Sign of the Times

JDK 1.0 had an inflexible policy with regard to applets. An applet lived in the “sandbox” and was therefore prevented from doing anything really useful, like writing to the hard disk or making arbitrary socket connections. In JDK 1.1, it’s possible to create signed applets. This means that a client who has the signer’s certificate and trusts it can allow signed applets to run without the usual security restrictions. Two conditions must be met for this to happen:

  • The client needs to have installed the signer’s certificate using javakey.

  • The client software that hosts the applet needs to be JDK 1.1 compliant; it must be savvy about JAR files, and it must understand the new security features. As of this writing, only HotJava and appletviewer know anything about signed applets. Netscape and Microsoft will follow suit shortly.

You can use javakey to sign Java Archive (JAR) files. A JAR can contain many files. For example, you could bundle up all of the files needed for a particular applet, classes, graphics, and sound, into a JAR. When you sign an applet JAR, javakey adds a signature and one of the signer’s certificates to the JAR. See Appendix C, for a description of the jar utility, which creates JAR files.

As with certificate generation, applet signing requires a directive file. First, we need to specify who is signing the file:


Next, we tell javakey which of the signer’s certificates we want to include in the JAR. You also need to specify the chain depth, ...

Get Java Cryptography now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.