Date: Wed, 4 Jun 1997 10:45:28 -0700
Message-Id: <199706041745.KAA28439@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: lepperb@diebold.com
Subject: Re: Individual Signed Class files

Hi Brad,

I don't answer personal mail but I try to answer some questions that
come to the java-security alias, for the purpose of building the Q&A
archive at
http://jserv.javasoft.com/hypermail/java-security-archive/index.html

To answer your questions:
1.
Yes, in JDK 1.1, JDK 1.1.1 and JDK 1.1.2, to distribute
a signed class, you should put it into a JAR file, and
then sign the JAR file.
This is clearly something that everyone in the industry
is working on a lot, and, so, expect that this will
evolve over time.
2.
I don't know how to help you debug your particular problem
with RMI. Unfortunately I have not played with RMI a lot
yet myself so I am not familiar with the ins and outs of
that. It sounds like you should be able to do what you
are trying to do (let your class listen on a port that
ordinarily it is not allowed to listen on.)

Marianne

> Date: Tue, 3 Jun 97 16:45:18 EDT
> X-Priority: 3 (Normal)
> From: "Brad Lepper" <lepperb@diebold.com>
> X-Incognito-Sn: 1376
> X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
>
> Hi,
>
> If mailing you directly is a huge inconvenience, please tell me (and forgive
> me) and I will post this question to the security users-list. I have been
> reading the FAQs and you seem to know everything there is to know about
> applet signing.
>
> >From: Marianne Mueller mrm@eng.sun.com
> >To: eich@wor.de
> >Subject: Re: JAR: Archive Signing Scheme
> >
> >> Is it correct, that the Java virtual machine (of the browser) checks
> >>every class, before executing any network loaded code?
> >
> >No, the JVM is not presently checking for signature of objects. That
> >is, the JVM is not dynamically checking for signatures of classes,
> >when it loads a class.
> >
> >Instead, what happens now is this. You create a signed archive, and
> >distribute it as a jar file.
>
> Does this mean that any trusted classes used by an applet MUST be in
> a JAR file?
>
> That is my simple question. Following is a reason why I am asking this
> question. It is kind of a long story so you may want to ignore it.
>
> I am writing an applet that creates RMI Server classes. These RMI Server
> classes listen for connections from an application on the host machine.
> This means that these RMI Server classes must listen to a local port on
> the host machine. Since listening to a local port is an "out of the sandbox"
> operation, I want these RMI Server classes to be signed.
>
> When I download the unsigned version of my applet to the host machine
> with the HotJava Browser it gives me a warning when my RMI Server
> classes start listening to the port, but everything else works fine after I
> manually OK permission for the applet to listen to that port.
>
> When I put all of the applet classes into a JAR file and sign it, I get a
> class not found exception on my RMI Server Stub classes when the
> applet tries to create the RMI Server classes. I have submitted this
> problem to the RMI-users list but haven't received any help.
>
> If you have read this far I greatly appreciate the time you have spent,
> and I hope that you would be kind enough to help me with my problem.
> Any suggestions or clues would be very helpful.
>
> Thank you again,
>
> ------------------------------------------------------------------------------
> Brad Q. Lepper work e-mail: lepperb@diebold.com
> (330)496-5964 home e-mail: brad@2-cool.com, or lepper@cannet.com
> ------------------------------------------------------------------------------
>