July 02, 2007

Code signing J2ME apps

I do a range of diverse things, so it's a bit cool that I can talk about Kerberos and LDAP one day and talk about ASP shell scripts and J2ME code signing the next. There are a few good websites that talk about J2ME code signing. I know because I read them and followed their advice. That said, I still had work to do on my own J2ME project because some things just aren't documented. Perhaps an expert takes these things for granted, so the problem never occurs to the expert and, as such, the expert doesn't document it. Anyway, enough talk.

First step is to create a keystore. You can do this via the command line using keytool, which is distributed with the JDK. I used NetBeans because sometimes I make typo errors. Typo errors are easier to correct via GUI than CLI. You will create a keystore, which is protected by a keystore password, and a key-pair which is given an alias (a friendly name) and a key-pair password. Remember these passwords well.

Let's call our keystore file keystorefile.ks and our key-pair mykey. This makes the examples easier to understand. Once the keystore is created you can do little things to it using keytool.
For example:

  • View keys in the keystore:
    keytool.exe -list -keystore keystorefile.ks

  • Export keys into a file:
    keytool.exe -export -alias mykey -keystore keystorefile.ks -file mykey.crt

  • Export keys into a readable format:
    keytool.exe -export -alias mykey -keystore keystorefile.ks -rfc -file mykey.crt

  • Print a key from the file to the screen:
    keytool.exe -printcert -file vtoken.crt


Note: Once you export your key to a file, we start calling that a certificate. Who knows why? Only the public certificate for the key-pair goes into that file; the private key stays inside the keystore.

Now that you're done playing with yourself, you probably want to get a Certificate Authority (CA) to sign the cert. So you have to create a certificate signing request (CSR) and send it to the CA.

keytool.exe -certreq -alias mykey -keystore keystorefile.ks -file mykey.csr

mykey.csr is a text file which starts with
-----BEGIN NEW CERTIFICATE REQUEST-----
and ends with
-----END NEW CERTIFICATE REQUEST-----

You will send this to the CA, through their website. I used Verisign because apparently they are supported by the most number of phones. After Verisign has signed the cert, they will send it back to you. You will need to import it back into the SAME keystore file and the SAME alias. I told you those passwords are important. It's a good thing you didn't flip-flop on your decision to buy the cert and prolong a 1-day process into a 3-month nightmare, complaining that making online purchases is against company policy and that it's terribly difficult faxing things overseas and making international phone calls, as well as arm-twisting your vendor to give you the certificate for free. Yes, it's a good thing you didn't do that.

Now that you've found your keystore file and certificate alias and the passwords to your keystore and key-pair, it's time to import the signed cert.

keytool -import -file c:\casigned.cert -keystore keystorefile.ks -alias mykey

Done. Now you can sign J2ME applications by unlocking the keystore and key-pair.
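The whole procedure above, scripted end to end, as an added example that is not part of the original post. It assumes a Unix shell rather than the Windows command line used in the post, uses the long-form keytool subcommand names (-genkeypair, -exportcert, -importcert) that are aliases for -genkey, -export and -import, and takes the two passwords from the environment variables STOREPASS and KEYPASS so they never land in shell history. The final signing step assumes the Sun Wireless Toolkit's JadTool.jar is available; its flags are recalled from the WTK documentation and are an assumption, not something the post states. The check_csr_pem function is a small guard added here so that what you upload to the CA is really a certificate request and not a private key file picked by mistake.

```shell
#!/bin/sh
# Added example: J2ME code-signing workflow with keytool (not the post's own script).
KS=${KS:-keystorefile.ks}   # keystore file from the post
ALIAS=${ALIAS:-mykey}        # key-pair alias from the post

# Sanity-check a CSR before sending it to the CA. Returns 0 only if the file
# is a PEM certificate request with the keytool header/trailer shown in the
# post, and refuses anything that contains a private key.
check_csr_pem() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "REFUSING: $f holds a private key, not a CSR" >&2
        return 1
    fi
    first=$(head -n 1 "$f")
    last=$(sed -n '$p' "$f")
    case "$first" in
        '-----BEGIN NEW CERTIFICATE REQUEST-----'|'-----BEGIN CERTIFICATE REQUEST-----') ;;
        *) echo "bad header: $first" >&2; return 1 ;;
    esac
    case "$last" in
        '-----END NEW CERTIFICATE REQUEST-----'|'-----END CERTIFICATE REQUEST-----') ;;
        *) echo "bad trailer: $last" >&2; return 1 ;;
    esac
    return 0
}

need_passwords() {
    : "${STOREPASS:?set STOREPASS (keystore password)}"
    : "${KEYPASS:?set KEYPASS (key-pair password)}"
}

# Step 1: create the keystore and key-pair. -dname replaces the interactive
# prompts so the step is repeatable; the subject is a constructed sample.
create_keystore() {
    need_passwords
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Example MIDlet Signing, O=Example Org, C=US" \
        -keystore "$KS" -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# "Little things" from the post: list, export the public cert (never the
# private key) in readable PEM form, and print it back.
list_keystore() { need_passwords; keytool -list -v -keystore "$KS" -storepass "$STOREPASS"; }
export_cert() {
    need_passwords
    keytool -exportcert -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -rfc -file "$ALIAS.crt"
    keytool -printcert -file "$ALIAS.crt"
}

# Step 2: certificate signing request, checked before it goes to the CA.
make_csr() {
    need_passwords
    keytool -certreq -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$KEYPASS" -file "$ALIAS.csr"
    check_csr_pem "$ALIAS.csr"
}

# Step 3: import the CA's reply into the SAME keystore and SAME alias.
# -trustcacerts lets keytool complete the chain from the JDK's cacerts; if the
# CA's intermediate is not there, import it first under its own alias.
import_ca_reply() {
    need_passwords
    keytool -importcert -trustcacerts -alias "$ALIAS" -keystore "$KS" \
        -storepass "$STOREPASS" -file "$1"
}

# Step 4 (assumption: Sun WTK JadTool.jar on the path, flags from its docs):
# put the certificate chain into the JAD, then the RSA-SHA1 signature of the JAR.
sign_midlet() {
    need_passwords
    jad=$1; jar=$2
    java -jar JadTool.jar -addcert -alias "$ALIAS" -keystore "$KS" \
        -storepass "$STOREPASS" -inputjad "$jad" -outputjad "$jad"
    java -jar JadTool.jar -addjarsig -jarfile "$jar" -keypass "$KEYPASS" \
        -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        -inputjad "$jad" -outputjad "$jad"
}

# Usage: STOREPASS=... KEYPASS=... ./sign.sh demo
# (create keystore, export cert and produce the CSR; the import and signing
# steps need the CA reply and a real JAD/JAR, so call them by hand afterwards)
if [ "${1:-}" = demo ]; then
    create_keystore && list_keystore && export_cert && make_csr
fi
```

check_csr_pem is deliberately strict about the first and last lines because that is exactly what a CA's upload form parses; a file with a stray blank line or a private-key header is the usual cause of a rejected request.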
