×

Discussion Board

Page 1 of 2 12 LastLast
Results 1 to 15 of 19
  1. #1
    Registered User
    Join Date
    Mar 2003
    Posts
    15

    Question Signing with multiple certificates

    Hello everyone,

    A client I'm developing an application for has purchased 3 separate certificates for Java Application signing. One is Verisign, the second one is Thawte and the third one is the Symbian ACS certificate (which is not normally used for Java application signing but we noticed that the Nokia 9300 they were using in testing allowed Java installations signed with that cert).

    Anyway, we are trying to sign the application with all 3 keys, hoping that the phone will pick a certificate that it recognizes and verify it. I'm signing with Carbide.j 1.5. This is the resulting JAD:


    -----------------------------------------------------
    MIDlet-1: xxxxxx, /icon.png, xx.xx.xx.xxxxxxxxxxxxxx
    MIDlet-Jar-Size: 186279
    MIDlet-Jar-URL: xxxx.jar
    MIDlet-Name: xxxxxxxxxxxx
    MIDlet-Permissions: javax.microedition.io.Connector.file.read, javax.microedition.io.Connector.file.write, javax.microedition.io.Connector.http, javax.microedition.io.Connector.bluetooth.server, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.https
    MIDlet-Vendor: XXX xxxxxxxx
    MIDlet-Version: 0.70
    MicroEdition-Configuration: CLDC-1.1
    MicroEdition-Profile: MIDP-2.0
    MIDlet-Certificate-1-1: MIIExDCCA6ygAwIBAgIQP7Bd6NRU/ZNFJS/kgPrRDzANBgkqhkiG9w0BAQUFADCBt[...]spWucyhmTifu2+K+7MlgORwa4qTVB4UOz/VRLIgkHAVYFdP2xSdFSG1h07Hfedblmjq
    MIDlet-Certificate-1-2: MIIEvzCCBCigAwIBAgIQQZGhWjl4389JZWY4HUx1wjANBgkqhkiG9w0BAQUFADBf[...]4C6BzYCjbFJPkXVViroi8tLqQXWIL2NVfR5UWpVZytk0gcBfXvZ6tQ==
    MIDlet-Certificate-2-1: MIIDOzCCAqSgAwIBAgIQR67tFcyxZFS6NJ0v4o/LqDANBgkqhkiG9w0BAQUFADBV[...]dJBufhjxG6ztdl3adRmzwtHGENzeQVbLwMfM59gpbSRCV4uLJO0/HJ+kXA3Q+
    MIDlet-Certificate-2-2: MIIDTjCCAregAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBzjELMAkGA1UEBhMCWkEx[...]XV2ZjAe9N+Cii+986IMvx3bnxSimnI3TbB3SOhKPwnOVRks7+YHJOGv7A==
    MIDlet-Certificate-2-3: MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkE[...]UZa4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
    MIDlet-Certificate-3-1: MIIElzCCA3+gAwIBAgIQbx4GjZlPr2MZIwNmcI1YdDANBgkqhkiG9w0BAQUFADCBt[...]cihn41nf/EBnqRBQgMD/3iveRsexPepFZagb9zbxV/AjYfuqATG1JBbdR1jBl5d
    MIDlet-Certificate-3-3: MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAk[...]ufTqj/ZA1k
    MIDlet-Jar-RSA-SHA1: g20WU4AaUKAeAMeWruzxu4FmK2KDKYJbp4WMQbxQZp0bwEJiuNjQn1sLuSCC2ie[...]bR+tzNVpI/ZBme50Nklstyn95b0VvAJNNxiiBhK4tpA=
    -----------------------------------------------------------------

    Unfortunately it doesn't install on any of our test phones, it triggers a security warning and fails to install. Signing with one certificate works (e.g. Verisign or Thawte on other phones). But all the phones we tested seem to be very confused by the presence of multiple certificates.

    Is there any way to sign the application with more than one key and have the phone pick the one it knows about / trusts? Or does it have an "all or nothing" policy and tries to verify all 3 certificates (in which case it will fail in most cases).

    Any suggestions would be appreciated. Thank you!
    Razvan

    --
    Razvan Dragomirescu
    Chief Technology Officer
    Cayenne Graphics SRL

  2. #2
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    I do not think anyone tried so far – anyone else here? I am very interested in this topic, too. First of all, let use see what the MIDP 2 specification in Chapter 4.1.4.3 says about this topic:
    If multiple CA’s are used then all the signer certificates in the application descriptor MUST contain the same public key.
    I have not tested this yet, so I am not sure I understand this sentence. Does it make sense to you? Have you followed this rule?

    Additionally, first of all I would avoid using this Symbian OS certificate. Although it should not be a problem VeriSign+thawte should be enough. Or am I wrong in this topic? Actually, when everything works, you can even have a fourth an own self-signed certificate.

    If you have a Nokia S60 2nd Edition device around, try the self-signed certificate procedures presented here in Forum Nokia Discussions either with two self-signed CAs or with one self-signed CA and one known public key of your bought certificates.

    Please keep us updated. In future, please use the code tag here and do be so kind not to shorten certificate entries. Complete ones might help others, too.
    Last edited by traud; 2008-01-12 at 12:04.

  3. #3
    Registered User
    Join Date
    Dec 2006
    Posts
    5

    Re: Signing with multiple certificates

    Hello, I was curious if anyone had any luck with this? We are trying to do the same thing, currently we have been signing our midlet with a verisign certificate however, we have run into problems with these certs working on a t-mobile razr. The t-mobile razr was missing the root cert.

    Anyway, we purchased a thawte and cybertrust cert which we can get to work if sign the midlet with just that certificate. However, if we sign it with the verisign and thawte certificatethen it does not work. Does anyone know a way to sign it with both.

  4. #4
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Signing with multiple certificates

    Are your customers downloading the MIDlet from your web server? You could check the phone model and serve a correct JAD file based on the User Agent information.

    Hartti

  5. #5
    Registered User
    Join Date
    Dec 2006
    Posts
    5

    Re: Signing with multiple certificates

    Yes we are downloading from our site but I am hoping to avoid having to have a different build each phone. Correct me if I am wrong but when I sign a midlet both the .jar and the .jad are changed, correct? I assume this because when I sign it the size of the .jar is changed.

    We could use the user-agent and send them the right file if we knew the root certs that were on each phone, without having to test it. Is there a database somewhere that has this info? I haven't been even able to determine which certs are on my Nokia 6103.

    My hope was to sign the midlet with all the 3rd party certificates we could and hope that the phone would find one that it would work for. Is this just wishful thinking?

    Any help in this area would be much appreciated, it has been a frustrating process so far.

  6. #6
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Signing with multiple certificates

    "Correct me if I am wrong but when I sign a midlet both the .jar and the .jad are changed, correct?"

    Nope. Just the JAD file is changed (signing info is added).

    The other thing is that the 3rd party domain might not have enough access rights on phones from certain operators (like it seems to be the case with T-Mobile)

    Hartti

  7. #7
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Quote Originally Posted by jstreb
    we purchased a […] cybertrust cert
    Is this for code signing? Do you have a link? I am aware of VeriSign, thawte and Java Verified only.
    Last edited by traud; 2007-09-14 at 13:47.

  8. #8
    Registered User
    Join Date
    Jun 2007
    Posts
    1

    Re: Signing with multiple certificates

    Have you found any solution for the problem?
    We're currently facing the same dilema with no success.

    Quote Originally Posted by jstreb
    Hello, I was curious if anyone had any luck with this? We are trying to do the same thing, currently we have been signing our midlet with a verisign certificate however, we have run into problems with these certs working on a t-mobile razr. The t-mobile razr was missing the root cert.

    Anyway, we purchased a thawte and cybertrust cert which we can get to work if sign the midlet with just that certificate. However, if we sign it with the verisign and thawte certificatethen it does not work. Does anyone know a way to sign it with both.

  9. #9
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Signing with multiple certificates

    T-Mobile U.S. phones do not have trusted 3rd party domain at all (meaning also that there are no Verisign or Thawte certificates which could be used for signing). You need to contact T-Mobile U.S. for getting your MIDlet signed
    http://blogs.forum.nokia.com/view_entry.html?id=379

    Hartti

  10. #10
    Regular Contributor
    Join Date
    Mar 2006
    Posts
    124

    Re: Signing with multiple certificates

    MIDP 2 Spec
    Creating the Signing Certificate
    1. The signer will need to be aware of the authorization policy for the device and contact the appropriate
    certificate authority. For example, the signer may need to send its distinguished name (DN) and public key
    (normally, packaged in a certificate request) to a certificate authority.
    2. The CA creates a RSA X.509 (version 3) certificate and returns it to the signer.
    3. If multiple CA’s are used then all the signer certificates in the application descriptor MUST contain the
    same public key.
    Insert Certificates into the application descriptor
    1. The certificate path includes the signer certificate and any necessary certificates but omitting the root
    certificate. The root certificate will be found on the device.
    2. Each certificate in the path is encoded (using base64 but without line breaks) and inserted into the
    application descriptor as:
    MIDlet-Certificate-<n>-<m>: <base64 encoding of a certificate>
    <n>:= a number equal to 1 for first certification path in the descriptor or 1 greater than the previous number for
    additional certification paths. This defines the sequence in which the certificates are tested to see if the
    corresponding root certificate is on the device. See the Authenticating a MIDlet suite section below.
    <m>:= a number equal to 1 for the signer’s certificate in a certification path or 1 greater than the previous
    number for any subsequent intermediate certificates.
    Creating the RSA SHA-1 signature of the JAR
    1. The signature of the JAR is created with the signers private key according to the EMSA-PKCS1-v1_5
    encoding method of PKCS #1 version 2.0 standard[RFC2437].
    Protection Domain Root Certificate A certificate associated with a protection domain that the
    device implicitly trusts to verify and authorize downloaded
    MIDlet suites
    Trusted MIDlet Suites using X.509 PKI
    31
    2. The signature is base64 encoded, formatted as a single MIDlet-Jar-RSA-SHA1 attribute without line
    breaks and inserted in the application descriptor.
    MIDlet-Jar-RSA-SHA1: <base64 encoding of Jar signature>
    Razvan,
    Can u please post the whole JAD file ? Are there multiple MIDlet-Jar-RSA-SHA1 at the end or only one ? The spec above says Signature of the jar is created with the signer's private key - which means is there are multiple root CA signers, there should be multiple signatures ? - Apparently I have'nt tried it.


    Also the table on Page 31 says the way the signer should be verified:

    If result is
    More than one full certificate path established and validated
    Then action is
    Implementation proceeds with the signature verification
    using the first successfully verified certificate path is used
    for authentication and authorization.
    To me this sound like implementation should iterate thru different root signers.

    What you think ?

  11. #11
    Registered User
    Join Date
    Aug 2007
    Posts
    1

    Re: Signing with multiple certificates

    Hi Razvan,

    have you solved this issue? It would be of great help if you could post your solution. We just got send home by a MNO because they could not install our demo application.

    Thank you very much,
    munte

  12. #12
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105

    Lightbulb

    I created two custom certificate authorities and tested those on a Nokia 6680. However, you have to go for VeriSign and Thawte as certificate authorities. Consequently, the steps below are not checked in a real world example and could be wrong. The following assumes Microsoft Windows as operating system. If you find a bug or if you have (understanding) problems, please register at Forum Nokia and reply to this thread. Before asking, make sure to go through every link in this post because these contain a lot of background information.

    My solution is to use the same certification request (*.csr) for all CAs, create this CSR only once! The Nokia Guide shows an example in chapter 3.5.2 how to use Sun keytool. In your JAD, make sure MIDlet-Jar-URL property is a relative URL as some tools have problems with absolute (http:// in front) ones. Before you begin, create one copy of your JAD file for each certificate authority plus one more because every signing process will override the exiting file. Create a keystore and this CSR. If you want to sign with another authority in the future, make sure the your CSR is still valid, therefore double-check the default values of keytool.

    Sign the first copy of your JAD-file. This will be a self-created CA-certificate for development cycle. This can be used in the Nokia Series 40 platform SDKs and on real phones (only Nokia S60 2nd Edition and Nokia Series 80 2nd Edition).

    Make a backup-copy of the current keystore (‘ownCA.sks’) in the Explorer. Send the CSR to VeriSign and Thawte. After receiving the reply, import it into your keystore. Do not import all replies at once. Just start with the first one.

    Sign the second copy of your JAD-file. Then again make a backup-copy of the current keystore (‘verisign.sks’) in the Explorer.

    Import the second reply and sign the third copy of your JAD. After that, do not forget to create a backup-copy of your current keystore (‘thawte.sks’)

    Open all these JADs and check the MIDlet-Jar-RSA-SHA1 property. It has to be the same in all JADs. Then copy this property and each MIDlet-Certificate-1-1 to the initial JAD (the one without MIDlet-Jar-RSA-SHA1). Change the first ‘1’ (one) appropriately (1, 2, 3, …). Then copy each MIDlet-Certificate-1-2, however, only for those JADs which have a MIDlet-Certificate-1-3, too (do not include the root certificate itself). If you have done that, select ‘save as’ this JAD not to loose your unsigned JAD. This JAD should contain
    Code:
    rest of your JAD
    MIDlet-Certificate-1-1: your VeriSign certificate
    MIDlet-Certificate-1-2: 
    MIDlet-Certificate-1-3: 
    MIDlet-Certificate-2-1: your Thawte certificate
    MIDlet-Certificate-2-2: 
    MIDlet-Certificate-2-3: 
    MIDlet-Certificate-3-1: your self-signed certificate
    MIDlet-Jar-RSA-SHA1: …
    Install your MIDlet (JAR and this JAD) on your emulators and testing phones. If it fails, double-check common pitfalls…

    Is this the holy grail? Unfortunately, it is not as your signed MIDlet still fails to install when not one of these authorities is installed and enabled for application signing on your device. Additionally as per MIDP 2 specification, your are not allowed to enable user-installed certificates for application signing. To avoid this issue in the future, please, please do not forget to comment to MIDP 3…

    Bugs. For example my Nokia 6680 allows this procedure, even if one of the certificates is missing, even the order in the JAD is not important. However, on my Nokia 9300i the installation is very, very slow and fails with error 23 in the ChildInstaller and then with error 45 in the Installer (if MIDlet-Certificate-1-x does not chain up correctly?). Furthermore, there is a limit in the size of a JAD on some device. Use the above with care and test and test and test. If you have problems and avoided the common pitfalls, remove your self-signed certificate. If it still fails, remove the next certificate-chain and so on.

    Recommendation: Use Java Verified instead of VeriSign + thawte. The Ovi Store team will guide you through its process.
    Quote Originally Posted by drazvan View Post
    I'm signing with Carbide.j 1.5.
    Could you tell me, how you used it? I am not able to create a JAD containing several chains using the graphical signing tool of Nokia Carbide.j or Sun Wireless Toolkit. I have to use the JadTool.jar and tweak its chainnum argument.
    Code:
    $ java -jar JadTool.jar -addjarsig -jarfile myMIDlet.jar -inputjad myMIDlet.jad -outputjad myMIDletSigned.jad -alias mykey -keystore ownCA.sks
    $ java -jar JadTool.jar -addcert -inputjad myMIDletSigned.jad -outputjad myMIDletSigned.jad -alias mykey -keystore verisign.sks -chainnum 1
    $ java -jar JadTool.jar -addcert -inputjad myMIDletSigned.jad -outputjad myMIDletSigned.jad -alias mykey -keystore thawte.sks -chainnum 2
    $ java -jar JadTool.jar -addcert -inputjad myMIDletSigned.jad -outputjad myMIDletSigned.jad -alias mykey -keystore ownCA.sks -chainnum 3
    -alias, -storepass, -keypass, -jarfile, -inputjad and -outputjad must be changed for your environment.
    Quote Originally Posted by drazvan View Post
    all the phones we tested seem to be very confused by the presence of multiple certificates.
    Which phones have you tested? By the way, for those who want to test their target devices before buying a certificate (thawte, VerSign, Java Verified, dual, …), follow-up there …
    Last edited by traud; 2011-02-22 at 13:35.

  13. #13
    Regular Contributor
    Join Date
    Jan 2008
    Posts
    173

    Question Re: Signing with multiple certificates

    Quote Originally Posted by traud View Post
    Additionally as per MIDP 2 specification, your are not allowed to enable user-installed certificates for application signing.
    Where in MIDP 2.0 is that stated?

  14. #14

  15. #15
    Regular Contributor
    Join Date
    Jan 2008
    Posts
    173

    Re: Signing with multiple certificates

    traud: Yes! I found the statement on page 505 in the specification. Thanks.

Similar Threads

  1. Thawte code signing certificates unsupported on Nokia phones?
    By dfun in forum Mobile Java Networking & Messaging & Security
    Replies: 6
    Last Post: 2007-01-11, 02:42
  2. SOS: I continue having problems whith signing MIDlets in NOKIA 9500!
    By Summerman in forum Mobile Java Networking & Messaging & Security
    Replies: 6
    Last Post: 2006-05-24, 20:48
  3. code signing, a free and secure approach
    By dm8tbr in forum Mobile Java Networking & Messaging & Security
    Replies: 2
    Last Post: 2005-11-24, 13:13
  4. Signing problem with 6630 and jad file
    By panwoo in forum Mobile Java General
    Replies: 7
    Last Post: 2005-11-19, 14:57
  5. MIDlet Signing, Verisign root certificates
    By ugur_ozmen in forum Mobile Java General
    Replies: 0
    Last Post: 2005-07-26, 10:04

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
×