to be done to enable some privileges that aren't usually given to most applets, such as the ability to connect to a server other than the web server on which the applet is stored.

Procedure

  1. Create your keys

    This only needs to be done once for all the JARs (or other documents) you want to sign. In effect, it creates a cryptographic identity for you. Because the key is self-signed rather than certified by a trusted third party, others cannot verify that the identity is genuinely yours; however, any user of your applet will be prompted to accept your key in order to enable the restricted functionality, so it is good enough for us.

    The Java SDK provides the keytool utility for creating and managing cryptographic keys. Every set of keys is stored in a password-protected file called a keystore and is itself password protected within that file. keytool is used from the command line: the first argument specifies the action we'd like the utility to perform, and we also need to specify the keystore to use and the alias (name) of the keys we'd like to manipulate.

    Example:

    keytool -genkeypair -alias signing -keyalg RSA -keystore ~/.keystore -keypass mypass

    This states that we'd like to generate a pair of keys (-genkeypair) with the alias "signing" using the RSA public-key algorithm (-keyalg is optional), that we want to store the keys in a file called ".keystore", a hidden file in our home directory (~), and that we're assigning the password "mypass" to the keys. The keytool utility will prompt for more information about the user whose identity is being created and also for a password to the keystore file, which, if the file doesn't already exist, will be assigned to the file. Any future uses of the keys will require us to enter first the keystore file password followed by the password for the keys themselves. Note that a password given on the command line ends up in your shell history; if -keypass is omitted, keytool prompts for it instead.

  2. Create The JAR (Java ARchive)

    We need the jar utility for this, which is used from the command line and is very similar to the tar utility. The first argument to the tool is a string of single-letter flags that indicate the action we'd like to take. The following arguments depend on the action being performed but are generally the names of the files we're using.

    jar cf <jar filename> <list of files>
    NOTE: The angle brackets shouldn't be typed on the command line

    Example:

    jar cf ClientApplet.jar *.class

  3. Sign the JAR

    Just like signing a piece of paper, we have to attach our personal identity to the document, in this case our JAR file, to verify that we created or "approved" it. The Java SDK provides the jarsigner utility for this purpose. Like the other utilities, it is used from the command line and requires some arguments, particularly the JAR file to sign, the keystore from which to get the keys to use for the signature, and the alias of the keys to get from the keystore. For example:

    jarsigner -keystore .keystore ClientApplet.jar signing

    This signs the JAR named ClientApplet.jar (assumed to be in the current directory) using the keys named "signing" that are stored in the keystore called ".keystore" (also located in the current directory). If you created the keystore in your home directory as in step 1, pass -keystore ~/.keystore instead. jarsigner will prompt for the keystore password and then for the key password before writing the signature into the JAR's META-INF directory.
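    A check a practitioner would want after step 3, as an added example that is not part of the original page: a small Java program (the class name VerifySignedJar and the default path ClientApplet.jar are assumptions) that opens the signed JAR with verification enabled, reports any entry not covered by a signature, and prints the signer's subject and certificate fingerprint so it can be compared against the key created in step 1.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {
    public static void main(String[] args) throws Exception {
        // Assumed path: the JAR produced in step 2 and signed in step 3.
        String path = args.length > 0 ? args[0] : "ClientApplet.jar";
        int unsigned = 0;
        // verify=true makes JarFile check each entry's digest against the signature
        // file as the entry is read; a tampered entry throws SecurityException.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Directories and the signature metadata under META-INF/ are never signed themselves.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // The entry must be read to the end before getCodeSigners() is populated.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.readAllBytes(); // Java 9+; contents are discarded, only the digest check matters
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    unsigned++;
                    System.out.println("UNSIGNED  " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    X509Certificate cert = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    System.out.printf("signed    %s%n   by %s%n   SHA-256 %s%n", entry.getName(),
                            cert.getSubjectX500Principal().getName(), fingerprint(cert));
                }
            }
        }
        if (unsigned > 0) {
            System.err.println(unsigned + " entries are not covered by any signature");
            System.exit(1);
        }
    }

    /** Hex SHA-256 of the certificate's DER encoding, for comparing against the key you created. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

    The same check is available from the command line with jarsigner -verify -verbose -certs ClientApplet.jar; the program above is useful when the verification has to happen inside a deployment or build step.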