HowTo sign the applet?

What should be signed?

Up to JUpload 5.0.x, there was several jar files in the distribution (wjhk.jupload.jar, plugin.jar...). All would need to be signed.

Since JUpload 5.1.0, all needed classes are together in one file: wjhk.jupload.jar. All other files should be removed from your web site.

Why do you need to sign the applet?

When running from a web site, within your browser, the applet needs to have access to the local filesystem, in order to choose then upload the files. Thanks to Java protection, this is impossible ... unless specific prerequisite:

  • The applet must be signed. Non-signed applet mat never access the local filesystem.
  • The user must accept the applet certificate. The user then has the option to accept it for ever, or just for the current session. If the user accepted 'for ever' the certificate, he/she can remove it by doing these actions:
    • (from Java 1.7u51) Go to the Java Control Panel / Security / Manage Certificates / Signing Certificates, and remove the relevant certificate. The UPload's CA is named ... "JUpload's CA"!
    • (before Java 1.7u51) Go to the Java Control Panel / Security / Certificates / Approved certificates, and remove the relevant certificate
    • Go to the Java Control Panel / General. In the temporary Internet Files, click on the Parameter button. Then, click on the Remove files... button to clean the Java cache.

Take care about this: before java 1.7u51, Once a certificate is permanently accepted on a browser, this browser may execute any applet signed by this certificate, without asking the user. This changed with the latest JRE versions, especially starting frol JRE 1.7u51. If you let the java default security configuration, you'll always get a warning message, asking you for confirmation, before launching the applet.

Good practices are:

  • The keystore and the storepass must remain secret.
  • The validity of the certificate must be not too long (1 year seems a maximum to me).
  • For commercial use, a good practice is to have a certificate signed by a known Certificate Autority. You'll need to pay, for that...

Who can sign the applet (or...find a CA)?

The easiest way is to by a Certificate. This is the recommanded way for most cases. You'll find the relevant documentation, from the CA your choose.

If you don't want to or can't pay, you can also check http://www.cacert.org, where you can get free Certificates. AFAIK, their CA is not deployed on browsers, so you'll still have to deploy it. But the whole process may be simpler.

For this opensource project, we don't have the money to do that. So we created our own CA ... and documented how to do this. See below.

How to generate a certificate, signed by you own CA, with openssl?

Since Java 1.7 u51, the auto-signed applets may no more run with the 'all-permission' flag, that is, with disk access.

You need to sign your applet with a certificate, which certificate being signed by an Certificate of Authority known by the local configuration. You can either: create a certificate, and make it be signed by a trusted CA, or create your own CA, and use it to sign the 'base' certificate, you'll sign the applet with.

This tutorial is based on these pages:

Here are the necessary steps :

  • Go to the folder where you'll create your certificates
  • Copy the original openssl.cfg (or openssl.cnf) file to ./jupload_openssl.cfg (or take our 'original', available in the /src/site/resources/scripts folder)
  • Update the file jupload_openssl.cfg file. It's location depends on your system.
    • [For Windows only] Update the RANDFILE parameter to ./jupload/a.rnd
    • Change the 'dir' value, around line 42 (first line of the CA_default section)
    • You may change the 'default_days' value, to another value than 365 (wich stand for one years).
    • You can change all default values (parameter ended by '_default'), to avoid typing them for each certificate.
    • Take care of the v3_ca section. It's a critical one for CA.
      • You may (or should? please give us report for this one) change "basicConstraints = CA:true" to "basicConstraints = critical,CA:true" as most existing CA has the 'critical' tag activated. It is currently not activitated for the JUpload CA.
      • You must uncomment the keyUsage = cRLSign, keyCertSign line, or your CA won't be recognized for signing other certificate.
    • Take care of the Certificate Revocation List part. You'll have to publish where the CRL will be available:
      • Add the crlDistributionPoints=crl_section line in the usr_cert and in the v3_ca sections.
      • Create a crl_section section:
        fullname=URI:http://yourdomaine.com/yourPath/crl.pem
        
  • Create these folders:
    • ./jupload
    • ./jupload/certs
    • ./jupload/private
    • ./jupload/newcerts
  • In the ./jupload folder, create these file:
    • echo 1000 > serial (that is, for windows users : a 'serial' file, containing just the '1000' string)
    • An empty 'index.txt' file
    • For windows only, you'll have to create a 'rnd' file. To have a valid name, I created a 'a.rnd' file, in ./jupload
  • Back to the . folder
  • Create the Certificate Authority. Important: the common name asked when creating this certificate is the name of the 'publisher' of the CA, when it signs other certificate. This name should identify your company (for instance). It may be a different value as the 'Organisation', as asked also by openssl.
    • To automize the CA creation, you can add this parameter: -subj "/CN=Your CA Common Name/OU=The CA's Organisation Unit/O=Your Organisation/ST=Your state/L=Your City/C=Your country (two letters in uppercase)"
    openssl req -new -x509 -days 3650 -keyform PEM -outform PEM -keyout jupload/private/cakey.pem -out jupload/cacert.pem
    
  • Copy this CA to a format, which can be managed by keytool (the Java keystore management tools) and the various browsers:
    openssl x509 -outform der -in jupload/cacert.pem -out jupload/cacert.crt
    
  • Create the jupload Certificate. This certificate will be signed by the CA you juste created. You'll use it to sign the applet. We'll use the keytool java command to create the certificate. You'll be asked for the organization, name (...) for this new certificate. Take care that the Organisation name
    • To automize the CA creation, you can add this parameter: -dname "CN=Your Certificate Common Name, OU=The certificate's Organisation Unit, O=Your Organisation, ST=Your state, L=Your City, C=Your country (two letters in uppercase)"
  • You can check the content of your keystore with this command:
    keytool -list -keystore YOUR_KEYSTORE.jks -storepass "secret"
    
  • To view the details for one certificate:
    keytool -list -keystore YOUR_KEYSTORE.jks -storepass "secret"
    
  • Generate the request to the CA, for certificate signing:
    keytool -certreq -v -file jupload/certs/juploadDemoCARequest.csr -alias "juploaddemo" -keystore YOUR_KEYSTORE.jks -storepass "secret" 
    
    • You can now sign the certificate with the CA. With the below command, your certificate will be signed for 1 year.
      [For windows only] set RANDFILE=./jupload/a.rnd
      openssl ca -days 365 -in jupload/certs/juploadDemoCARequest.csr -out jupload/newcerts/juploadDemoCARequest.pem  -policy policy_anything  
      
  • Seems like you need to 'purify' the generated pem file:
    openssl x509 -in jupload/newcerts/juploadDemoCARequest.pem -out jupload/newcerts/juploadDemoCARequest.pem -outform PEM
    
  • The crt format is more standard:
    openssl x509 -outform der -in jupload/newcerts/juploadDemoCARequest.pem -out jupload/newcerts/juploadDemoCARequest.crt
    
  • As you do all manually (instead of asking all this to a 'real' CA), we have to concatenate the certificate chain:
    [Windows] copy jupload\newcerts\juploadDemoCARequest.pem + .\jupload\cacert.pem jupload\newcerts\juploadDemoCARequest.chain
    [Unix] cat jupload/newcerts/juploadDemoCARequest.pem jupload/cacert.pem > jupload/newcerts/juploadDemoCARequest.chain
    
  • Before importing the signed certificate, you must indicate that you trust this CA:
    keytool -import -trustcacerts -file jupload/cacert.pem -alias juploadca -keystore YOUR_KEYSTORE.jks -storepass "secret" 
    
  • The chain of certificates is built. You can now import it into your keystore. You should precise an alias (e.g.: -alias juploademo) if you're importing it into another keystore.
    keytool -import -file jupload\newcerts\juploadDemoCARequest.chain -alias juploaddemo -keystore YOUR_KEYSTORE.jks -storepass "secret"
    
  • Now, you must generate the CRL:
    openssl ca -gencrl -out jupload/crl/crl.pem
    
  • Then publish this crl.pem file, to the URL you entered in the openssl configuration file (see above, in the crl_section section)

You can now sign the applet with your own certificate.

Caution: Before using this signed applet in your browser, you'll have to import the new CA certificate into your browser. Details are ... just below. ;-)

How to generate a certificate, with keytool?

[IMPORTANT NOTE : THIS PART IS OBSOLETE. IT WON'T WORK WITH JAVA VERSION, STARTING FROM THE 1.7u51, UNLESS YOU REDUCE THE JAVA SECURITY SETTING]

With maven compilation, signing the applet is native. See the HowTo compile the applet page. But you need to create a certificate, in order to sign the applet. Here are the java commands, to create a demo certificate for JUpload:

  • Generate Private/Public key set (180 days = 6 months) :
           keytool -genkey -alias "jupload" -validity 180 -dname "CN=JUpload, OU=Testing/Demo, O=JUpload.SourceForge.net, L=SourceForge, S=SourceForge, C=SG"
    
  • List key set.
           keytool -list
    
  • Sign the Applet with the private key. You must do that after each modification of the jar package. You can use the below command, if you want to do this manually, or use the given ant or maven compilation scripts. All details on the HowTo compile the applet page. The command below allows you to sign the applet with a 'test' certificate:
           jarsigner wjhk.jupload.jar jupload
    
  • Verify the jar file have being sign properly.
           jarsigner -verify -certs -verbose wjhk.jupload.jar
    

You can find more information, now obsolete, to sign the applet is provided by Martin Westin in this thread: https://sourceforge.net/forum/forum.php?thread_id=2991519&forum_id=199106