Self-signed security certificates.. (oh, the evil)

Darren

Andrew Thompson said:
I was not quite clear enough. But..

Ok, a Linux box with Apache among other things, but I want to open a socket
to port 80. Someone had a good idea of sending an HTTP GET request and that
should do it if my applet can get the privileges.
I'm sure this was mentioned on another thread in this group, but..
<http://www.physci.org/install/download.jsp>
Try that. See how you go.

Easy enough. Nice interface btw :) and I see you used a *cough* self-signed
*cough* certificate.
Also, Roedy's WassUp applet at mindprod. Yes, I used that.

Roedy's applet is signed using a CA verified certificate,
mine is a self-signed certificate.

Nice one, but as most of this thread is no longer visible (expired, whatever),
can you recommend a site that accurately instructs me on writing self-signing
certificates for applets in Mozilla and IE?
Incidentally, I never said this before, but I am very grateful for all your
input on this.
 
Andrew Thompson

Nice one, but as most of this thread is no longer visible (expired, whatever),
can you recommend a site that accurately instructs me on writing self-signing
certificates for applets in Mozilla and IE?

I don't have much time to go into it at the moment, but..

The JDK has the tools in it; you need to create a self-signed certificate.
<http://java.sun.com/j2se/1.5.0/docs/tooldocs/index.html#security>

The certificate is the same one used in all
modern Javas (modern Sun Java running in any browser).

Perhaps Roedy has a page on making the certificate, but I don't,
and don't know of any good ones off the top of my head.
Incidentally, I never said this before, but I am very grateful for all your
input on this.

You're welcome.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Power and privilege cannot move a people, who know where they stand, and
stand in the law."
Paul Kelly 'From Little Things, Big Things Grow'
 
Dag Sunde

Roedy Green said:
Let's up the ante here by assuming you are a terrorist organisation
and the combined resources of all branches of the US government are
out to thwart you.
LOL...

Finally an entertaining lecture on security...

That said, Andrew's 'problems' with grokking code signing and certificates
are all too common. I was there myself 4-5 years ago, and worked, searched
and sweated for weeks before I finally got it. (And yes Andrew, I actually
bought one from Verisign at US$400 before I was able to test that it
worked).

After getting everything up and running, I too did as others in the
thread suggested and got it into a .bat file (later an Ant task) before I forgot
the whole thing.

Later I have used both OpenSSL and keytool to make self-signed certificates
for testing purposes and to serve applets off my own web site.

This link is a reasonable walkthrough for using keytool to create a
certificate:
http://www.jensign.com/JavaScience/www/selfsigned/
 
Dag Sunde

Well, that is one method I see for solving my problem. Now bear in mind that
I know very little of Java security and policies other than what you good
people have told me and what I have found on Google, but if I can either get
a web client to temporarily use my own policy file where it can get
permission to open a socket to my web site and read from it, or find another
way to do it, like a self-signed certificate, then that would be cool.

Darren...

Let's clear up this once and for all?

Your scenario is that:
* You have two web-servers
* Server A does NOT have server-side scripting available (B Does)
* On a web-page served from server A, you would like to inform
the user if server B is up and running.
* You tried to solve this by writing an Applet on the page from
server A. This Applet tried to open something on Server B.
If this was successful you would know that Server B was running.
* Your applet was stopped by a security-exception because it tried
to do a cross-domain request.
* I think it was I that led you down the path to the .policy file.
That was wrong of me, and I just did it to verify that your
development machine didn't have any special setup.
* From this point on, *forget* about .policy files.
* Create a jar file with a manifest from your original applet
* Use the following procedure to create a self-signed certificate
and sign your applet:
http://www.jensign.com/JavaScience/www/selfsigned/
* Redeploy the applet, and things should be working.
* No need for any special security or permission code.

(Or have I completely missed the point here?)
 
Andrew Thompson

(And yes Andrew, I actually
bought one from Verisign at US$400 before I was able to test that it
worked).

Thanks Dag. That is the first actual evidence I have,
that that happens.

[ I'm guessing you felt a little nervous about it, though. ;-) ]
 
Dag Sunde

Andrew Thompson said:
(And yes Andrew, I actually
bought one from Verisign at US$400 before I was able to test that it
worked).

Thanks Dag. That is the first actual evidence I have,
that that happens.

[ I'm guessing you felt a little nervous about it, though. ;-) ]

I had read a lot about it up front, and I "thought" I had understood it.

So I showed up at my boss' office, and told him that I absolutely
had to have it, and that there was no way I could make our applet
behave without it. He gave in, and paid the bill.

I can assure you that there was one nervous programmer in the period
following, until I actually signed and tested our applet back then...
($400.- was a lot of money for us back then)

:)
 
Andrew Thompson

On Mon, 12 Sep 2005 08:28:32 GMT, Dag Sunde wrote:

(CA certified code signing certificates)
..So I showed up at my boss' office, and told him that I absolutely
had to have it, and that there was no way I could make our applet
behave without it. He gave in, and paid the bill.

One might also read that as 'the manager saw the sense of
trusting the tech. advice offered by his technical advisor'.

[ I hear a lot of bad things said about managers that AFAIU,
are good at doing what they are supposed to do, i.e.
managing people/projects, and ensuring the right technical
people are in place to handle the details. ]
 
Raymond DeCampo

Roedy said:
By this you mean somebody interfering with the transmission from your
site to the end user in real time, which is much less likely than the
sort of attack of somebody downloading your code meddling with it,
then reposting it elsewhere.

I think a more likely strategy for a "man in the middle" attack is to
hijack a router and/or DNS server at an ISP and send people to a mirror
server. I agree that it is not a likely attack. I was just pointing
out that there is a technical purpose to having certificates beyond
self-signed. Whether the cost-benefit-risk calculation makes it worth
it is another story.
The Thawte style cert will protect you from both. A self-signed cert
will protect you from neither.

The self signed cert does almost nothing but add a fancy checksum to
the download.

Ray
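Dag's procedure earlier in the thread (create a self-signed certificate with keytool, sign the jar) and Ray's point that a self-signed certificate "does almost nothing but add a fancy checksum" are two sides of one check. The following is an added example, not code from the thread or from any of the posters, showing what a client can actually learn from a signed jar: it assumes a current JDK, a jar signed with `jarsigner` using a key pair from `keytool -genkeypair`, and optionally a truststore into which the signer's certificate was imported with `keytool -exportcert` / `keytool -importcert`. The class name `SignedJarCheck`, the `Verdict` labels and the command-line usage are assumptions of this example.

```java
// Added example, not code from the thread: checks a signed applet jar the way
// a careful client should, separating "the bytes match the manifest digests
// and the signature" (which a self-signed cert gives you) from "the signer is
// someone I already trust" (which needs a cert chaining to a trust anchor).
// Assumed usage: java SignedJarCheck Helloserver.jar [truststore.jks storepass]
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {

    /** What the signature on a jar can and cannot tell you. */
    public enum Verdict { UNSIGNED, TAMPERED, INTEGRITY_ONLY, TRUSTED_SIGNER }

    public static Verdict check(File jar, KeyStore trustStore) throws Exception {
        // verify=true: JarFile recomputes each entry's digest as it is read and
        // compares it with the manifest, which the .SF signature file covers.
        try (JarFile jf = new JarFile(jar, true)) {
            boolean sawEntry = false;
            boolean allTrusted = true;
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                sawEntry = true;
                // Signer data is only populated once the entry has been read to EOF.
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException digestMismatch) {
                    return Verdict.TAMPERED;   // contents differ from the signed digest
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return Verdict.UNSIGNED;   // one unsigned class fails the whole jar
                }
                for (CodeSigner s : signers) {
                    if (!chainsToTrustAnchor(s, trustStore)) allTrusted = false;
                }
            }
            if (!sawEntry) return Verdict.UNSIGNED;
            return allTrusted ? Verdict.TRUSTED_SIGNER : Verdict.INTEGRITY_ONLY;
        }
    }

    /**
     * PKIX path validation of the signer's certificate chain against the
     * trusted-certificate entries in trustStore. A self-signed signer cert that
     * was never imported as a trusted entry fails here: the signature proves
     * the jar matches *some* key, not *whose* key.
     */
    static boolean chainsToTrustAnchor(CodeSigner signer, KeyStore trustStore) {
        try {
            // Throws if the store holds no trusted certificate entries at all.
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // keep this example offline
            CertPathValidator.getInstance("PKIX").validate(signer.getSignerCertPath(), params);
            return true;
        } catch (GeneralSecurityException notTrusted) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        if (args.length >= 3) {
            try (InputStream in = new FileInputStream(args[1])) {
                trust.load(in, args[2].toCharArray());
            }
        } else {
            trust.load(null, null); // empty store: no signer can be trusted
        }
        Verdict v = check(new File(args[0]), trust);
        System.out.println(args[0] + ": " + v);
    }
}
```

Run against a jar signed with a fresh self-signed key and no truststore argument and the verdict is INTEGRITY_ONLY: the digests and the signature check out, but the chain ends at a certificate nobody vouches for, so a mirror of the kind Ray describes could ship its own self-signed jar and pass the same test. The same jar only rates TRUSTED_SIGNER once the signer certificate chains to an anchor the client already holds, whether a CA-issued code-signing certificate or the developer's own certificate deliberately imported into the truststore for testing.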
 
Darren

Dag Sunde said:
Darren...

Let's clear up this once and for all?

Your scenario is that:
* You have two web-servers
* Server A does NOT have server-side scripting available (B Does)
* On a web-page served from server A, you would like to inform
the user if server B is up and running.
* You tried to solve this by writing an Applet on the page from
server A. This Applet tried to open something on Server B.
If this was successful you would know that Server B was running.
* Your applet was stopped by a security-exception because it tried
to do a cross-domain request.
* I think it was I that led you down the path to the .policy file.
That was wrong of me, and I just did it to verify that your
development machine didn't have any special setup.
* From this point on, *forget* about .policy files.
* Create a jar file with a manifest from your original applet
* Use the following procedure to create a self-signed certificate
and sign your applet:
http://www.jensign.com/JavaScience/www/selfsigned/
* Redeploy the applet, and things should be working.
* No need for any special security or permission code.

(Or have I completely missed the point here?)
Nope. Nail on head. :)
All goes well until I try implementing it, then I get a class not found:
load: class Helloserver.class not found.
java.lang.ClassNotFoundException: Helloserver.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.FileNotFoundException:
C:\applets\Helloserver.jar\Helloserver\class.class (The system cannot find
the path specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(Unknown
Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
Exception in thread "Thread-5" java.lang.NullPointerException
at sun.plugin.util.GrayBoxPainter.showLoadingError(Unknown Source)
at sun.plugin.AppletViewer.showAppletException(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

"C:\applets\Helloserver.jar\Helloserver\class.class "

Something wrong there. The class is called helloserver.class, not class.class,
and it's located in c:\applets\, not in c:\applets\helloserver.

I tried to open the jar file with WinZip and I got "failed to load
main-class manifest attribute from c:\archive\Helloserver.jar".
Am I right in thinking the manifest is something to do with the security of
the signature of the jar?

Also, am I right in thinking that once I've created the signature, I can sign
as many applets as I want with the same signature?

TIA
 
Dag Sunde

Darren said:
Nope. Nail on head. :)
All goes well until I try implementing it, then I get a class not found:
load: class Helloserver.class not found.
java.lang.ClassNotFoundException: Helloserver.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
"C:\applets\Helloserver.jar\Helloserver\class.class "

Something wrong there. The class is called helloserver.class, not class.class,
and it's located in c:\applets\, not in c:\applets\helloserver.

C:\... ???

Can you post the HTML you use to load the applet? I.e. the web page containing
the applet.

I tried to open the jar file with winzip and i got "failed to load
main-class manifest attribute from c:\archive\Helloserver.jar"
Am I right in thinking the manifest is something to do with the security of
the signature of the jar?
Yes, the Jar file must have a manifest to be signed, but the 'jar' command
will add a default one if you don't specify one manually:

jar cfv test.jar MyClass.class

Also, am I right in thinking that once I've created the signature, I can sign
as many applets as I want with the same signature?

Yes, that is correct.
 
Darren

Dag Sunde said:
C:\... ???

Locally tested. I don't want to upload it till it's working.

Can you post the HTML you use to load the applet? I.e. the web page containing
the applet.
<HTML>
<HEAD>
</HEAD>
<BODY BGCOLOR="000000">
<CENTER>
<APPLET
code = "Helloserver.class"
codebase = "c:\applets"
archive "Helloserver.jar"
width = "500"
height = "300"
</APPLET>
</CENTER>
</BODY>

Yes, the Jar file must have a manifest to be signed, but the 'jar' command
will add a default one if you don't specify one manually:

jar cfv test.jar MyClass.class

I thought as much :)



Yes, that is correct.
It appears I'm beginning to understand this stuff after all. :)
 
Dag Sunde

Darren said:
"Dag Sunde" <[email protected]> wrote in message

Locally tested. I don't want to upload it till it's working.


<HTML>
<HEAD>
</HEAD>
<BODY BGCOLOR="000000">
<CENTER>
<APPLET
code = "Helloserver.class"
codebase = "c:\applets"
archive "Helloserver.jar"
width = "500"
height = "300"
</APPLET>
</CENTER>
</BODY>

Can you try to put the .jar in the same directory as the html,
and use 'codebase = "."'

(I suspect the codebase attribute doesn't like Disk-based paths).
 
Darren

Dag Sunde said:
Can you try to put the .jar in the same directory as the html,
and use 'codebase = "."'

(I suspect the codebase attribute doesn't like Disk-based paths).
I tried that, I even removed codebase altogether. No difference, though IE
didn't ask me for permission to run it. Should it have?
 
Dag Sunde

Darren said:
I tried that, I even removed codebase altogether. No difference, though IE
didn't ask me for permission to run it. Should it have?
I have an applet doing exactly what you are trying to do, and it works
perfectly when run from a web server.

I tried just now to run it from a local drive (the HTML + jar), and the
Java console shows me a permission denied.

I suggest you set up a web server locally, so you get a proper
test environment. There are too many differences between running something
from disk and running it under the control of a web server.
 
Darren

Dag Sunde said:
I have an applet doing exactly what you are trying to do, and it works
perfectly when run from a web server.

I tried just now to run it from a local drive (the HTML + jar), and the
Java console shows me a permission denied.

I suggest you set up a web server locally, so you get a proper
test environment. There are too many differences between running something
from disk and running it under the control of a web server.
Do you get a class not found error as well?
 
Dag Sunde

Darren said:
"Dag Sunde" <[email protected]> wrote in message
Do you get a class not found error as well?

No, but I use Swing and Sun's Java plugin.
That means I use a combination of two <object> tags
instead of the <applet> tag. That might be it?

Is your class a member of a package?

<object
id="helloFF"
type="application/x-java-applet"
archive="crossdomain.jar"
codebase="."
data="no.orion.crossdomain.CrossDomain.class"
width="250"
height="150"
class="notieapplet">
<param name="code" value="no.orion.crossdomain.CrossDomain.class" />
<param name="codebase" value="." />
<param name="archive" value="crossdomain.jar" />
<param name = "mayscript" value ="true"/>
<param name = "scriptable" value = "true" />

<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
id="helloIE"
type="application/x-java-applet"
data="no.orion.crossdomain.CrossDomain.class"
archive="crossdomain.jar"
codebase="."
width="150"
height="75">
<param name="code" value="no.orion.crossdomain.CrossDomain.class" />
<param name="codebase" value="." />
<param name="archive" value="crossdomain.jar" />
<param name="codebase" value="crossdomain.jar" />
<param name = "mayscript" value ="true" />
<param name = "scriptable" value = "true" />
</object>
</object>
 
Darren

Dag Sunde said:
No, but I use Swing and Sun's Java plugin.
That means I use a combination of two <object> tags
instead of the <applet> tag. That might be it?
I tried putting it on my website but it didn't solve the problem.
Is your class a member of a package?
Only a jar, but that's not what you mean, is it?
Is that what the data and param name = "code" attributes are about?
I notice one is for IE; what does the FF mean on the other, and "mayscript" and
"scriptable"?
 
Dag Sunde

Darren said:
I tried putting it on my website but it didn't solve the problem.
Only a jar, but that's not what you mean, is it?

No, I mean: at the top of your source-code file, is there a line like this:
package no.orion.crossdomain;
where 'no.orion.crossdomain' is the package name for my class.

When I refer to the class 'Crossdomain.class' in the applet or object
tag, I have to specify the package name as well, so the full name becomes:
'no.orion.crossdomain.Crossdomain.class'

Is that what the data and param name = "code" attributes are about?
I notice one is for IE; what does the FF mean on the other, and "mayscript" and
"scriptable"?

The double use of object here is a trick Chris Head made up, since it
is only IE that recognizes the 'classid=' attribute, so the other object
tag is for anything other than IE (Netscape, Opera, FF...).

But for your simple applet, you don't need the complexity of the object
tag, so you should stick with the applet tag.

If you want, I can make an applet for you, that takes a server name and
a file name as parameters, and sign it for you, just as a test.

So you can try to put it on your server to see if it is you that is doing
anything wrong, or if it is something with your environment...
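For the ClassNotFoundException earlier in the thread, the question Dag asks (is the class in a package?) can be answered by looking at the jar itself. This is an added example, not code from the thread or from any of the posters: it lists each class entry in a jar as the value the applet tag's `code=` attribute would need, and checks a given `code=` value against that list. The class name `AppletJarInspector` and the command-line usage are assumptions of the example; it needs a current JDK.

```java
// Added example, not code from the thread: prints what an applet jar really
// contains so the tag's code= attribute can be matched against it. A class
// stored as no/orion/crossdomain/CrossDomain.class lives in package
// no.orion.crossdomain and must be referenced as
// code="no.orion.crossdomain.CrossDomain" (the ".class" suffix is optional,
// the package prefix is not); a class stored at the jar root is referenced
// by its bare name. Assumed usage: java AppletJarInspector Helloserver.jar [codeAttr]
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class AppletJarInspector {

    /** Fully qualified names of all top-level classes in the jar, in jar order. */
    public static List<String> classNames(File jar) throws IOException {
        List<String> names = new ArrayList<>();
        try (JarFile jf = new JarFile(jar)) {
            Enumeration<JarEntry> en = jf.entries();
            while (en.hasMoreElements()) {
                String path = en.nextElement().getName();
                // skip inner classes (Foo$Bar.class); they are never the applet class
                if (path.endsWith(".class") && !path.contains("$")) {
                    names.add(path.substring(0, path.length() - ".class".length())
                                  .replace('/', '.'));
                }
            }
        }
        return names;
    }

    /** Normalises a code= value: strip an optional ".class", accept '/' for '.'. */
    public static String normaliseCodeAttr(String code) {
        String c = code.trim().replace('/', '.');
        return c.endsWith(".class") ? c.substring(0, c.length() - ".class".length()) : c;
    }

    public static void main(String[] args) throws IOException {
        File jar = new File(args[0]);
        try (JarFile jf = new JarFile(jar)) {
            // a jar without META-INF/MANIFEST.MF cannot carry a signature
            System.out.println("manifest present: " + (jf.getManifest() != null));
        }
        List<String> classes = classNames(jar);
        System.out.println("classes in " + jar.getName() + ":");
        for (String c : classes) {
            System.out.println("  code=\"" + c + "\"");
        }
        if (args.length > 1) {
            String wanted = normaliseCodeAttr(args[1]);
            if (classes.contains(wanted)) {
                System.out.println("OK: " + args[1] + " is in the jar");
            } else {
                System.out.println("NOT FOUND: " + args[1] + " (no entry "
                        + wanted.replace('.', '/') + ".class in the jar)");
            }
        }
    }
}
```

If the printed list shows the class under a path like `Helloserver/Helloserver.class` while the tag says `code="Helloserver.class"`, the two disagree and the applet loader will report the class as not found; either the jar was built from the wrong directory or the `code=` value is missing its package prefix.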
 
