Adding certificate to trusted certificates using an applet?

2 Message(s) by 2 Author(s) originally posted in java security

From: john.burton

Date: Wednesday, November 22, 2006

I've a question about using a signed applet

<World-Wide Web> A {Java} program which can be distributed as
	an attachment in a {World-Wide Web} document and executed by a
	Java-enabled {web browser} such as Sun's {HotJava},
	{Netscape Navigator} version 2.0, or {Internet Explorer}.

	Navigator severely restricts the applet's file system and
	network access in order to prevent accidental or deliberate
	security violations.  Full Java applications, which run
	outside of the browser, do not have these restrictions.

	Web browsers can also be extended with {plug-ins} though these
	differ from applets in that they usually require manual
	installation and are {platform}-specific.  Various other
	languages can now be embedded within {HTML} documents, the
	most common being {JavaScript}.

	Despite Java's aim to be a "write once, run anywhere"
	language, the difficulty of accomodating the variety of
	browsers in use on the Internet has led many to abandon
	client-side processing in favour of {server}-side Java
	programs for which the term {servlet} was coined.

	Merriam Webster "Collegiate Edition" gives a 1990 definition:
	a short application program especially for performing a simple
	specific task.

	(2002-07-12)

. I've a specific
solution in mind I will ask about but any other ideas for other
approaches'd be welcome of course.

I've an applet which provides some information for putting on a web
page. It needs to be an applet as it's whole purpose is to obtain some
information from the local machine

Common term for "computer", usually when considered at the
	hardware level.  The {Turing Machine}, an early example of
	this usage, was however neither hardware nor software, but
	only an idea.

	[Earlier use?]

	(1995-02-15)

and put it on a web page with other
information. The information I need is on file

<file system> An element of data storage in a {file system}.

	The history of computing is rich in varied kinds of files and
	{file systems}, whether ornate (e.g., {Macintosh file system}
	for a well-known case) or deficient (e.g., many simple
	pre-1980s file systems don't allow {directories}).

	However, the prototypical file has these characteristics:

	* It is a single sequence of bytes (but consider {Macintosh}
	{resource forks}).

	* It has a finite length, unlike, e.g. a {Unix} {device}.

	* It is stored in a {non-volatile storage} medium (but see
	{ramdrive}).

	* It exists (nominally) in a {directory}.

	* It has a name that it can be referred to by in file
	operations, possibly in combination with its {path}.

	Additionally, a file system may associate other information
	with a file, such as {permission} bits or other {file
	attributes}; timestamps for file creation, last revision, and
	last access; revision numbers (a` la VMS), and other kinds of
	{magic}.

	Compare: {document}.

	(1997-04-08)

s on the user's machines
so in order to read them this needs to be a signed applet. Now, this is
just a private web page thing for a close group

A group G is a non-empty {set} upon which a {binary} operator
	* is defined with the following properties for all a,b,c in G:

	  Closure:     G is closed under *,  a*b in G
	  Associative: * is associative on G, (a*b)*c = a*(b*c)
	  Identity:    There is an identity element  e  such that
		       a*e = e*a = a.
	  Inverse:     Every element has a unique inverse a' such that
		       a * a' = a' * a = e.  The inverse is usually
		       written with a superscript -1.

	(1998-10-03)

of users who are known
to me. They were previously happy run

<operating system, programming> The process of carrying out
	the {instructions} in a computer program by a computer.

	See also {dry run}.

	(1996-05-13)

ning an .exe supplied by me so the
security implications of running a signed applet aren't really
relevent - they will be happy to do so.

But because this is a private thing I do not have any money to spend on
it so getting a "real" code

<software> Instructions for a computer in some programming
	language, often {machine language}.  The word "code" is often
	used to distinguish instructions from {data} (e.g. "The code
	is marked 'read-only'") whereas "{software}" is used in
	contrast with "{hardware}" and may consist of more than just
	code.

	(2000-04-08)

siging certificate is out of the question
(Unless someone knows where I can get one for much less that the cost
that verisign etc charge...) so I'm using a self signed certificate. I
do not see this as a problem in itself in any way except that the applet
is supposed to blend into the web page and when it's run the dialog
saying it's a signed applet, and questioning the signers identity comes
up. Fair enough.. I can tell the users to check the certificate and
click

<hardware> To press and release a {button} on a {mouse} or
	other {pointing device}.  This generates an {event}, also
	specifying the screen position, which is processed by the
	{window manager} or {application program}.  On a mouse with
	more than one button, the unqualified term usually implies
	pressing the left-most button (with the right index finger),
	other buttons would be qualified, e.g. "{right-click}".
	{Keyboard} modifiers may also be used, e.g. "shift-click",
	meaning to hold down the shift key on the keyboard while
	clicking the mouse button.

	If the mouse moves while the button is pressed then this is a
	{drag}.

	(1995-03-14)

the accept

<library, networking> {Berkeley} {Unix} networking {socket}
	library routine to satisfy a connection request from a remote
	{host}.  A specified socket on the local host (which must be
	capable of accepting the connection) is connected to the
	requesting socket on the remote host.  The remote socket's
	socket address is returned.

	{Unix manual pages}: accept(2), connect(2).

	(1994-11-08)

anyway button. But it destroys the look of the website
with a dialog box. I can tell the users to click on the always accept
this certificate checkbox and then everyone is happy, it'll no longer
ask them when they run the application

1. {application program}.

	2. {function application}.

in future.

Okay, so my question - I'd like to be able to do one of two things...
1) Write an applet which installs the certificate into the trusted
certificates list. It'd very clearly prompt the user and tell them
what it was doing and of course would've to be signed in the first
place to make this possible I image.
2) Detect if the certificate is already trusted. I'd ideally like to be
able to do this from an unsigned applet so that I can redirect the user
to a page of instructions if the certificate is not trusted without
exposing them to a whole lot of popup warnings.

The first option

<software> (Or "option", "flag", "switch", "option switch") An
	argument to a command that modifies its function rather than
	providing data.  Options generally start with "-" in {Unix} or
	"/" in {MS-DOS}.  This is usually followed by a single letter
	or occasionally a digit.

	Some commands require each option to be a separate argument,
	introduced by a new "-" or "/", others allow multiple option
	letters to be concatenated into a single argument with a
	single "-" or "/", e.g. "ls -al".  A few Unix commands
	(e.g. {ar}, {tar}) allow the "-" to be omitted.  Some options
	may or must be followed by a value, e.g. "cc prog.c -o prog",
	sometimes with and sometimes without an intervening space.

	{getopt} and {getopts} are commands for parsing command line
	options.  There is also a {C} library routine called getopt
	for the same purpose.

	(1996-12-11)

I'm sure is possible - but I can not seem to find any
java API

<programming> (API, or "application programming interface")
	The interface (calling conventions) by which an {application
	program} accesses {operating system} and other services.  An
	API is defined at {source code} level and provides a level of
	{abstraction} between the application and the {kernel} (or
	other privileged utilities) to ensure the {portability} of the
	code.

	An API can also provide an interface between a {high level
	language} and lower level utilities and services which were
	written without consideration for the {calling conventions}
	supported by compiled languages.  In this case, the API's main
	task may be the translation of parameter lists from one format
	to another and the interpretation of {call-by-value} and
	{call-by-reference} arguments in one or both directions.

	(1995-02-15)

(application programming

1. The art of debugging a blank sheet of paper (or, in these
	days of on-line editing, the art of debugging an empty file).

	2. A pastime similar to banging one's head against a wall, but
	with fewer opportunities for reward.

	3. The most fun you can have with your clothes on (although
	clothes are not mandatory).

	[{Jargon File}]

	(2003-02-12)

interface)to add a trusted certificate to the store

[probably from "main store"] In some varieties of Commonwealth
	hackish, the preferred synonym for {core}.  Thus, "bringing a
	program into store" means not that one is returning
	shrink-wrapped software but that a program is being {swap}ped
	in.

	[{Jargon File}]

that the browser
uses. Can someone point

1. <unit, text> (Sometimes abbreviated "pt") The unit of
	length used in {typography} to specify text character height,
	{rule} width, and other small measurements.

	There are six slightly different definitions: {Truchet point},
	{Didot point}, {ATA point}, {TeX point}, {Postscript point},
	and {IN point}.

	In Europe, the most commonly used is Didot and in the US, the
	formerly standard ATA point has essentially been replaced by
	the PostScript point due to the demise of traditional
	typesetting systems and rise of desktop computer based systems
	running software such as {QuarkXPress}, {Adobe InDesign} and
	{Adobe Pagemaker}.

	There are 20 {twips} in a point and 12 points in a {pica}
	(known as a "Cicero" in the Didot system).

	{Different point systems
	(http://www.vakcer.com/oberon/dtp/fonts/point.htm)}.

	(2004-12-23)

	2. <hardware> To move a {pointing device} so that the
	on-screen pointer is positioned over a certain object on the
	screen such as a {button} in a {graphical user interface}.  In
	most {window systems} it is then necessary to {click} a
	(physical) button on the pointing device to activate or select
	the object.  In some systems, just pointing to an object is
	known as "mouse-over" {event} which may cause some help text
	(called a "tool tip" in {Windows}) to be displayed.

	(2001-05-21)

me in the right direction, if there is such an
API.
The second one I do not really think is possible, I'd almost hope that
an unsigned applet would not be able to find out what cewrtificates the
user trusts, but it'd make life easier for me.

Sorry for the long question, I hope someone can help, or suggest an
alternative approach.
Thank you for reading :)

From: sgoo

Date: Friday, November 24, 2006

I do not exactly know which keystore in JAVA is used to store the
trusted certificate. It may be the cacerts file inside lib/securty of
the JRE

<language> (JRE) The part of the {Java Development Kit}
	required to run Java programs.  The JRE consists of the {Java
	Virtual Machine}, the {Java} platform core {classes} and
	supporting files.  It does not include the compiler, debugger
	or other tools present in the JDK.  The JRE is the smallest
	set of executables and files that constitute the standard Java
	platform.

	(1998-11-30)

, or somewhere inside the .JAVA directory

<file system> A node in a hierarchical {file system} which
	contains zero or more other nodes - generally, {files} or
	other directories.

	Compare {folder}.

	(1997-04-10)

in your home
directory. You may find it out through some experiments.

When you locate the file. I believe you can use the KeyStore API (application programming interface)to
open it and insert you cert and save it back. In order to load

1. To copy {data} (often {program} {code} to be {run}) into
	{memory}, possibly {parsing} it somehow in the process.
	E.g. "{WordPerfect} can't load this {RTF} file - are you sure
	it didn't get corrupted in the {download}?"  Opposite of
	{save}.

	2. The degree to which a computer, {network}, or other
	resource is used, sometimes expressed as a percentage of the
	maximum available.  E.g. "What kind of CPU load does that
	program give?", "The network's constantly running at 100%
	load".  Sometimes used, by extension, to mean "to increase the
	level of use of a resource".  E.g. "Loading a spreadsheet
	really loads the CPU".  See also: {load balancing}.

	3. To {install} a piece of {software} onto a system.
	E.g. "The computer guy is gonna come load Excel on my laptop
	for me".  This usage is widely considered to be incorrect.

	(2002-07-02)

the
certificate, I think you can create a CertificateFactory and load the
cert from a stream. Read
http://JAVAalmanac.com/egs/JAVA.security.cert/ImportCert.html for
details.

Most keystores inside JRE have either an empty password

<security> An arbitrary string of characters chosen by a user
	or {system administrator} and used to authenticate the user
	when he attempts to log on, in order to prevent unauthorised
	access to his account.

	A favourite activity among unimaginative {computer nerds} and
	{crackers} is writing programs which attempt to discover
	passwords by using lists of commonly chosen passwords such as
	people's names (spelled forward or backward).  It is
	recommended that to defeat such methods passwords use a
	mixture of upper and lower case letters or digits and avoid
	proper names and real words.  If you have trouble remembering
	random strings of characters, make up an acronym like
	"ihGr8trmP" ("I have great trouble remembering my password").

	(1994-10-27)

or something
like "changeit".

Goo

Next Message: Unique JVM / system_specific number

Blogs related to Adding certificate to trusted certificates using an applet?

Citrix and Mac OS X, go together like... well, not so great at first
So here, if you are in Bermuda and using Citrix with a Quo Vadis certificate, and your Mac Citrix client is talking smack, try this (oh yeah, and it has to be in FireFox): 1) Go to http://www.quovadis.bm/root/ and scroll to the part ...

ActivCard Debuts Enterprise Access Solutions for Single Sign-On ...
oLeverages existing digital identity infrastructures through open standards support of leading directories, certificate authorities, building access systems, and provisioning systems oProvides unparalleled security for trusted, ...

Setting up Apache Tomcat and a Simple Apache SOAP Client for SSL ...
Importing your new certificate from the CA's Using Keytool. (after importing server's cert as trusted CA cert) keytool -import {-alias alias} {-file cert_file} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass ...

Carriers Abuse Java ME Signing
In summary, signing a single application with one certificate costs hundreds of dollars per year. There's no one certificate that works on all phones and carriers. To get the certificate required for some phones the app must also be ...

RE: Charting Plugin Pending feature (updated)
Bug, JDB-108, Can't connect to jira over https with self signed certificate, Eugene Kuleshov, Resolved. Bug, JDB-107, JiraServerFacade.validateServerAndCredentials() does not allow to see error details, Eugene Kuleshov, Resolved ...

Re: LDAP login problem
For SSL to work, > the name you use must match the in the certificate issued ... installed under Personal Certificates and Trusted Root Certification ... Need to mention that this > >> >> > was > >> >> > tested using JXplorer java app. ...