
Java™ ME Signing Guidelines

VERSION 7

Created on: Mar 14, 2008 1:28 PM by Sony Ericsson Developer Support - Last Modified:  Jul 17, 2009 8:42 AM by Sony Ericsson Developer Support

This article describes how Java™ ME MIDlets can be signed for Sony Ericsson mobile phones, which certificates to use and how to avoid the common pitfalls.

 

Background

Commonly Java ME application signing is used just to remove the system prompts shown to the user when the application accesses protected APIs such as the Internet, the file system or the camera. Signing does achieve this, but it is not only about a better user experience and usability of the application; it is also about security and credibility.

Signing keeps the integrity of the application:

Developer - Knows that no one can make any change to the application without breaking the signature in the JAD file.

Sales channel - Can trust the submitted content and knows that it is the original content distributed by the developer.

Customer - The user can see that the application is signed and which company signed it, which brings credibility.

Certificates

When a MIDlet is signed, the signing certificate must chain to one of the Java root certificates present in the Sony Ericsson phones. It is not possible to install a self-made root certificate.

On Sony Ericsson phones the most common third-party root certificates to sign against are:

  • GeoTrust CA for UTI

  • Thawte Premium Server CA

  • VeriSign Class 3

Note that the only one guaranteed to be available in all Sony Ericsson MIDP2 phones is the GeoTrust CA for UTI certificate; this is the certificate used by Java Verified™.

In all Sony Ericsson phones it is possible to see which Java root certificates are available, commonly in the Security -> Certificates menu.

Certificate life span

A Thawte or VeriSign certificate is commonly purchased with a validity period of 1-3 years. When using Java Verified the certificate signature will be valid for 10 years.

This has made the Thawte and VeriSign certificates popular for signing during the development process.

It is important to know that the signature on the application has the same expiration date as the certificate the application was signed with. Once the certificate has expired it will no longer be possible to install the application. The expiration date is only checked at install time, so an already installed application will not expire.

Java Verified

Java Verified is an industry-driven testing and signing program supported by Sony Ericsson.

Using Java Verified the application will go through testing, and if the testing is successful the MIDlet will be signed with the UTI certificate. The UTI certificate is the only certificate for Java ME applications available in all Sony Ericsson phones.

Test labs used in the Java Verified program are:

  1. Babel Media

  2. NSTL

  3. RelQ

  4. Sogeti

Applications certified through the Java Verified program are eligible to use the Java Powered logo.

Read more here >>> http://developer.sonyericsson.com/javaverified

Register and submit an application for testing here >>> http://www.javaverified.com/

Certificate Authority (CA)

A certificate authority is the legal entity managing root certificates. Before purchasing a code signing certificate from a CA, make sure the corresponding root certificate is available in the phone.

VeriSign

http://www.verisign.com/

Thawte

http://www.thawte.com/

Tools

keytool.exe

The keytool is a command-line tool used to manage keystores. The keystore is used to sign the MIDlet.

The keytool is included in the Java SE Development Kit, for example in
Program Files\Java\jdk1.6.0_02\bin

  • With the tool a private and public key pair can be created.

  • The certificate request (.cer) sent to the CA when requesting the certificate can be created.

  • It is used to import certificates into the keystore.

Sign MIDlet utility

In the Sony Ericsson WTK the Sign MIDlet tool is used to manage keystores and sign MIDlets.

  • New Key Pair - Create a new private and public key in the keystore used by the tool.

  • Generate CSR - Create the certificate request sent to the CA when requesting the certificate.

  • Import Certificate - Import the certificate received from the CA into the keystore.

  • Sign MIDlet Suite - After the certificate is imported the MIDlet can be signed.

Acquire a code signing certificate - An example

1) Use the keytool.exe or the Sign MIDlet Suite tool to generate a new private and public key pair.

keytool -genkey -alias mykey -keyalg RSA -keystore mykeystore.sks

Note: only registered companies can request certificates, so make sure to write the full company name in the Organization field.

The third-party security domain should be used.

2) Create the certificate request.

keytool -certreq -alias mykey -keystore mykeystore.sks -file mykey.csr

3) Select a Certificate Authority.

VeriSign: http://www.verisign.com/

Thawte: http://www.thawte.com/

The UTI certificate is only available through Java Verified.

Find where to apply for a Java code signing certificate. During the registration process the certificate request should be submitted; it looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIB0jCCATsCAQAwgZExCzAJBgNVBAYTAlNFMQ8wDQYDVQQIEwZTd2VkZW4xDjAMBgNVBAcTBUtp
c3RhMS8wLQYDVQQKEyZTb255IEVyaWNzc29uIE1vYmlsZSBDb21tdW5pY2F0aW9ucyBBQjEYMBYG......................................n
-----END NEW CERTIFICATE REQUEST-----

4) Once the certificate request has been approved by the CA the certificate will be available for download. The certificate should be downloaded in PKCS #7 format. It can be saved using Notepad and stored as mycert.txt:

-----BEGIN PKCS #7 SIGNED DATA-----
DjAMBgNVBAcTBUtp
c3RhMS8wLQYDVQQKEyZTb255IEVyaWNzc29uIE1vYmlsZSBDb21tdW5pY2F0aW9ucyBBQjEYMBYG......................................n
-----END PKCS #7 SIGNED DATA-----

5) Import the certificate into the keystore that holds the key pair (the same keystore and alias that were used for the certificate request).

keytool -import -file mycert.txt -alias mykey -keystore mykeystore.sks

If the key pair is located in another keystore, the keys can be imported into the keystore used by the Sign MIDlet Utility by selecting the Import Key Pair button. This is useful if the key pair was created with the keytool but the Sign MIDlet Utility is used to sign the MIDlet.

6) Once the key pair and the certificate are located in the keystore, the keystore can be used to sign a MIDlet suite.

IMPORTANT - Before signing the MIDlet make sure to add the appropriate permissions to the JAD file and the MANIFEST file.

Use the Sign MIDlet Utility simply by pressing the Sign MIDlet Suite button and selecting the JAD file.

The Java JadTool can also be used to sign the MIDlet, using two commands: first add the certificate to the JAD file, then add the signature to the JAD file.
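The six steps above gathered into one script, as an added example that is not code from the article or from Sony Ericsson. It assumes the JDK keytool on PATH, JadTool.jar from the Sun WTK at a placeholder path with its -addcert and -addjarsig options, and the article's file names (mykeystore.sks, mykey.csr, mycert.txt); KEYSTORE, KEYALIAS, STOREPASS and the distinguished name are constructed placeholders. It adds the two checks the text asks for: MIDlet-Permissions must be identical in the JAD and the MANIFEST before signing, and the output JAD must really carry both MIDlet-Certificate-1-1 and MIDlet-Jar-RSA-SHA1 afterwards, since a JAD without them installs as unsigned.

```shell
#!/bin/sh
# Added example, not from the Sony Ericsson article: the third-party signing
# steps as one script. Assumptions: keytool from the JDK is on PATH, JadTool.jar
# from the Sun WTK is at $JADTOOL (placeholder path), and the file names
# mykeystore.sks / mykey.csr / mycert.txt follow the article's example.
set -eu

KEYSTORE=${KEYSTORE:-mykeystore.sks}
KEYALIAS=${KEYALIAS:-mykey}
STOREPASS=${STOREPASS:-changeit}                  # placeholder password
JADTOOL=${JADTOOL:-/path/to/WTK/bin/JadTool.jar}  # placeholder path

# Read one attribute value from a JAD or MANIFEST ("Name: value" lines).
jad_attr() {  # $1 = file, $2 = attribute name
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# A JAD is only signed if it carries both the signer certificate chain and
# the JAR signature. Installing from the bare JAR loses both, so the suite
# is then treated as unsigned.
jad_is_signed() {  # $1 = JAD file; exit status 0 = signed
    [ -n "$(jad_attr "$1" MIDlet-Certificate-1-1)" ] &&
    [ -n "$(jad_attr "$1" MIDlet-Jar-RSA-SHA1)" ]
}

# MIDlet-Permissions must be the same in JAD and MANIFEST before signing;
# whitespace differences are ignored, order and content are not.
permissions_match() {  # $1 = JAD file, $2 = MANIFEST.MF file
    [ "$(jad_attr "$1" MIDlet-Permissions | tr -d ' \r')" = \
      "$(jad_attr "$2" MIDlet-Permissions | tr -d ' \r')" ]
}

# Steps 1-2: key pair plus certificate request. O= must be the registered
# company name, the CA verifies it (the DN below is a constructed sample).
make_key_and_csr() {
    keytool -genkeypair -alias "$KEYALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=Example Company AB, O=Example Company AB, C=SE"
    keytool -certreq -alias "$KEYALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file mykey.csr
}

# Step 5: import the PKCS #7 reply into the same keystore and alias that
# produced the CSR, then print the validity period: after the "until" date
# the signed suite can no longer be installed (installed copies keep running).
import_cert() {
    keytool -importcert -alias "$KEYALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file mycert.txt
    keytool -list -v -alias "$KEYALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" | grep 'Valid from'
}

# Step 6: check permissions, add the certificate chain to the JAD, then sign
# the JAR and write the signature into the JAD. JadTool leaves the JAR
# untouched, so MIDlet-Jar-Size stays correct.
sign_suite() {  # $1 = input JAD, $2 = JAR, $3 = output JAD
    unzip -p "$2" META-INF/MANIFEST.MF > "$3.manifest"
    permissions_match "$1" "$3.manifest" ||
        { echo "MIDlet-Permissions differs between JAD and MANIFEST" >&2; return 1; }
    java -jar "$JADTOOL" -addcert -alias "$KEYALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -inputjad "$1" -outputjad "$3.tmp"
    java -jar "$JADTOOL" -addjarsig -jarfile "$2" -alias "$KEYALIAS" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -inputjad "$3.tmp" -outputjad "$3"
    rm -f "$3.tmp" "$3.manifest"
    jad_is_signed "$3"   # fail loudly if the signature did not land in the JAD
}

# Usage: sign.sh keys | import | sign app.jad app.jar app-signed.jad
case "${1:-}" in
    keys)   make_key_and_csr ;;
    import) import_cert ;;
    sign)   sign_suite "$2" "$3" "$4" ;;
esac
```

Run `sh sign.sh keys`, send mykey.csr to the CA, save the reply as mycert.txt, run `sh sign.sh import`, and finally `sh sign.sh sign app.jad app.jar app-signed.jad`. Ship app-signed.jad next to the unchanged app.jar; the `Valid from ... until` line printed on import is the last date on which that JAD will still install.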

 

 

 

 

 

 

Note that the certificate and signature are located in the JAD file, so a signed application must be installed using the JAD file; otherwise it will be installed as unsigned.

On Sony Ericsson phones there are a few ways to install an application using the JAD file.

Over The Air (OTA) - Put the application, JAD and JAR, on a web server and use the browser in the phone to download the MIDlet.

Local - Copy the JAD and JAR to the phone's file system. On the phone, select the JAD file to install the application.

Device Explorer - In the Sony Ericsson SDK for the Java ME Platform a tool called Device Explorer can be used to install the application on the phone.

In all these cases make sure to select the JAD file.

Permission Settings

Find a list of the permission settings used on Sony Ericsson phones here >>> http://developer.sonyericsson.com/getDocument.do?docId=99421

It is not possible to specify the default setting for a MIDlet before the MIDlet is installed. The permission setting can be changed for each application once it is installed. This is done in the settings menu for each MIDlet.

From Sony Ericsson JP8 phones it is possible to specify default permission levels; specifying the Trusted permission level will set all available security settings to the least restricted level available.

On the newest Sony Ericsson Java™ ME phones the permission setting can be changed at runtime when the user is prompted for permission to use the API.

Permission Attributes

Some APIs require permission to execute. For a signed MIDlet the permission should be entered in the JAD and MANIFEST file before signing. This can commonly be done by the IDE.

JAD / MANIFEST attribute:

MIDlet-Permissions: javax.microedition.io.PushRegistry, javax.microedition.io.Connector.sms

Find a list of permission attributes here >>> http://developer.sonyericsson.com/community/docs/DOC-1049

FAQ

My MIDlet is signed but the installation fails?

1) Make sure the correct date is set in the phone; the certificate is only valid for a certain period of time.

2) Make sure the certificate used is available in the phone.

After my signed MIDlet is installed I can't connect to the Internet using an HttpConnection.

For an API requiring permission, the permission should be added to the JAD and MANIFEST file before the MIDlet is signed.

MIDlet-Permissions: javax.microedition.io.Connector.http

My MIDlet is signed and I have added the permission to use a socket connection but I still get a security exception?

Some operators do not allow third-party signed applications to use all APIs. Check if you are using an operator-branded phone.

I have a signed MIDlet but the installation fails?

Make sure the certificate the MIDlet is signed with is available in the phone.

Find out which certificate was used to sign the MIDlet from the JAD file:

MIDlet-Certificate-1-1: MIIDSjCCAjKgAwIBAg...........................n

1) Copy the MIDlet-Certificate attribute value.

2) Create a text file using Notepad and paste the value into that file.

3) Rename the text file to a .cer file.

4) Open the .cer file to read the certificate information.
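The four steps above as a script, an added example that is not part of the article: it extracts each certificate of chain 1 from the JAD into a PEM-armoured .cer file and prints owner, issuer and validity with keytool -printcert (JDK keytool assumed on PATH; the output names cert-1-N.cer are chosen here). The last issuer printed is the root that must appear in the phone's Security -> Certificates list, and the "until" date must lie after the phone's clock, which covers both causes of a failed installation given in this FAQ.

```shell
#!/bin/sh
# Added example, not from the article: pull the signer certificate chain out of
# a JAD and print it with keytool, to compare the issuer and the validity dates
# with the root certificates listed in the phone's Security -> Certificates menu.
set -eu

# Read one attribute value from a JAD ("Name: value" lines).
jad_attr() {  # $1 = file, $2 = attribute name
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tr -d '\r' | head -n 1
}

# Write MIDlet-Certificate-1-<n> as a PEM file. The JAD value is the base64
# DER certificate on one line; PEM armour plus 64-column wrapping makes it
# readable by keytool -printcert and by OS certificate viewers.
# Exit status 1 when the attribute is missing (end of chain).
jad_cert_to_pem() {  # $1 = JAD file, $2 = position n in chain 1, $3 = output .cer
    b64=$(jad_attr "$1" "MIDlet-Certificate-1-$2")
    [ -n "$b64" ] || return 1
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$b64" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } > "$3"
}

# Count the certificates in chain 1 (MIDlet-Certificate-1-1, 1-2, ...).
jad_chain_length() {  # $1 = JAD file
    n=0
    while [ -n "$(jad_attr "$1" "MIDlet-Certificate-1-$((n + 1))")" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Dump every certificate of chain 1 and print its owner, issuer and validity.
# The last issuer printed is the root that must exist in the phone.
show_jad_chain() {  # $1 = JAD file
    i=1
    while jad_cert_to_pem "$1" "$i" "cert-1-$i.cer"; do
        echo "== MIDlet-Certificate-1-$i =="
        keytool -printcert -file "cert-1-$i.cer" | grep -E '^(Owner|Issuer|Valid)'
        i=$((i + 1))
    done
}

# Usage: jadcert.sh app-signed.jad
if [ $# -eq 1 ]; then
    show_jad_chain "$1"
fi
```

A JAD whose chain length is 0 was installed, or will be installed, as unsigned, which is the same symptom as installing from the JAR instead of the JAD.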

JWtheCoolOne  says:

Hi,

 

can I find somewhere a list that has the following information:

 

device | operator | supported certificates

 

Does anybody have some realworld experience with a certificate other than the GeoTrust CA for UTI / Java Verified?

 

THX!

jviggen says in response to JWtheCoolOne:

Hi

We don't have any info on operator customizations unfortunately. I think though that this info should be available from the different operators.

If you are able to dig out some info on that there are probably lots of people interested in this.

/Johan

amitaggarwal  says in response to JWtheCoolOne:

Dear JWTheCoolOne,

 

We have used Thawte also..It works fine as third party and works fine on Sony Ericsson device.

But manufacturer certificate is the best for development purposes. We acquired the developer (Bound) cert for motorola and life has become very simple.

I hope Sony Ericsson also launches the Dev certificates with no prompts ..!

Sony Ericsson Developer Support says in response to amitaggarwal:

Hi,  Manufacturer domain signed MIDlets are indeed able to get rid of prompting. But it's a good thing to be able to get the same behaviour upon execution as the actual real world user will be experiencing. Manufacturer or Operator domain signing is usually only possible to obtain in a commercial situation in case the operator or Manufacturer has gained ownership of the application and is willing to sign and thus endorse such an application. In the vast majority of cases MIDlets on the market will be signed to the Third Party Trusted domain. So for development that is going to result in commercial deployment, a good investment for a MIDlet vendor that is going to do something commercial is to acquire a signing certificate from a CA which allows Third Party Trusted signing. An alternative is to submit the MIDlet through a certification programme (JavaVerified) which also results in Third Party Trusted domain placement.

njsiew  says:

Hi, can someone pls enlighten me on these :

 

1) are there many SE devices which do NOT contain the Verisign & Thawte root certs? (the statement "Note that the only one that always will be available in all Sony Ericsson MIDP2 phones is the GeoTrust CA for UTI certificate" worries me since we do use Verisign & Thawte in some midlets)

 

2) is SE moving towards a regime of "Java Verisign only"? (that is, trusted 3rd party domain can only be done if midlet has gone through Java Verified)

 

3) are there any Wiki entries for "Operator domain signing"?

 

Thanks !!

Sony Ericsson Developer Support says in response to njsiew:

Hi

Answers:

1. The Verisign and Thawte certificates can be customized away by operators, the UTI certificate can not. AFAIK there are no plans of abandoning either the Verisign or Thawte certificates.

2. No

3. No, operator domain is for operators only and I think if there is any documentation on that area it is handled by the people responsible for operator customization/developer support.

 

You are Welcome

scf  says in response to Sony Ericsson Developer Support:

Dear Sony Ericsson Support Team:

We would like to know if after signing our MIDlet application through Verisign, the application will be able to get full access to the camera, taking pictures with "never ask" permission or at least "ask once" permission.

 

1) Will this work with any Sony Ericsson device after signing?

2) For now we are testing with Sony Ericsson Z520 phone, this model will allow at least "ask once" permission to the signed MIDlet for camera video capture?

3) Is the following link what we need to sign our MIDlet through Verisign Class 3 Certificate?

http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/

 

Hope you can help because it wouldn't be nice to spend money in vain for a Verisign Certificate.

 

Thanks!

Sony Ericsson Developer Support says in response to scf:

Hi,

 

You can find a list of what permission settings in the phones here >>> http://developer.sonyericsson.com/getDocument.do?docId=99421

The Z520 is a Sony Ericsson Java Platform 5 phone and can get "blanket" permission for the camera apis in the 3rd party Trusted Domain. It is the Multimedia Recording permission. See permission settings and permission attributes in this wiki article. (Note that some operators do change the permission settings in the Operator branded phones.)

 

1) The Verisign certificate must be installed in the phone. Some operators do change what certificates are available in the phones. The UTI certificate from Java Verified will always be available.

2) Unsigned midlets can have "Ask once" (session) permission.

3) Yes, select "Sun Java Signing Digital ID"

 

Find more information here:

Application Signing with Verisign certificate: http://developer.sonyericsson.com/docs/DOC-1667

 

/Oscar

Sony Ericsson Developer World

vlk_  says:

Hi,

Is possible (or exist any way) to obtain java certificate for free ?

My application is free and distributed with source codes, but it using some features which request higher rights (like access to location service, internet access, or messaging)

Thanks.

Sony Ericsson Developer Support says in response to vlk_:

Hi vlk,

 

An unsigned application can access Location apis, Net Access apis and Messaging apis but by signing the application the end user may have less system prompts asking for the rights to use the apis.

 

Is possible (or exist any way) to obtain java certificate for free ?

You can actually create your own certificate and use that to sign your applications but unfortunately that wont do much good.

 

The application must be signed with any of the Java certificates that are available in the phones and that is commonly the UTI, Verisign and Thawte certificates.

To get your application signed with the UTI certificate you must use Java Verified to get the application tested and signed. The Verisign and Thawte can be purchased and looking at the Thawte website that will cost US$299 for a one year certificate.

 

So, to sign your application will cost you some money unless you can find some company that is willing to do this for free.

 

/Oscar

Sony Ericsson Developer World

vpaoli says:

Hi

Can I sign  two different midlet sites by means of  one certificate (mycert.txt) ?

 

Thanks.

tiny2 says:

Thank you for this very detailed article on midlet signing. However, i think the need for signed midlets to gain (permanent) access to some phone features kind of stuns the growth of more powerful midlet applications...especially for free and open source developers...

 

imagine if i wanted to write a file or contact manager and distribute it for free. the number of 'are you sure? (permission check)' popups will totally kill the usability unless i pay to get it signed. solution, don't do it as a midlet - and Java ME loses...

 

i really hope this can change as i do feel current Java ME (MSA, JP-8) platform can be used to write really powerful applications.

 

Alex - Guide To Paris Hotels

Sony Ericsson Developer Support says in response to tiny2:

Hi Tiny2,

 

For read/write user data it is actually possible in the Sony Ericsson JP8 phones for unsigned applications to get blanket permission (never ask permission). In the JP8 phones the user can at runtime change the permission settings when prompted by the system.

 

Here is a document with the Sony Ericsson permission settings:

http://developer.sonyericsson.com/getDocument.do?docId=99421

 

/Oscar

Sony Ericsson Developer World.

srirampani says in response to Sony Ericsson Developer Support:

Hi Oscar,

I tried to install a simple MIDlet, i.e. "Hello World", using push registry as a server socket with permission "javax.microedition.io.Connector.serversocket" on "SonyEricsson C902". I am getting the error message "Operation failed" while installing it. If I replace "socket://:9002" with "sms://:9002" it gets installed. Below is the ".jad" file text:

MIDlet-1: PushServerSocket, ,midlet.HelloServerSocketMIDlet
MIDlet-Jar-Size: 738483
MIDlet-Jar-URL: PushServerSocket.jar
MIDlet-Name: Storefront
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.receive, javax.microedition.io.Connector.serversocket, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.socket
MIDlet-Push-1: sms://:6844, midlet.HelloServerSocketMIDlet,*
MIDlet-Push-2: socket://:9002, midlet.HelloServerSocketMIDlet,*
MIDlet-Vendor: ABCD
MIDlet-Version: 0.0.38
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
Socket-port: 9002

 

My product is in the final phase of development. I need your help, please help me.

 

Regards,

Sriram

nicsoft says in response to Sony Ericsson Developer Support:

Hi Dev Support,

 

When running the application on the phone from Device Explorer, I am getting SecurityException. Is this due to that the application is not signed? I have managed to get it working some times when running it directly from the phone, but I have never signed it. Using it for LBS service.

 

Thanks!

 

Regards,

Niklas

ms_signhelp says in response to nicsoft:

Hi Dev Support,

I'm having issues with downloading and installing a signed app with the VeriSign Class 3 certificate. Is there any way to find out what root certificates/intermediate certificates are installed on OEM devices? I realize it'd be hard to find out the same for MO devices since they tend to change what certs are on the device. I'm specifically interested in certificates that are on these devices:

Sony Ericsson Z610x
Sony Ericsson K800x
Sony Ericsson C905
Sony Ericsson W760
Sony Ericsson W910x
Sony Ericsson K630x
Sony Ericsson W550x
Sony Ericsson W350x

Is there a specific set of certificates included with OEM devices running JP7 vs JP8? If so, would you be able to provide me with such a list please?

Also, in terms of the SE trust model, is validation happening against the intermediate or the root cert?
