Netscape Object Signing - Java Applets

This page describes the steps to extend your applet and sign it so that Netscape 4.0 (and higher) will allow it more access than usual. If you are very impatient, try the Short Version.
During Development

First it is worth noting that while you are still developing, you can bypass the actual applet signing by adding the following line to the file prefs.js/preferences.js (location given below):

    user_pref("signed.applets.codebase_principal_support", true);

NOTE: THIS IS DANGEROUS! It turns off the check that the applet was actually signed, so unsigned code can ask for the privileges described below.

Windows: c:\program files\netscape\users\$USER\prefs.js
Unix:    $HOME/.netscape/preferences.js

You should make this change when Netscape is not running (Netscape rewrites the file when it exits).

Netscape has a tech note describing this, and the dangers associated with it. I recommend you read it.
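As an added example (not from the original page), here is a small Python audit that parses the user_pref("name", value); statements Netscape writes to prefs.js/preferences.js and reports whether the development-only setting above is still enabled. The prefs.js statement format is Netscape's own; the file content embedded below is constructed for illustration.

```python
import re
from typing import Dict, Union

# prefs.js / preferences.js is a list of statements of the form
#   user_pref("pref.name", <value>);
# where <value> is true, false, an integer, or a double-quoted string.
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

# Prefs that must not be left enabled outside development. Only the
# codebase-principal pref is taken from the page; extend as needed.
RISKY_TRUE_PREFS = frozenset({"signed.applets.codebase_principal_support"})

PrefValue = Union[bool, int, str]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {name: value} for every user_pref statement; skip comments/junk."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # "// ..." comments, blank lines, malformed lines
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # unknown literal: keep verbatim for review
    return prefs


def risky_prefs(text: str) -> Dict[str, PrefValue]:
    """Audited prefs that are set to true, i.e. the signing bypass is active."""
    return {n: v for n, v in parse_prefs(text).items()
            if n in RISKY_TRUE_PREFS and v is True}


# Constructed sample of a developer's prefs.js, not a real profile.
SAMPLE_PREFS = """\
// Netscape User Preferences
// This is a generated file!  Do not edit.
user_pref("browser.startup.homepage", "http://www.olabs.com/");
user_pref("signed.applets.codebase_principal_support", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("security.warn_entering_secure", false);
"""

if __name__ == "__main__":
    for name in risky_prefs(SAMPLE_PREFS):
        print("development-only pref still enabled:", name)
```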
Privileges

To access privileged routines (ones that would normally cause a security exception), you need to ask Netscape for the privilege to access that routine. This is done with netscape.security.PrivilegeManager. If you have a correctly signed applet, the Manager displays a dialog box to the user asking whether they would like to grant the request. This happens only once for every privilege that you ask for, but if you restart Netscape, it will ask again. The user may select a box so that they are never asked again (and similarly they can go into the security preferences and disallow the privilege at any time).

There are many privileges. The code for priv.java given below shows an example of how to access System properties that are not normally available. The priv.java file has more comments etc.
    import java.applet.*;
    import java.awt.*;
    import netscape.security.*;

    public class priv extends Applet
    {
        public void init()
        {
            // Ask Netscape for the privilege first. For a correctly signed
            // applet this pops up the grant/deny dialog described above.
            try {
                PrivilegeManager.enablePrivilege("UniversalPropertyRead");
            } catch (netscape.security.ForbiddenTargetException e) {
                // The user declined, or the applet is not signed.
                System.out.println("FAILED UniversalPropertyRead Priv");
            }
            // Now read a property an unprivileged applet may not see.
            try {
                String value = System.getProperty("user.home");
                System.out.println("user.home = " + value);
            } catch (netscape.security.AppletSecurityException e) {
                // The privilege was not granted, so the read is refused.
                System.out.println("Violation getting Property - user.home");
            }
        }
    }
Netscape has the complete (LARGE!) list of possibilities
Compile It!

It doesn't matter much in this case which compiler you use, but don't forget to have the Netscape classes in your CLASSPATH (you specifically need java40.jar):

    javac priv.java

Sign It

Okay, the *real* problem is signing... Most people want to do it for free, and last time I looked at the newsgroups and mailing lists, every second question was about signing applets. My suggestion is to buy a certificate. It costs $20 from Verisign, you can do it on-line, it takes about 10 minutes, and it works perfectly (although I did it at 5 in the morning!). I have some pointers if you want to do it yourself.

Signing the applet

Sign the applet. You need Zigbert or Zigship; since the certificate should already be imported into your browser, I recommend Zigship. Use it to create a .jar file: click "Sign", select your class 2 (or higher) object signing certificate, click New, click Add, select your class files, Add, Done, Sign, Save.

Step 4. Create your HTML file. Here is what you will need.
    <table border="3"><tr><td>
    <applet archive="priv.jar" code="priv" width="100" height="100">
    </applet></td></tr></table>
View the Java Console to see the output. This does not work in MS IE.

You can see a working example at http://www.olabs.com/java/security/netscape/priv.html

Other Items of Interest

Is RSA Patented?

Yes, until the year 2000. Please refer to Is RSA Patented? and, for non-commercial use, check What is RSAREF?. You need RSA to create a certificate to be a certifying authority.

Why would they base a standard on patented technology?

Seems like a strange thing to do! I would think partly because in three years (year 2000) the patent runs out, and then the standard is truly open. It's also been beaten on pretty heavily, since the code is available to the public.
List of primitive Targets

UniversalAccept, UniversalConnect, UniversalExecAccess, UniversalExitAccess, UniversalFileDelete, UniversalFileRead, UniversalFileWrite, UniversalLinkAccess, UniversalListen, UniversalMulticast, UniversalPropertyRead, UniversalPropertyWrite, UniversalSetFactory, UniversalThreadAccess, UniversalThreadGroupAccess, UniversalTopLevelWindow.

jdk1.2

http://java.sun.com/products/jdk/preview/docs/guide/security/index.html contains information about X.509v3 extensions to JDK 1.2.

Bits and Pieces

The Netscape export format for a certificate is PFX. The MSIE 4.0 export/import format is PKCS#12, but it is said that it will understand a Netscape-exported certificate. (I did this once and it worked; the second time, it failed.) Actually, let me quote a user group message.

From owner-ssl-users@mincom.com Tue Oct 14 14:22 EDT 1997
Message-ID: <3443B3FB.B55C28A2@bigfoot.com>
Date: Tue, 14 Oct 1997 19:03:39 +0100
From: Dr Stephen Henson <shenson@bigfoot.com>
Reply-To: shenson@bigfoot.com
Subject: Re: Transferring Certs and Private keys between MSIE and Netscape
Sender: owner-ssl-users@mincom.com

Hall Juan Andres wrote:
>
> The "import" format to import public key certificates, together with the
> secret pass-phrase encrypted private key, for both Netscape Navigator
> 4.0 and MSIE 4.0 is known.
>
> It is the PKCS-12 object format, specified in ASN.1.
>

Well Netscape uses a PFX variant. PFX is a pre-release PKCS#12 which it erroneously refers to as PKCS#12; it also uses some quirky key generation so it isn't 100% compatible with the PFX 0.020 spec (which it is based upon). Can't comment on MSIE final until I get a chance to look at it. However the PKCS#12 in use is not specified in ASN.1 as far as I know, it is currently in a draft-but-nearly-finalised form: the spec has been distributed on the pkcs-tng mailing list (see www.rsa.com for info). NB the draft PKCS#12 documentation on www.rsa.com is *not* compatible with the 'current' PKCS#12.

To summarise there are three "PKCS#12" versions. "PFX" which is pre-draft PKCS#12 which Netscape Communicator uses (with some quirks). PKCS#12 draft on www.rsa.com which no one uses (as far as I know) and "current" PKCS#12 which MSIE may be using (can anyone confirm this?) and a future version of Netscape Communicator. All very confusing!

> Now, given a certificate and associated private key in PKCS-12 format,
> I have no clue whether or not the export version MSIE and Netscape
> browsers will:
>
> a) successfully import the certificate, and
> b) actually use the certificate for authentication and email
> signing and signature verification.
>

Netscape will accept and use longer keys imported by this method. I've tried 1K keys. Apparently you can go up to 2K which is where you hit on a security library implementation limit. There is another reason for doing this. If you don't trust Netscape internal key generation.

I have written code that will access pfx and PKCS#12. pfx is pretty well tested and seems to work OK. It is on ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/pfx-0.1.1.tar.gz

The PKCS#12 patch is very pre-alpha. I've tested it on a few sample interop files. I'll make any changes necessary when I get something more concrete to test it on. The current patch is on: http://www.nyx.net/~shenson/pkcs12-patch-0.0.tar.gz

Steve.
The information on these pages is provided on an "AS IS" basis, and may be used freely at your own risk. Additional usage information is found on each particular page. olabs@olabs.com