Java Reference
In-Depth Information
CA 1's public key
1683975610743
CA 2's public key
2092657883565
Supplier's public key
096365829672
Signed:
Root CA
<793639120>
Signed:
CA 1
<135932516>
Signed:
CA 2
<803457622>
jar file
<169032678>
Figure 2.13
Certification path
CA 2 and the Supplier. The root certification authority's certificate (the
root certificate) is available on the device. Using the root certification
authority's public key, we can validate CA 1's public key. This is then
used to validate CA 2's public key, which is then used to validate the
Supplier's public key. The Supplier's public key is then used to verify the
origin and integrity of the JAR file. The MIDP specification defines an
application descriptor attribute of the following format:
MIDlet-Certificate-<n>-<m>: <base64 encoding of a certificate>
represents the certification path and has a value of 1 for the
first certification path, with each additional certification path adding 1 to
the previous value (i.e. 1, 2, 3,
Here
<
n
>
). There may be several certification
paths, each leading to a different root CA.
...
has a value of 1 for the cer-
tificate belonging to the signer of the JAR file and a value 1 greater than the
previous value for each intermediate certificate in the certification path.
For the example shown in Figure 2.13, with just one certification path,
the relevant descriptor attribute entries would have the following content:
<
m
>
MIDlet-Certificate-1-1: <base64 encoding of Supplier's certificate>
MIDlet-Certificate-1-2: <base64 encoding of CA 2's certificate>
MIDlet-Certificate-1-3: <base64 encoding of CA 1's certificate>
2.5.4 Authenticating a Signed MIDlet Suite
Before a MIDlet suite is installed, the Application Management Software
(AMS) checks for the presence of the
MIDlet-Jar-RSA-SHA1
attribute
in the application descriptor and, if it is present, attempts to authenticate
the JAR file by verifying the signer certificate. If it is not possible to
successfully authenticate a signed MIDlet suite, it is not installed. If the
MIDlet suite descriptor file does not include the
MIDlet-Jar-RSA-
SHA1
attribute, then the MIDlet can only be installed as untrusted.
