Discussion Board

  1. #1
    Registered User
    Join Date
    Dec 2006
    Posts
    13

    Midlet signing process

    Can anyone give an official midlet signing process? My understanding is that:
    1. submitting CSR to CA
    2. receive certificate from CA
    3. sign the midlet
    Done.

    I also heard that after Step 3, I need to submit the signed midlet to a third party for counter signing, just like Symbian signing. Is this true? Thanks a lot.

  2. #2
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Midlet signing process

    You go and buy the certificate from a CA and then use it for signing your midlets, as you describe.
    You might have heard about the Java Verified process, in which you submit your midlet to testing and, after it passes, it gets signed with a UTI/Java Verified certificate. Those midlets are placed in the same trusted 3rd party domain as the midlets signed with code signing certificates. Some distributors require this before they agree to distribute the MIDlet.
    For more info
    http://www.javaverified.com

    Hartti

  3. #3
    Registered User
    Join Date
    Nov 2006
    Posts
    14

    Re: Midlet signing process

    During the Java Verified process do we have to actually pay the tester?
    I don't want to sell my application, I want it to be free and not charge people for using it.

  4. #4
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Then either go for no signing at all or go for VeriSign+thawte.

  5. #5
    Registered User
    Join Date
    Nov 2006
    Posts
    14

    Re: Midlet signing process

    I'd rather go for deep hacking into the phone's firmware or throw my 6233 out the window than pay for this. For God's sake, programming in Java is totally free, you don't need to pay anything to use the whole Java API, without security pop-ups.

    And I don't think that the phone's Certificates List is closed. I have an original non-branded Nokia 6233, with a list of 17 authority certificates preinstalled, and I can delete at least 5 of them. Now, if the list is supposed to be closed, why does the phone allow you to delete them (resulting in a modified list)? (Because it is not closed!!!)

    Have you heard of DoJa phones??? Well, DoJa is Java Made in Japan (SE K610im, very nice DoJa phone). Everything in a DoJa phone is hooked up: the browser, the music player, the virtual machine, the user settings, and you have full access to the phone's security. Why can't it be like this with Java phones???

    I mean, if the user wants to use a particular certificate (assuming his own risk), why can't he do so??? (like on a usual computer)

  6. #6
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Midlet signing process

    Thanks for your feedback pig30n! This security related behavior is specified in the MIDP security policy recommendation, so the best way to make any changes in this in the future is to provide these comments to the MIDP3 working group (http://jcp.org).

    About the certificate list being closed:
    MIDP security policy states that one should not be able to install midlet signing certificates on the device after manufacturing. Also, it is possible to remove certificates as you mentioned, however adding new ones is impossible.

    best regards,
    Hartti

  7. #7
    Registered User
    Join Date
    Nov 2006
    Posts
    14

    Re: Midlet signing process

    I must disagree with your statement! The list of authority certificates is not closed!!!
    I have just uploaded my own certificate, generated with OpenSSL (with RSA MD5 algorithm on 1024 bytes), to my site, downloaded it OTA and installed it successfully on my 6233 (firmware 4.91, Non Branded EURO-B Classic Black).

    If you don't believe me, I can give you the link and you can install it yourself.
    Here are some sample photos...

    The list:
    http://aycu38.webshots.com/image/943...5312586_rs.jpg

    My actual certificate:
    http://aycu12.webshots.com/image/841...6199632_rs.jpg

    PS: If you wonder why the name of the certificate is "Razvan", it is because Razvan is my name :P.
    The certificate is valid from yesterday (14 Dec) for 7300 days = 20 x 365 days.

    Best Regards!
    Last edited by pig30n; 2006-12-15 at 23:50.

  8. #8
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Midlet signing process

    When you select Options->Select Use for your certificate, can you change the application signing on?

    Hartti

  9. #9
    Registered User
    Join Date
    Nov 2006
    Posts
    14

    Re: Midlet signing process

    Yes!

    Only if the Signature Algorithm for the certificate is SH1RSA.
    It doesn't work if you use MD5RSA (only Cross-certification and Server authentication available).
    Probably the phone doesn't support MD5 certificates for application signing.
    The funny thing is that all certificates used to sign applications (Thawte, VeriSign, UTI, Nokia Content Signing for ex.) use sh1.
    You can see the public key in the "Nokia Content Signing" certificate by downloading Snake III or Rally 3D from the Nokia site and opening the JAD file.
    And guess what? It's generated with sh1 :P. Those games are signed by Nokia because they use Bluetooth for multiplayer, and they shouldn't bother the gamer with security questions.

    Anyway, the important thing is that there is a new certificate in that list.
    I have used this blog to achieve this.
    http://browndrf.blogspot.com/2006/06...ed-midlet.html
    Last edited by pig30n; 2006-12-15 at 23:55.

  10. #10
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Midlet signing process

    I stand corrected.
    Have you also installed a midlet signed with the corresponding key?

    Curious to know: what changes did you make to browndrf's procedure?

    Hartti

  11. #11
    Registered User
    Join Date
    Nov 2006
    Posts
    14

    Re: Midlet signing process

    Hi.

    I do encounter a problem signing the MIDlet, it says that the "public key in reply and keystore does not match". I think there is a problem when merging the leaf with the root certificate, using Internet Explorer. I will try other software and as soon as I solve the problem I will let everybody know.

    The procedure is basically the same, just one little modification in the cer file generation command line, to generate using sh1. (By default it generates md5, which is better than sh1, because the best computer in the world will take ~ 100 years to find the private key, and it is useless to do that when the certificate is only valid for 20-30 years :P )

    But until Tuesday I will put "on hold" this research, in order to study for a faculty exam (Electronical Measurements).

    Have a nice day!
    Last edited by pig30n; 2006-12-15 at 23:52.
    There are 10 kinds of people. Those who understand binaries, and those who don't!

  12. #12
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Quote Originally Posted by pig30n
    all certificates used to sign applications (Thawte, VeriSign, UTI, Nokia Content Signing for ex.) use SHA-1.
    Although Java Verified, Nokia and Sony Ericsson use SHA-1, VeriSign uses MD2 and thawte uses MD5 for their roots. I cannot follow you on this point. Please explain in more detail. Yes, the hash over your JAR is in SHA-1 as per MIDP 2.0 specification.

    Quote Originally Posted by pig30n
    Only if the Signature Algorithm for the certificate is SH1RSA.
    It doesn't work if you use MD5RSA (only Cross-certification and Server authentication available).
    I cannot confirm this on my Nokia Series 40 3rd Edition device (Nokia 6270). We would have to check whether this is a Feature Pack 1 issue (Nokia 6233) or something special about your firmware. By the way, does this firmware version make a Nokia 6233 a Feature Pack 2 device, as it has the A2DP Bluetooth profile for stereo music now? I never understood the feature pack versions for Nokia Series 40.

    Quote Originally Posted by hartti
    what changes did you make to browndrf's procedure?
    You add -sh1 to the parameter list of the openssl req command.

    Quote Originally Posted by pig30n
    until Tuesday I will put "on hold" this research
    Please, give us a hyperlink to your certificate in the meantime or please give us your terminal commands, so we can follow the first step, the installation of the certificate.

    Quote Originally Posted by pig30n
    if the user wants to use a particular certificate (assuming his own risk), why can't he do so?
    This is a recurring question which is theoretic, as nothing can be done anymore except to inform the MIDP 3.0 JSR team not to introduce the same issue. Please, file a comment there…

    Quote Originally Posted by pig30n
    I don't think that the phone's Certificates List is closed.
    For code signing certificates this list is closed, as no new certificates can be added. However, you are able to delete certificates (that is a user interface bug from my point of view) and you are able to add certificates for TLS/SSL.

    Quote Originally Posted by pig30n
    I'd rather … throw my 6233 out the window than pay for this.
    First open that window, please.

    Do not get me wrong. I would love to believe you and love to see an („easy“) solution like this to use my own certificate for code signing, as I neither like nor understand the current situation either. Nevertheless, I only believe this when I see it myself. The pictures above are no proof. Please make a screenshot of the permission list:
    Nokia > Menu > Settings > Security > Authority certificates > Certificate list > Razvan > Options > Select use > Applications signing.
    In the meantime, in the Nokia Series 40 Platform SDKs you are able to use and test these signing procedures, too, as those allow self-signed root certificates.
    Last edited by traud; 2006-12-17 at 16:05.
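
As an added example that is not part of any post in this thread: Python code that reads the MIDlet-Certificate-<n>-<m> attributes of a JAD file and reports each certificate's signature algorithm, which is the MD2/MD5/SHA-1 question raised in posts #9 and #12. The sample JAD and its DER skeletons are constructed for illustration and are not real certificates; all function names are this example's own.

```python
import base64

# Signature-algorithm OIDs for the algorithms named in the thread (PKCS #1 arc).
PKCS1 = "1.2.840.113549.1.1."
SIG_ALGS = {PKCS1 + "2": "md2WithRSAEncryption", PKCS1 + "4": "md5WithRSAEncryption",
            PKCS1 + "5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    # First byte packs the first two arcs (sufficient for first arcs 0 and 1).
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def cert_sig_alg(der):
    tag, cert, _ = read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # outer signatureAlgorithm
    oid_tag, oid, _ = read_tlv(alg, 0)   # its first element is the OID
    if (tag, oid_tag) != (0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)  # fall back to the dotted OID

def jad_cert_algs(jad_text):
    """Map each MIDlet-Certificate-<n>-<m> attribute to its signature algorithm."""
    out = {}
    for line in jad_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().startswith("MIDlet-Certificate-"):
            out[key.strip()] = cert_sig_alg(base64.b64decode(value.strip()))
    return out

def skeleton(last):  # constructed sample: DER skeleton with an empty tbsCertificate
    alg = bytes.fromhex("300d06092a864886f70d0101") + last + b"\x05\x00"
    return base64.b64encode(b"\x30\x14\x30\x00" + alg + b"\x03\x01\x00").decode()

SAMPLE_JAD = ("MIDlet-Name: Demo\nMIDlet-Certificate-1-1: " + skeleton(b"\x05")
              + "\nMIDlet-Certificate-1-2: " + skeleton(b"\x04") + "\n")
```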

  13. #13
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Quote Originally Posted by traud
    We would have to check whether this is a Feature Pack 1 issue
    Nokia 6233/04.52: My RSA SHA-1 root certificate is not allowed for application signing.
    Quote Originally Posted by traud
    or something special about your firmware.
    Nokia 6233/04.91: My RSA SHA-1 root certificate is not allowed for application signing. I tried with 1 KBit, 2 KBit and 4 KBit key lengths.

    pig30n, please give us more details.

  14. #14
    Registered User
    Join Date
    Feb 2005
    Posts
    10

    verisign class 3 NOKIA problem

    Hi Everybody,

    I got a certificate from VeriSign Class 3 (I think it is RSA with SHA algorithm), signed the application and then installed it on Sony Ericsson phones; it worked fine and didn't ask any questions for PIM.

    Now the problem is that when I tried it with Nokia phones (models 6681, N70), the midlet signed properly and installed on the phone with no error. After that I set the permission "always allowed" for read user data and edit user data.
    But when the application tries to edit or read the PIM data it asks questions every time.

    So please clarify this for me.
    1) Are the VeriSign certificates working for Nokia phones???
    2) If yes, then what root certificate is required to sign the midlet???
    3) My midlet is signed with the RSA-SHA algorithm, but on the phone, when I checked the VeriSign Class 3, it has used the RSAMD2 algorithm. Is it going to create a problem while accessing the security APIs???

    Please help me

  15. #15
    Regular Contributor
    Join Date
    Dec 2004
    Posts
    231

    Re: Midlet signing process

    Hei Kirtimisha,
    in http://discussion.forum.nokia.com/fo...ad.php?t=97890
    I said I had the same problem.
    Solved by upgrading the firmware of my phone!
    I hope it is the same for you.
    PS: why didn't you start a new thread?

    bye
