
Signing process in Java ME

Article Metadata
Created: senthilkumar05 (21 Dec 2007)
Last edited: hamishwillee (25 Jul 2013)

Signing Process:

The Java Verified™ Program is a standards-based application testing and signing program accepted by multiple operators and device manufacturers for third-party applications.


Private and Public Key: the Basics

• Private key is used to sign the application
• Public key is used to verify that the signature is authentic
  • Embedded in the phone by the manufacturer
  • “Root certificate”


Example:

JAD file

After signing the JAD file:

JAD file

MIDlet-Name: SigningDemo

MIDlet-Certificate-1-1: MIIE6DCCA9CgAwIBAgIQc0PNrxYODJ/WiFY14......

MIDlet-Certificate-1-2: VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1Bg....

MIDlet-Certificate-1-3: 5p/AfbdynMk2OmufTqj/ZA1k........

Installation time:
• Does the device have the corresponding root certificate?
• Is the information correct?
  • No: Installation fails
  • Yes: Installation succeeds



Digital Signatures and Domains
• Access restrictions in Java™ Platform, Micro Edition (Java ME platform) fall into domains
• A signed application installs to the domain which has the corresponding root certificate in the device
• The access restrictions on APIs and permission types vary between domains

• Unidentified 3rd party protection domain
• Identified 3rd party protection domain
• Operator domain
• Manufacturer domain

Permission Types
• Not allowed
• Ask every time
• Ask first time
• Always allowed

MIDP 2.0—Network Access
• Unidentified third-party protection domain = application is not signed
  • Not allowed, Ask every time, Ask first time
• Identified third-party protection domain = Java Verified Program signed application
  • Not allowed, Ask every time, Ask first time, Always allowed

Signing in Java Verified Program
• Done after the application has passed the testing
• GeoTrust CA for UTI
• Result:
  • The application cannot be altered
  • Application is installed to the Identified third-party protection domain of the device
• Better user experience:
  • The application is trusted by the device, no installation errors
  • The user has more options to control the application behaviour
• Access to certain APIs

Application Quality
• The test criteria cover the main considerations for mobile applications
  • Use them at the application specification phase
  • Use them at the application acceptance testing phase
• The criteria can easily be integrated into your application development process

Make sure the application works:
• Use it yourself!
• Get an independent test done (not by the coder)
• Exploit the available information
  • Your operator's/carrier's and manufacturer's developer programs and the tools they may provide

Why the Application Does Not Install?
• No “GeoTrust CA for UTI” in the certificate store: remove from JAD:
  • MIDlet-Certificate-1-1
  • MIDlet-Jar-RSA-SHA1
• “MIDlet-” attributes in the Java Application Descriptor (JAD) file must equal the “MIDlet-” attributes in the Java Archive (JAR) file manifest
  • Exceptions: MIDlet-Jar-Size and MIDlet-Jar-URL
• Are the MIDlet-Permissions correct?
• Date and Time settings on the device must fall within the certificate validity period
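
The JAD and manifest items of this checklist can be verified on the build machine before the suite is deployed. The following Python script is an added example, not part of the original article or of any Java Verified tooling; the function names and the sample JAD and manifest values are constructed for illustration.

```python
import re

# Attributes the checklist above allows to differ between JAD and manifest.
EXEMPT = {"MIDlet-Jar-Size", "MIDlet-Jar-URL"}

def parse_attributes(text):
    """Parse 'Name: value' lines; a leading space folds into the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]          # JAR manifest continuation line
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            attrs[last] = value.strip()
    return attrs

def check_suite(jad_text, manifest_text):
    """Return findings that would make installation of a signed suite fail."""
    jad, mf = parse_attributes(jad_text), parse_attributes(manifest_text)
    findings = []
    for name in sorted(set(jad) & set(mf)):
        if name.startswith("MIDlet-") and name not in EXEMPT and jad[name] != mf[name]:
            findings.append(f"mismatch: {name}")
    # Certificates of chain 1 must be numbered 1..m with no gap.
    idx = sorted(int(m.group(1)) for k in jad
                 if (m := re.fullmatch(r"MIDlet-Certificate-1-(\d+)", k)))
    if idx != list(range(1, len(idx) + 1)):
        findings.append("certificate chain 1 has a numbering gap")
    # A half-removed signature also fails: keep both attributes or neither.
    if bool(idx) != ("MIDlet-Jar-RSA-SHA1" in jad):
        findings.append("certificate and MIDlet-Jar-RSA-SHA1 must both be present or both removed")
    return findings

# Constructed sample input (placeholder values, not real certificates).
SAMPLE_JAD = """\
MIDlet-Name: SigningDemo
MIDlet-Version: 1.0.1
MIDlet-Vendor: Example Vendor
MIDlet-Jar-Size: 12345
MIDlet-Certificate-1-1: PLACEHOLDER_BASE64_CERT
MIDlet-Certificate-1-3: PLACEHOLDER_BASE64_CERT
"""
SAMPLE_MANIFEST = """\
MIDlet-Name: SigningDemo
MIDlet-Version: 1.0.0
MIDlet-Vendor: Example Ven
 dor
MIDlet-Jar-Size: 99999
"""
```

Calling check_suite(SAMPLE_JAD, SAMPLE_MANIFEST) reports the version mismatch, the gap in the certificate numbering and the missing MIDlet-Jar-RSA-SHA1; the differing MIDlet-Jar-Size is not reported because it is one of the two exceptions.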

This page was last modified on 25 July 2013, at 02:50.