14 Security and IMlet Signing

This chapter describes how the security architecture is organized in Oracle Java ME SDK 8.

Applications are installed, run, closed, and restarted according to the IMlet life cycle described in the Java ME Embedded Profile specification. You can find the specification in the meep-8.0.zip file located under docs\api in the Java ME SDK installation directory. The default location is C:\Java_ME_platform_SDK_8.0\docs\api\meep-8.0.zip

In particular, the following chapters in the specification are the most relevant for understanding the security model:

Security for Applications
Security Authentication Providers
Security Policy Providers

The following is the general process for creating a cryptographically signed IMlet suite:

The IMlet author, probably a software company, buys a signing key pair from a certificate authority (CA).
The author signs the IMlet suite with the signing key pair and distributes the company's certificate with the IMlet suite.
When the IMlet suite is installed on the emulator or on a device, the implementation verifies the author's certificate using its own copy of the CA's root certificate. Then the implementation uses the author's certificate to verify the signature on the IMlet suite.
After verification, the device or emulator assigns the IMlet suite to one of the clients defined by the security policy. The default authentication scheme (X.509-based certificate) uses the certificate DN to determine to which client an application must be bound.

Security Policy Provider Clients

Oracle Java ME SDK 8 supports the following clients by default:

Signed: An example client with all permissions granted.
untrusted: Defines the security policy for untrusted applications. According to the X.509 authentication scheme, unsigned applications are bound to the untrusted client.

Configuring the Security Policy

To configure the security policy for a device, right-click the device in the Device Selector and select Security Configuration. Figure 14-1 shows the Security Configuration window.

Figure 14-1 The Security Configuration Window

Description of "Figure 14-1 The Security Configuration Window"

The options in the Security Providers group at the top of the Security Configuration window can be used if you want to specify a custom security provider implementation JAR file, and class names of your custom authentication provider and security policy provider. For information about creating custom providers, see Chapter 15, "Custom Security Policy and Authentication Providers".

To add a client, click Add under the Clients list, specify a name and click OK. To remove a client, select it in the list and click Remove.

When you select a client from the list, you can add, edit, and remove permissions and certificates for the selected client.

To add a permission, select the necessary client, and click Add under the Permissions list. Then select the permission from the list, specify the name of the protected resource (you can use wildcards) and the requested actions separated by commas (for example, read,write), and click OK. To edit a permission, select it from the list of permissions, and click Edit under the Permissions list. To remove a permission, select it in the list, and click Remove.

To add a certificate, select the necessary client, and click Add under the Certificates list. Then select the certificate from the list of available certificates and click OK. To remove a certificate, select it in the list, and click Remove.

Signing a Project

Devices use signing information to verify an application's source and validity before allowing it to access protected APIs.

Oracle Java ME SDK 8 provides a default built-in keystore, but you can also create any number of key pairs using the Keystores Manager as described in Managing Keystores and Key Pairs.

The key pair consists of the following keys:

A private key that is used to create a digital signature.
A public key that anyone can use to verify the authenticity of the digital signature.

To sign a project with a key pair:

Right-click a project and select Properties.
In the Signing category, select Sign JAR.
Select an existing keystore or click Open Keystores Manager to create another keystore. For information about managing keystores, see Managing Keystores and Key Pairs.
Select a key pair alias.

A keystore might be accessed by several key pairs, each with a different alias. If you prefer to use a unique key pair, click Open Keystores Manager and create a new key pair.

The Certificate Details area displays the subject, issuer, and validity dates for the selected keystore.
Click OK.

It is also necessary to export the certificate to the device. For more information, see Managing Root Certificates.

Managing Keystores and Key Pairs

For test purposes, you can create a signing key pair to sign an IMlet. The Keystores Manager administers this task. The keystores known to the Keystores Manager are listed when you sign a project.

To deploy an IMlet on a device, you must obtain a signing key pair from a certificate authority recognized by the device. You can also import keys from an existing Java SE platform keystore.

To create a keystore:

Open the Tools menu and select Keystore Management.
Click Add Keystore.
Select Create a New Keystore and specify a name, location, and password.
Click OK.

To add an existing keystore:

Open the Tools menu and select Keystore Management.
Click Add Keystore.
Select Add Existing Keystore and specify the path to the keystore file. The default location for user-defined keystores is the user's folder under C:\Users.
Click OK.

You might have to unlock this keystore and each key pair within it.

To create a new key pair:

Open the Tools menu and select Keystore Management.
Select a keystore.

Note:

You cannot create key pairs in the default built-in keystore.
Click New.
Specify an alias used to refer to this key pair and at least one field under Certificate Details. Optionally, you can also provide a password.
Click OK.

To remove a key pair, select it in the list and click Delete.

Managing Root Certificates

The Oracle Java ME SDK 8 command-line tools manage the emulator's list of root certificates.

External devices have similar lists of root certificates. When you deploy your application on an external device, you must use signing keys issued by a certificate authority whose root certificate is on the device. This makes it possible for the device to verify your application.

Each emulator instance has its own keystore. The keystore file is named _main.ks and located under appdb\certs in the device's configuration directory. For example, the default keystore for EmbeddedDevice1 is userdir\javame-sdk\8.0\work\EmbeddedDevice1\appdb\certs\_main.ks

You can use the -import option to import certificates from these keystores as described in Manage Certificates (mekeytool).

To export a certificate to an emulated device:

Open the Tools menu and select Keystore Management.
Select a keystore, and then select a key.
Click Export.
Select and emulator and a certificate, and click Export.

Note:

Before exporting, you can modify the list of registered keys by selecting any key and clicking Delete Key to delete it from the list.
Click Close when you are done.

Command-Line Security Features

The full spectrum of the Oracle Java ME SDK 8 security features are also available from the command line. You can adjust the emulator's default protection domain, sign IMlet suites, and manage certificates.

Sign IMlet Suites (jadtool)

jadtool is a command-line interface for signing IMlet suites using public key cryptography according to the MEEP specification. Signing an IMlet suite is the process of adding the signer certificates and the digital signature of the JAR file to a JAD file. jadtool is also capable of signing payment update (JPP) files.

jadtool only uses certificates and keys from Java ME platform keystores. Java SE software provides keytool, the command-line tool to manage Java SE platform keystores.

jadtool.exe is located under bin in the Java ME SDK installation directory.

The following options can be used with the jadtool command:

-help

Prints usage instructions for jadtool.

-addcert

Adds the certificate of the key pair from the given keystore to the JAD file or JPP file. This option has the following syntax:

-addcert -alias <key_alias> [-storepass <password>] [-keystore <keystore>] [-certnum <number>] [-chainnum <number>] [-encoding <encoding>] -inputjad <filename> -outputjad <filename>

-addjarsig

Adds a digital signature of the input JPP file to the specified output JPP file. This option has the following syntax:

-addjarsig [-jarfile <filename>] -keypass <password> -alias <key_alias> -storepass <password> [-keystore <keystore>] [-chainnum <number>] [-encoding <encoding>] -inputjad <filename> -outputjad <filename>

-showcert

Displays information about certificates in JAD files. This option has the following syntax:

-showcert [[-certnum <number>] [-chainnum <number>] | [-all]] [-encoding <encoding>] -inputjad <filename>

Manage Certificates (mekeytool)

mekeytool manages the public keys of certificate authorities (CAs). It is functionally similar to the keytool utility that comes with the Java SE Development Kit (JDK). The purpose of the public keys is to facilitate secure HTTP communication over SSL (HTTPS).

Before using mekeytool, you must have access to a Java Cryptography Extension keystore. You can create one using the Java SE keytool utility (found in the bin directory under the JDK installation location).

Oracle Java ME SDK 8 provides a default Java ME keystore, which is located in the Java ME SDK installation directory under runtimes\cldc-hi\appdb\certs. This keystore contains an index file named _main.ks and a set of certificate files.

Each emulator instance has its own keystore located in the device folder, for example: userdir\javame-sdk\8.0\work\EmbeddedDevice1\appdb\certs. If you do not specify a value for -keystore, the default keystore is used.

The -Xdevice option can be used with any command to run it on the specified device. Note that not every device supports all of the mekeytool commands. Specify the device name after a colon. For example, to list the keys in the keystore of EmbeddedDevice1, run the following command:

> mekeytool.exe -Xdevice:EmbeddedDevice1 -list

The following commands can be used with the mekeytool utility:

-help

Prints usage instructions for mekeytool.

-import

Imports a public key from the source keystore to the device's keystore. This command has the following syntax:

-import [-keystore <filename>] [-storepass <password>] [-keypass <password>] [-alias <key_alias>]

Option	Description	Default
`-keystore`	Path to the JCA keystore file or file that contains the certificate	`%HOME%\.keystore.ks`
`-storepass`	Password to unlock the input JCA keystore	N/A
`-keypass`	Private key password for the JKS or PKCS12 keystore	N/A
`-alias`	The key pair alias in the input JCA keystore	N/A

-list

Lists the keys in the Java ME keystore, including the owner and validity period for each.

-delete

Deletes a key from the given Java ME keystore with the given owner. This command has the following syntax:

-delete {-owner <owner> | -number <number>}

Option	Description	Default
`-number`	The key number in the keystore. Keys are numbered starting from 1. To view the key number, use the `-list` option.	N/A
`-owner`	The key owner.	N/A

-export

Exports the key from the keystore. This command has the following syntax:

-export -number <number> -out <filename>

Option	Description	Default
`-number`	The key number in the keystore. Keys are numbered starting from 1. To view the key number, use the `-list` option.	N/A
`-out`	Name of the output file.	N/A