Code Signing Digital IDs for Sun Java
Signing Realizing
the Possibilities of Internet Software
Distribution
What
Is Code Signing? When customers buy software in a store,
the source of that software is obvious. Customers can tell who
published the software, and they can see whether the package has
been opened. These factors enable customers to make decisions about
what software to purchase and how much to "trust" those
products.
When customers download software from the Internet,
the most they see is a message warning them about the dangers of
using the software. The Internet lacks the subtle information
provided by packaging, shelf space, and shrink-wrap. Without any
assurance of the software's integrity, and without knowing who
published the software, it's difficult for customers to know how
much to trust software downloaded from the Internet.
The
solution to these issues is Sun Java Object Signing coupled with
VeriSign® Code Signing Digital IDs.
Object Signing, through the use of digital signatures, enables
software developers to include information about themselves and
their code with their software.
When customers download
software signed with a Sun Java Code Signing Digital ID issued by
VeriSign, they can be assured of:
Content Source: End
users can confirm that the software really comes from the publisher
who signed it. Content Integrity: End users can verify
that the software has not been altered or corrupted since it was
signed.
Users benefit from this software accountability
because they know who published the software and that the code
hasn't been tampered with. In the extreme case that software
performs unacceptable or malicious activity on their computers,
users can also pursue recourse against the publisher. This
accountability and potential recourse serve as a strong deterrent to
the distribution of harmful code.
Developers and Web masters
benefit from Object Signing because it builds trust in their names
and makes it more difficult to falsify their products. By signing
their code, developers build a trusted relationship with users, who
learn they can download software signed by that publisher or Web
site with confidence. With Sun Java Signing, developers can create
exciting Web pages using signed Java applets, plug-ins, or other
executables. And users can make educated decisions about what
software they want to download.
Who
Needs a Code Signing Digital ID? Any software publisher
planning to distribute code or content over the Internet or through
an extranet risks impersonation and tampering. VeriSign Code Signing
Digital IDs for Sun Java Signing protect against these
hazards.
VeriSign offers Code Signing Digital IDs
designed for commercial software developers: companies and other
organizations that publish software. This class of Digital ID
provides assurance regarding an organization's identity and
legitimacy, much like a business license, and is designed to
represent the level of assurance provided today by retail channels
for software.
What
Does Object Signing Look Like to End Users? Applications
that run Java Applets and applications on the Java Runtime
Environment (JRE) come with security features that recognize Object
Signing. For example, when users visit a Web page that uses Java
applets to provide animation or sound, their browsers download code
to their machines to achieve the desired effects. While this may
provide substantial value, users run the risk of downloading viruses
or other unwanted code.
When an application running on the
JRE encounters a software component that is trying to gain access to
the user's machine, it automatically checks to see if there is a
recognized digital signature with that software. If the code is
signed with Sun Java Signing, JRE prompts the application to display
a warning dialog box similar to the following:
Image 1: The Java Plug-in Security Warning dialog
box launched by the WebStart launcher. The warning
dialog box informs the end user:
Of the true identity of the
publisher Of the type of access requested by the software That
VeriSign has authenticated the identity of the code
signer.
The end user can choose to grant or deny the
requested privileges, or to view the Digital ID used to sign the
code. The warning dialogs also provide the user with an estimated
level of the risk (high, medium, or low) associated with the
requested privileges and a means for viewing the details included in
the software developer's Digital ID.
Image 2: The Certificate Properties dialog box
launched by the WebStart launcher.
Technical
Background
What is a Digital ID? A Digital
ID (also known as a digital certificate or Code Signing Digital ID)
is a form of electronic credential for the Internet. Similar to a
drive's license, employee ID card, or business license, a Digital ID
is issued by a trusted third party to establish the identity of the
ID holder. The third party who issues the Digital ID is known as a
Certification Authority (CA).
Digital ID technology is based
on the theory of public key cryptography. In public key cryptography
systems, every entity has two complementary keys—a public key and a
private key—which function only when they are held together. Public
keys are widely distributed to users, while private keys are kept
safe and only used by their owner. Any code digitally signed with
the publisher's private key, can be successfully verified only with
the complementary public key. Another way to look at this is that
code that is successfully verified using the publisher's public key
(which is sent along with the digital signature) can only have been
digitally signed using the publisher's private key (thus
authenticating the source of the code), and has not been tampered
with. For more information on public keys and private keys, please
see the VeriSign white paper, "Introduction to Public Key
Cryptography.")
The purpose of a Digital ID is to reliably
link a public/private key pair with its owner. When a CA such as
VeriSign issues Digital IDs, it verifies that the owner is not
claiming a false identity. Just as when a government issues you a
passport it is officially vouching for the fact that you are who you
say you are, when a CA issues you a Digital ID, it is putting its
name behind the statement that you are the rightful owner of your
public/private key pair.
A Digital ID is valid only for the
period of time specified by VeriSign. The ID contains information
about its beginning and expiration dates. VeriSign can also revoke
(cancel) any Digital ID it has issued and maintains a list of
revoked Code Signing IDs. This list of revoked Code Signing Digital
IDs, called a Code Signing Digital ID Revocation List (CRL), is
published by VeriSign so anyone can determine the validity of any
Digital ID.
Certification Authorities Certification
Authorities, such as VeriSign, are organizations that issue Digital
IDs to applicants whose identities they are willing to vouch for.
Each Digital ID is linked to the Code Signing Digital ID of the CA
that signed it.
As the Internet's leading Certification
Authority, VeriSign has the following responsibilities:
- Publishing the criteria for granting, revoking, and managing
Digital IDs
- Granting Digital IDs to applicants who meet the published
criteria
- Managing Digital IDs (for example, enrolling, renewing, and
revoking them)
- Storing VeriSign's root keys in an exceptionally secure
manner.
- Verifying evidence submitted by applicants
- Providing tools for enrollment
- Accepting the liability associated with these responsibilities
How Does Object Signing Work with VeriSign Code Signing
Digital IDs? Sun Java Signing relies on industry-standard
cryptography techniques such as X.509 v3 Code Signing IDs and PKCS
#7 and #10 signature standards. These well-proven cryptography
protocols ensure a robust implementation of code signing
technology.
Object Signing uses digital signature technology
to assure users of the origin and integrity of software. In digital
signatures, the private key generates the signature and the
corresponding public key validates it. To save time, the Object
Signing protocols use a cryptographic digest, which is a one-way
hash of the document.
Note: Java Runtime Environment
(JRE) version 1.3 or newer must be installed on the end user's
machine.
The Code Signing Process:
- Publisher creates code.
- Publisher obtains a Sun Java Code Signing Digital ID from
VeriSign.
- Using the Java 2 Software Development Kit, the publisher:
- Creates a hash of the code, using an algorithm such as MD5
or SHA
- Encrypts the hash using their private key
- Creates a package containing the code, the encrypted hash,
and the publisher's Code Signing Digital ID
- The end-user's Java Runtime Environment (JRE) encounters the
package.
- The end-user's JRE examines the publisher's Code Signing
Digital ID. Using the VeriSign root public key that is already
embedded in the end-user JRE trusted root store, the end-user JRE
verifies the authenticity of the Code Signing Digital ID (which is
itself signed by the VeriSign root private key).
- Using the publisher's public key contained within the
publisher's Digital ID, the end-user JRE decrypts the signed hash.
- The end-user JRE runs the code through the same hashing
algorithm as the publisher, creating a new hash.
- The end-user JRE compares the two hashes. If they are
identical, the JRE sends a message stating that the content has
been verified by VeriSign. The end user is assured that the code
was signed by the publisher identified in the Digital ID and that
the code hasn't been altered since it was signed.
Image 3: Verifying the Code Signing Digital ID on
the end user's computer. The entire process is
transparent to end users, who see only a message that the content
was signed by its publisher and verified by
VeriSign.
The
Six Steps to Signing Code These instructions provide an
overview of obtaining and using Sun Java Signing and a Code Signing
Digital ID from VeriSign.
Step 1: Download the Java 2
Software Development Kit (SDK). The Java2 SDK for the Solaris
SPARC/x86, Linux86, and Microsoft Windows platforms is available
free of charge from java.sun.com.
You will be using the
following tools to apply for your Code Signing Digital ID and sign
your code: keytool, jar, and jarsigner.
Step 2: Generate a
public/private key pair. Enter the following code, specifying
an alias for your keystore, to generate a public/private key pair.
C:\>C:\jdk1.3\bin\keytool -genkey -keyalg rsa
-alias MyCert
In this string, the keystore alias is
MyCert. Keytool responds with prompts to enter a
password for your keystore, your name, organization, and address
information. The public/private key pair generated by keytool is
saved to your keystore and will be used to sign Java Applets and
Applications.
Note: Your private key is never sent to
VeriSign, so if you lose it, you will be unable to sign code. If
your private key is lost or stolen, please contact VeriSign to
cancel your Code Signing Digital ID.
Step 3: Generate a
Code Signing Digital ID Signing Request (CSR). Enter the
following code to generate a CSR:
C:\>C:\jdk1.3\bin\keytool -certreq -alias
MyCert
In this string, keytool is requested to create a
CSR for the key pair in the keystore MyCert.
After prompting you to enter the password for your
keystore, keytool will generate a CSR.
-----BEGIN NEW CODE SIGNING ID
REQUEST----- MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwE AYDVQQHEwlDdXBlcnRpbm8xGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbX MxFjAUBgNVBAsTDUphdmEgU29mdHdhcmUxEzARBgNVBAMTClN0YW5sZXk gSG8wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTgU8PovA4y59eb oPjY65BwCSc/zPqtOZKJlaW4WP+UhmebE+T2Mho7P5zXjGf7elo3tV5uI 3vzgGfnhgpf73EoMow8EJhly4w/YsXKqeJEqqvNogzAD+qUv7Ld6dLOv0 CO5qvpmBAO6mfaI1XAgx/4xU/6009jVQe0TgIoocB5AgMBAAGgADANBgk qhkiG9w0BAQQFAAOBgQAWmLrkifKiUYtd4ykhBtPWSwW/IKkgyfIuNMML dF1DH8neSnXf3ZLI32f2yXvs7u3/xn6chnTXh4HYCJoGYOAbB3WNbAoQR i6u6TLLOvgv9pMNUo6v1qB0xly1faizjimVYBwLhOenkA3Bw7S8UIVfdv 84cO9dFUGcr/Pfrl3GtQ== -----END
NEW CODE SIGNING ID REQUEST-----
This string is an example of a CSR generated
using keytool. A CSR contains a copy of the requestor's public key
and a hash of the data entered in step 2 signed with the
requestor's private key. Copy the CSR and paste
it into the VeriSign Sun Java Signing Digital ID application form,
accessible at http://www.verisign.com/products/signing/index.html.
When
your request is approved, VeriSign will attach your Sun Java Code
Signing Digital ID to your confirmation e-mail.
Upon receipt,
the attached Code Signing Digital ID is saved to a file on your
computer.
A Code Signing Digital ID is a "trust path" or "chain"
back to the VeriSign root certificate. This "trust path" allows
your code to be validated on any standard JRE without installing
any additional files. Note: VeriSign takes a
number of steps to verify your identity. For commercial publishers,
VeriSign does a considerable amount deal of background checking. As
a result, it will take approximately 3-5 business days to verify
your information and issue a Code Signing Digital ID.
Step
4: Import your Sun Java Signing Code Signing Digital
ID. Enter the following code, with the path to your Code
Signing Digital ID, to import the chain into your keystore.
C:\>C:\jdk1.3\bin\keytool -import -alias
MyCert -file VSSStanleyNew.cer
In this string, keytool is requested to import
the Code Signing Digital ID "VSSStanleyNew.cer" into the keystore
MyCert. Step 5: Bundle your applet into a JAR
file. Use jar to bundle your Applets or applications as a JAR
file.
C:>C:\jdk1.3\bin\jar cvf C:\TestApplet.jar
.
This string creates a JAR file
C:\TestApplet.jar. The JAR file contains all the files under the
current directory and its sub-directories.
Jar
responds with:
added manifest adding: TestApplet.class
(in = 94208) (out= 20103)(deflated 78%) adding:
TestHelper.class (in = 16384) (out= 779)(deflated 95%)
Step 6: Sign your applet. Use jarsigner to
sign the JAR file, using the private key you saved in your keystore.
C:\>C:\jdk1.3\bin\jarsigner C:\TestApplet.jar
MyCert At the prompt, enter the password to your
keystore.
Jarsigner hashes your Applet or Application, and
stores the hash in the JAR file created in step 5 with a copy of
your Code Signing Digital ID. Verify the output of your
signed JAR file.
C:>C:\jdk1.3\bin\jarsigner -verify -verbose
-certs d:\TestApplet.jar
This string verifies that the files have been
saved to the JAR file and that the signature is correct.
When the signed JAR file is downloaded, the Java
Runtime Environment will display your Digital ID to the user. If the
file is tampered with in any way after it has been signed, the user
will be notified and given the option of refusing
installation.
For more in-depth instructions on the use of
the Java 2 Software Development Kit, please see the JavaTM 2 Platform, Standard Edition, v 1.3
Documentation, available at http://www.javasoft.com/j2se/1.3/docs.html.
Conclusion Sun
Microsystems and VeriSign are committed to making the Internet a
secure and viable platform for commerce and the distribution of
content. With Sun Java Object Signing and a VeriSign Code Signing
ID, your code will be as safe and trustworthy to your customers as
it would be if you shrink-wrapped it and sold it off a store
shelf.
For more information about VeriSign Code Signing
Digital IDs for Sun Java Signing, including pricing, availability,
and Frequently Asked Questions, please visit
www.verisign.com/developers.
|
© 2002 VeriSign, Inc. All rights reserved. Legal
Notices Main Phone: 650-961-7500 · Fax:
650-961-7300 Sales:
650-426-5115
| |