Applet security: a blast from the past

A was asked to solve a little problem the other day (a website that can detect if processes are running on the underlining operating system in a major corporation).

It presented a bit of a quandary, we are so used to the power of modern UI frameworks supplanting the rich client frameworks of the previous web generation, that when you come across something that cant be done in the browser sandbox you have to sit back and have a scratch.

In the end the only practical solution was a Java applet (the client has internal root certificates on their machines that would grant the power necessary to run the commands). not a problem I have written tons of them ….. years ago

When it came to signing everything to do the testing my mind came up a blank and google was not much help, so when I figured it out, I thought perhaps a little aide memoire would not hurt in case I need it again

So the security is quite rightly heavy on the applet sandbox for browsers and you have to sign Jar files that you use in applets (you cant just sign class files you have to export them into a Jar), if they are unsigned then you CANT get them to run, if they are self signed then you can get them to run after the browser has warned you.

The following is me building my self cert so you can do internal testing

1) First I want to build my self a keystore (which will name appletkey), for that I will need a copy of the java JDK installed

D:MyAppletProjectWebContent>"C:Program FilesJavajdk1.7.0_25binkeytool" -genkey -keystore appletkey
Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  Jo Bloggs
What is the name of your organizational unit?
  [Unknown]:  stickfight
What is the name of your organization?
  [Unknown]:  stickfight
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Jo Blogs, OU=stickfight, O=stickfight, L=London, ST=London, C=GB correct?
  [no]:  yes
Enter key password for <mykey>
        (RETURN if same as keystore password):

2) Now I have a keystore ( you will see a file called ‘appletkey’ created in the directory you ran the last command in, now I want to generate a self cert.

D:MyAppletProjectWebContent>"C:Program FilesJavajdk1.7.0_25binkeytool" -selfcert -keystore appletkey
Enter keystore password: password

3) Hooray we now have a certificate, you can check its OK (if you want) by entering

D:MyAppletProjectWebContent>"C:Program FilesJavajdk1.7.0_25binkeytool" -list -v -keystore appletkey

4) Now let’s sign the jar files we are using in our applet (yes you have to sign them all not just the one that contains the initial class you are calling)

D:MyAppletProjectWebContent>"C:Program FilesJavajdk1.6.0_45binjarsigner" -keystore appletkey process.jar mykey
Enter Passphrase for keystore: password
The signer certificate will expire within six months.

Now you can see that I’m using jdk1.6 for this as the 1.7 goes mad about the alias (the mykey in the previous command), its been driving people and me potty on the internet and the safest way seem to just use the last version of 1.6 to do the sign.
Once this is done you will just be able to run the applet on any web server and as long as you agree to the warnings you can run any code you want.
I think I’ll go and listen to some 80’s rock now.

Leave a Reply

Your email address will not be published.