Oracle® Java Micro Edition Software Development Kit Developer's Guide
Release 3.4 for Eclipse on Windows
This chapter describes how to sign MIDlets and work with MIDlet suite security. The Oracle Java ME SDK provides tools to sign MIDlet suites, manage keys, and manage root certificates.
MIDP 2.1 (JSR 118) includes a comprehensive security model based on protection domains. MIDlet suites are installed into a protection domain that determines access to protected functions. The MIDP 2.1 specification also includes a recommended practice for using public key cryptography to verify and authenticate MIDlet suites.
The general process to create a cryptographically signed MIDlet suite is as follows:
The MIDlet author, probably a software company, buys a signing key pair from a certificate authority (the CA).
The author signs the MIDlet suite with the signing key pair and distributes their certificate with the MIDlet suite.
When the MIDlet suite is installed on the emulator or on a device, the implementation verifies the author's certificate using its own copy of the CA's root certificate. Then it uses the author's certificate to verify the signature on the MIDlet suite.
After verification, the device or emulator installs the MIDlet suite into the security domain that is associated with the CA's root certificate.
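The sign-then-verify step of the process above, as an added example (not Oracle's code or the SDK's tooling): the author's private key signs the JAR bytes, the Base64 signature travels in the JAD under the MIDP attribute MIDlet-Jar-RSA-SHA1, and the installer re-checks it before choosing a domain. The class name, the in-memory 2048-bit key pair and the stand-in JAR bytes are constructed for illustration; on a device the public key comes from the author's certificate, which is first validated against the CA's root certificate, a step omitted here.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class JadSignatureDemo {
    // MIDP 2.x JAD attribute: Base64 of the RSA (PKCS#1 v1.5, SHA-1) signature over the JAR bytes.
    static final String SIG_ATTR = "MIDlet-Jar-RSA-SHA1";

    // Author side: sign the JAR bytes and store the signature in the descriptor.
    static void sign(Map<String, String> jad, byte[] jar, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(key);
        s.update(jar);
        jad.put(SIG_ATTR, Base64.getEncoder().encodeToString(s.sign()));
    }

    // Installer side: classify the suite as "unsigned", "valid" or "invalid".
    static String check(Map<String, String> jad, byte[] jar, PublicKey authorKey) throws GeneralSecurityException {
        String b64 = jad.get(SIG_ATTR);
        if (b64 == null) return "unsigned"; // no signature: the default security domain applies
        try {
            Signature s = Signature.getInstance("SHA1withRSA");
            s.initVerify(authorKey);
            s.update(jar);
            return s.verify(Base64.getDecoder().decode(b64)) ? "valid" : "invalid";
        } catch (SignatureException | IllegalArgumentException e) {
            return "invalid"; // malformed Base64 or malformed signature encoding
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair author = gen.generateKeyPair(); // constructed test key, held in memory only
        byte[] jar = "constructed stand-in for JAR bytes".getBytes(StandardCharsets.UTF_8);
        Map<String, String> jad = new LinkedHashMap<>();
        jad.put("MIDlet-Name", "Demo"); // constructed descriptor entry
        System.out.println("before signing: " + check(jad, jar, author.getPublic()));
        sign(jad, jar, author.getPrivate());
        System.out.println("after signing:  " + check(jad, jar, author.getPublic()));
        jar[0] ^= 0x01; // flip one bit, as a modified download would
        System.out.println("after tamper:   " + check(jad, jar, author.getPublic()));
    }
}
```

Because the signature covers the JAR bytes, any repackaging after signing makes the check fail, so sign only the final build.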
For definitive information, consult the MIDP 2.1 specification:
The SDK supports the following security domains:
minimum. All permissions are denied to MIDlets in this domain.
maximum. All permissions are granted to MIDlets in this domain. Maximum is the default setting.
unidentified_third_party. Provides a high level of security for applications whose origins and authenticity cannot be determined. The user is prompted frequently when the application attempts a sensitive operation.
identified_third_party. Intended for MIDlets whose origins were determined using cryptographic certificates. Permissions are not granted automatically, but the user is prompted less often than for the
operator. All permissions are denied to MIDlets in this domain.
manufacturer. Intended for MIDlet suites whose credentials originate from the manufacturer's root certificate.
In the SDK, when you use Run Project via OTA your packaged MIDlet suite is installed directly into the emulator where it is placed in a security domain. The emulator uses public key cryptography to determine the appropriate security domain.
If the MIDlet or MIDlet suite is not signed, it is placed in the default security domain.
If the MIDlet or MIDlet suite is signed, it is placed in the protection domain that is associated with the root certificate of the signing key's certificate chain. See "Signing a Project" and "Signing a Project With a Key Pair."
If your project is a MIDlet suite, the entire suite is signed (the individual MIDlets contained within are not).
Follow these steps to specify the security domain for an emulated device.
Select the device in the device selector.
In the Properties Window, expand the General properties, and for the Security Domain option, select a domain from the dropdown list.
Follow these steps to set a MIDlet Suite's security domain at runtime.
Right-click the package and select Run As > Run Configurations... from the context menu.
Select the project's JAD file, then select the Emulation tab.
Specify the device and the security domain, and click Run.
You can also sign your MIDlet or IMlet with JADtool (see "Sign MIDlet Suites (jadtool)").
Devices use signing information to check an application's source and validity before allowing it to access protected APIs. For test purposes, you can create a signing key pair to sign an application. A key pair consists of the following:
A private key that is used to create a digital signature, or certificate.
A public key that anyone can use to verify the authenticity of the digital signature.
You can create a key pair as described in "Managing Keystores and Key Pairs."
Follow these steps to sign a Java ME package in Eclipse.
In the Package view right-click on a package and select Properties to open the Properties dialog.
In the Java ME category, select Signing. For help with this page, view the following help topic: Java ME Development User Guide > Reference > Property Pages > Java ME.
Click Enable project specific settings. Specify a keystore and a password option.
To obfuscate code, see "Obfuscating."
The Oracle Java ME SDK command line tools described in "Manage Certificates (MEKeyTool)" manage an emulator's list of root certificates.
Oracle Java ME SDK ships a default keystore named _main.ks in installdir\runtimes\cldc-hi\appdb. This keystore is automatically copied from your installation's default location to each instance of the default devices (the emulators). These instances are typically stored in:
External devices have similar lists of root certificates, although you typically cannot modify them. When you deploy your application on an external device, you must use signing keys issued by a certificate authority whose root certificate is present on the device. This makes it possible for the device to verify your application.
In Eclipse you can also use MTJ utilities to manage keystores as described in "Signing a Project With a Key Pair." You can also use the -import option to import certificates from these keystores as described in "Manage Certificates (MEKeyTool)."
This section is a summary of command line samples for keystore and certificate tasks. To find information on keytool, see:
These samples show literal paths on a sample system. You can replace the paths and options as you see fit. These samples contain line feeds to accommodate the book format. In practice the commands should be entered on a single line.
Generate a keypair.
As mentioned in "Managing Keystores and Key Pairs," Java ME includes a default keystore used for the emulators. For test purposes you can also make your own keypair containing a new keystore and a certificate. For example:
"C:\Program Files\Java\jdk1.6.0_35\bin\keytool" -genkeypair -alias mykp -keyalg RSA -keysize 1024 -validity 365 -dname "cn=dlp, L=Santa Clara, S=CA" -keypass 123456 -keystore D:/temp/mykeystore.ks -storepass 654321
List the keypair.
"C:\Program Files\Java\jdk1.7.0_13\bin\keytool" -list -alias mykp -keystore mykeystore.ks -storepass 654321
Export a certificate to a file.
"C:\Program Files\Java\jdk1.7.0_13\bin\keytool" -exportcert -alias mykp -keystore mykeystore.ks -storepass 654321 -file d:\temp\mykpcert
Print the certificate file.
"C:\Program Files\Java\jdk1.7.0_13\bin\keytool" -printcert -file d:\temp\mykpcert
Import the keystore (including your certificate) into the default keystore.
For a description of MEKeyTool, see "Manage Certificates (MEKeyTool)." In this example mekeytool is launched from the Oracle Java ME SDK installation
mekeytool -import -alias mykp -keystore D:\temp\mykeystore.ks -MEkeystore D:\temp\_main.ks -storepass 654321