Applet Security with Self-Signing Jar Files

Applets are, by design, restricted in what they can do. These restrictions protect a user from arbitrary code executing on their machine. Signing an applet removes most of these restrictions. By signing an applet, the applet writer vouches that the applet is safe. The user of a signed applet can accept the signed applet and have it run without most restrictions, or reject the applet and not have it run at all. A signed applet should be signed using a certificate from a recognized certificate authority (which costs money), but a self-signed certificate will work (and is free).

Here is the simplest way (with reasonable options included) to self-sign an applet.
Say that your applet is contained in a jar file named "Security.jar".

1. keytool -genkey -dname "cn=Trusted Developer" -validity 365 -storepass SecretStorePassword -keypass SecretKeyPassword
   Note: You only need to do this ONCE.
   - Trusted Developer is the developer's common name (enter your name here)
   - 365 is the number of days that the self-signed certificate will be valid for
   - SecretStorePassword is the keystore password (make up your own password!)
   - SecretKeyPassword is the key password (make up your own password!)
2. jarsigner -storepass SecretStorePassword -keypass SecretKeyPassword Security.jar mykey
   - mykey is the default keystore alias

Below are all the steps necessary to produce a signed jar file named "Security.jar" from a Java source code file called Security.java.

::] keytool -genkey -dname "cn=Trusted Developer" -validity 365 -storepass SecretStorePassword -keypass SecretKeyPassword

The above step does not need to be done again.

The following steps need to be done each time a self-signed jar file is to be made.

::] javac -version
javac 1.6.0_21

::] javac Security.java

::] jar -cf Security.jar Security.class

::] jarsigner -storepass SecretStorePassword -keypass SecretKeyPassword Security.jar mykey

The following step shows how to verify the signed jar file.

::] jarsigner -verify -verbose Security.jar

         138 Mon Oct 04 23:34:56 EDT 2010 META-INF/MANIFEST.MF
         259 Mon Oct 04 23:34:56 EDT 2010 META-INF/MYKEY.SF
         804 Mon Oct 04 23:34:56 EDT 2010 META-INF/MYKEY.DSA
           0 Mon Oct 04 23:34:44 EDT 2010 META-INF/
smk      620 Mon Oct 04 23:34:30 EDT 2010 Security.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
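
The verbose listing above flags each entry, so it can be checked mechanically. The shell functions below are an added example, not part of the original page: they read `jarsigner -verify -verbose` output on stdin and report every content entry that lacks the `s` flag. The function names and both sample listings are constructed here, and the parser assumes the column layout shown above.

```shell
#!/bin/sh
# Added example: list jar entries not covered by the signature, reading
# `jarsigner -verify -verbose` output on stdin. Assumes the listing layout
# shown on this page: [flags] size weekday month day time zone year name

unsigned_entries() {
    awk '{
        if ($1 ~ /^[0-9]+$/)                          { flags = ""; first = 8 }
        else if ($1 ~ /^[smki]+$/ && $2 ~ /^[0-9]+$/) { flags = $1; first = 9 }
        else next                    # legend, blank line, "jar verified."
        if (NF < first) next
        name = $first                # rejoin names that contain spaces
        for (i = first + 1; i <= NF; i++) name = name " " $i
        # The manifest, signature files and directories are never signed.
        if (name ~ "^META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|DSA|RSA|EC))$") next
        if (name ~ "/$") next
        if (flags !~ /s/) print name # no "s": signature not verified
    }'
}

# Succeeds only when every content entry carries the "s" flag.
all_entries_signed() {
    [ -z "$(unsigned_entries)" ]
}

# Constructed sample: mirrors the listing shown on this page.
sample_signed() {
cat <<'EOF'

         138 Mon Oct 04 23:34:56 EDT 2010 META-INF/MANIFEST.MF
         259 Mon Oct 04 23:34:56 EDT 2010 META-INF/MYKEY.SF
         804 Mon Oct 04 23:34:56 EDT 2010 META-INF/MYKEY.DSA
           0 Mon Oct 04 23:34:44 EDT 2010 META-INF/
smk      620 Mon Oct 04 23:34:30 EDT 2010 Security.class

  s = signature was verified
jar verified.
EOF
}

# Constructed sample: the same jar with a class added after signing.
sample_tampered() {
    sample_signed
    echo "         312 Tue Oct 05 09:00:00 EDT 2010 Extra.class"
}

sample_tampered | unsigned_entries    # prints: Extra.class
```

Against a real jar, pipe the verify command into the check: `jarsigner -verify -verbose Security.jar | all_entries_signed`.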

Example

Normally, applet security prevents unsigned applets from displaying a user's account name.
The following applet source code attempts to display the user's account name.

Security.java

public class Security extends javax.swing.JApplet
{
    public Security()
    {
        add(new javax.swing.JLabel("user name = " + System.getProperty("user.name")));
    }
}

Getting a user's account name is a restricted operation. The applet security model will prevent the applet from running.
The applet will run if the code is put in a signed jar file and the user accepts the code signature certificate.
Below is an example of the above applet put in a signed jar file. (Security.jar)

[Embedded applet: Sample signed applet]

Signing pack200 compressed jar files

First read "Java Applets in HTML5".

Here are the steps:

::] javac -version
javac 1.6.0_21

::] javac Security.java

::] jar cvf Compressed_Security.jar *.class
added manifest
adding: Security.class(in = 620) (out= 381)(deflated 38%)

::] pack200 -r Compressed_Security.jar

::] jarsigner -storepass SecretStorePassword -keypass SecretKeyPassword Compressed_Security.jar mykey

::] pack200 Compressed_Security.jar.pack.gz Compressed_Security.jar

To verify that the compressed jar file is signed correctly, use unpack200 to uncompress the jar file.

::] unpack200 Compressed_Security.jar.pack.gz Verify.jar

::] jarsigner -verify -verbose Verify.jar

         138 Mon Oct 04 23:36:24 EDT 2010 META-INF/MANIFEST.MF
         259 Mon Oct 04 23:36:24 EDT 2010 META-INF/MYKEY.SF
         804 Mon Oct 04 23:36:24 EDT 2010 META-INF/MYKEY.DSA
           0 Mon Oct 04 23:35:46 EDT 2010 META-INF/
smk      620 Mon Oct 04 23:34:30 EDT 2010 Security.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

[Embedded applet: pack200 compressed jar file signed applet]