whose validity can be traced back to a root certification authority, the
uppermost CA in the hierarchy, also known as the trust anchor. In this
case the root certificate on the device (the trust root) belongs to the root
certification authority in the hierarchy (the trust anchor) which directly
or indirectly validates all the other CAs in the certification path. The
certificate supplied with the signed JAR file does not need to be validated
(signed) by the trust anchor whose certificate is supplied with the device,
as long as a valid certification path can be established between the
certificate accompanying the signed JAR file and the root CA. It is not
actually necessary for a device to have various self-signed top-level
certificates from CAs, manufacturers and operators installed. In practice,
it only needs access to one or more certificates which are known to be
trustworthy, for example, because they are in ROM or secure storage on
a WIM/SIM, or because the user has decided that they are.
These certificates act as trust roots. If the authentication of an arbitrary
certificate chains back to a trust root known to the device, and the trust
root is also identified as being suitable for authenticating certificates
being used for a given purpose, for example, code-signing, website
identification, and so on, then the arbitrary certificate is considered to
have been authenticated.

2.5.3 Signing a MIDlet Suite

To sign a MIDlet suite, a supplier must create a public-private key
pair and sign the MIDlet JAR file with the private key. The JAR file is
signed using the RSA-SHA1 algorithm. The resulting signature is encoded
in Base64 format and inserted into the application descriptor as the
following attribute:
MIDlet-Jar-RSA-SHA1: <base64 encoding of JAR signature>
The supplier must obtain a suitable MIDlet suite code-signing certificate
from an appropriate source, for example, the developer program of
a device manufacturer or network operator, containing the identity of the
supplier and the supplier's public key. The certificate is incorporated into
the MIDlet suite's application descriptor (JAD) file.
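
The signing step described above, together with the matching check on the receiving side, as an added example that is not code from the book. Class and method names are hypothetical, the key pair and JAR bytes are constructed, and the public key is passed in directly where a device would take it from the certificate in the descriptor.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added example: hypothetical names, constructed data.
public class JadSignatureDemo {
    static final String ATTR = "MIDlet-Jar-RSA-SHA1";

    // Supplier side: sign the whole JAR with RSA-SHA1, return the descriptor line.
    static String signJar(byte[] jar, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(key);
        s.update(jar);
        return ATTR + ": " + Base64.getEncoder().encodeToString(s.sign());
    }

    // Device side: locate the attribute in the descriptor and verify it over the JAR bytes.
    static boolean verifyJar(String jad, byte[] jar, PublicKey key) throws GeneralSecurityException {
        for (String line : jad.split("\\r?\\n")) {
            int colon = line.indexOf(':');
            if (colon < 0 || !line.substring(0, colon).trim().equals(ATTR)) continue;
            byte[] sig;
            try {
                sig = Base64.getDecoder().decode(line.substring(colon + 1).trim());
            } catch (IllegalArgumentException e) {
                return false; // malformed Base64 is treated as an invalid signature
            }
            Signature s = Signature.getInstance("SHA1withRSA");
            s.initVerify(key);
            s.update(jar);
            try { return s.verify(sig); } catch (SignatureException e) { return false; }
        }
        return false; // no signature attribute: the suite is unsigned
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed key pair
        byte[] jar = "constructed stand-in for JAR bytes".getBytes(StandardCharsets.UTF_8);
        String jad = "MIDlet-Name: Demo\nMIDlet-Version: 1.0\n" + signJar(jar, kp.getPrivate());
        System.out.println("untouched JAR verifies: " + verifyJar(jad, jar, kp.getPublic()));
        jar[0] ^= 1; // flip one bit of the JAR after signing
        System.out.println("modified JAR verifies: " + verifyJar(jad, jar, kp.getPublic()));
        System.out.println("unsigned JAD verifies: " + verifyJar("MIDlet-Name: Demo", jar, kp.getPublic()));
    }
}
```

The signature covers the JAR bytes only, so the descriptor can carry it without the JAR having to contain its own signature.
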
In the case of a certification path, we need to include all the necessary
certificates required to validate the JAR file. Furthermore, a MIDlet suite
may include several certification paths in the application descriptor file
(if, for example, the MIDlet suite supplier wishes to target several device
types, each with a different root certificate). In Figure 2.13, we need
to include certificates containing the public keys belonging to CA 1,