Wednesday, April 25, 2007

How to sign a J2ME midlet with a Verisign code signing certificate using EclipseME

Get a code signing certificate
This can be from Verisign. The certificates issued by Verisign have the special "feature" that they are issued by an intermediate certificate authority. The certificate of the intermediate CA is unknown to your phone and thus the signature verification fails :-(
The following steps describe one way to make it succeed.

Configuring Eclipse to sign your midlet

See also: http://eclipseme.org/docs/refSigning.html

- Open the project properties and select j2me. Check the box "sign midlet" and enter the path to your keystore and the alias of the key.

Up to here everything is well documented in various places on the web.
MIDP_2_0_Signed_MIDlet_Developers_Guide_v2_0_en.pdf.html
Chapter 4.3 talks about intermediate certificates.

Now for the not so well documented issues

- Open the jad file in Eclipse

Select the "optional properties" tab to enter the "midlet permissions".
In my example these are "javax.microedition.io.Connector.serversocket"

Now the essential bit. Open the user defined tab and create a new entry named "MIDlet-Certificate-1-2". The value is the intermediate certificate (in one line and without the "-----BEGIN CERTIFICATE-----" and the "-----END CERTIFICATE-----").




In the Verisign case you can obtain the intermediate certificate from here: http://www.verisign.com/support/verisign-intermediate-ca/code-signing-intermediate/index.html



The resulting jad file should look something like this:
MIDlet-1: ServerSocket,,ServerSocketTest
MIDlet-Certificate-1-1: <your code signing certificate, base64 in one line>
MIDlet-Certificate-1-2: <the intermediate CA certificate, base64 in one line>
MIDlet-Jar-RSA-SHA1: kR0z1GiL6cZ7D+cQSjVYpI2zT5IGpOGZ6FVEF2VnVOwwVm+aQywWZkKDxKB6IgoiCcnqCqD7fTAAyHhrMvcqzW5CHpJ3uvmwvXhTdKRhBRWtra4C0e+lzBSzmD6ET+8bZaweFjmp4uxzGzH/0YMFnJFzrzLcYa0R1jDz01xANG4=
MIDlet-Jar-Size: 4334
MIDlet-Jar-URL: ServerSocketTest.jar
MIDlet-Name: ServerSocket
MIDlet-Permissions: javax.microedition.io.Connector.serversocket
MIDlet-Vendor: T-Systems Enterprise Services GmbH
MIDlet-Version: 1.0.9
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0




Now signing your midlet should work and the phone should be able to verify the signature.
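
The manual step above (strip the BEGIN/END lines, join the base64 into one line, add it as "MIDlet-Certificate-1-2") can be scripted. The following Python sketch is an added example, not part of the original post or of EclipseME; the function names and the sample data are assumptions made for illustration, and it also checks that the chain positions in the jad file run 1, 2, ... without a gap.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_jad_value(pem_text):
    """Return the certificate body as one base64 line, PEM armor removed."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    one_line = "".join(match.group(1).split())
    der = base64.b64decode(one_line, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:  # a certificate is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded data is not a DER SEQUENCE")
    return one_line

def set_chain_cert(jad_text, path, position, value):
    """Set MIDlet-Certificate-<path>-<position>, replacing any existing entry."""
    key = "MIDlet-Certificate-%d-%d" % (path, position)
    kept = [line for line in jad_text.splitlines()
            if line.strip() and not line.startswith(key + ":")]
    kept.append("%s: %s" % (key, value))
    return "\n".join(kept) + "\n"

def missing_positions(jad_text, path):
    """List the gaps in a chain; positions must run 1, 2, ... without holes."""
    pattern = r"^MIDlet-Certificate-%d-(\d+):" % path
    found = {int(n) for n in re.findall(pattern, jad_text, re.M)}
    return [i for i in range(1, max(found, default=0) + 1) if i not in found]

# Constructed sample data: 100 bytes that only look like DER, not a real certificate.
FAKE_DER = b"\x30\x82\x00\x60" + bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_JAD = ("MIDlet-Name: ServerSocket\n"
              "MIDlet-Certificate-1-1: " + base64.b64encode(FAKE_DER).decode() + "\n"
              "MIDlet-Jar-URL: ServerSocketTest.jar\n")

if __name__ == "__main__":
    value = pem_to_jad_value(SAMPLE_PEM)
    jad = set_chain_cert(SAMPLE_JAD, 1, 2, value)
    print(jad)
    print("missing chain positions:", missing_positions(jad, 1))
```

The MIDlet-Jar-RSA-SHA1 signature covers the jar file, so adding a certificate attribute to the jad file does not invalidate it.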

9 comments:

David said...

Would u mind to send me the cert of Verisign? Since I am a poor university student in Hong Kong, and I am currently working for the final year project about J2ME

my email address: wichan@cs.hku.hk

Andre Pinto said...

Hi, this tutorial did not work for me. When I try to install the jad file (placed in the same folder jar file is) the phone launches a message "Operation failed".

Axel Nennker said...

Hi Andre, please send more details to me by email.
a x e l @ n e n n k e r . d e
have fun,
Axel

Francis said...

I need a cert too T___T
my email is francispang@hotmail.com.

Can i have it also please. So expensive the certificate.

Harsh said...

Hi, me too require certificate, i have done the self-signed midlet. please send me the more info.

My Email: harshalpatil007@gmail.com

signal3 said...

dude... post your private key! ;-)

artemius said...

Are you guys crazy or what? Author wrote an article to help you all and you better say "thank you", instead of asking him to send you a Verisign certificate which is not free! Such kind of people just pisses me off... Are you from another planet or what?

gyan said...

Hey artemius

I would like to know the procedure to get a certificate
could u pls tell me.. and what is the cost to get that?

Br Gyan

Axel Nennker said...

http://www.thawte.com/code-signing/index.html
http://www.verisign.com/code-signing/index.html

Certum offered FREE certs to opensource projects in the past. I do not know whether they still do that: http://www.certum.eu/certum/cert,offer_code_signing.xml