Wednesday, April 25, 2007

How to sign a J2ME midlet with a Verisign code signing certificate using EclipseME

Get a code signing certificate
This can be from Verisign. The certificates issued by Verisign have the special "feature" that they are issued by an intermediate certificate authority. The certificate of the intermediate CA is unknown to your phone and thus the signature verification fails :-(
The following steps describe one way to make it succeed.

Configuring Eclipse to sign your midlet

See also: http://eclipseme.org/docs/refSigning.html

- Open the project properties and select J2ME. Check the box "sign midlet" and enter the path to your keystore and the alias of the key.

Up to here everything is well documented in various places on the web.
Chapter 4.3 of MIDP_2_0_Signed_MIDlet_Developers_Guide_v2_0_en.pdf.html talks about intermediate certificates.

Now for the not so well documented issues

- Open the jad file in Eclipse

Select the "optional properties" tab to enter the "midlet permissions".
In my example these are "javax.microedition.io.Connector.serversocket"

Now the essential bit. Open the user defined tab and create a new entry named "MIDlet-Certificate-1-2". The value is the intermediate certificate (in one line and without the "-----BEGIN CERTIFICATE-----" and the "-----END CERTIFICATE-----").




In the Verisign case you can obtain the intermediate certificate from here: http://www.verisign.com/support/verisign-intermediate-ca/code-signing-intermediate/index.html



The resulting jad file should look something like this:
MIDlet-1: ServerSocket,,ServerSocketTest
MIDlet-Certificate-1-1: MIIE1jCCA76gAwIBAgIQG5t/GM10hgvEMeYewFYfOzANBgkqhkiG9w0BAQUFADCBtDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNDEuMCwGA1UEAxMlVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAwNCBDQTAeFw0wNzAzMTYwMDAwMDBaFw0wODAzMTUyMzU5NTlaMIGnMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xKzApBgNVBAoUIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHDAaBgNVBAsUE1N5c3RlbXMgSW50ZWdyYXRpb24xKzApBgNVBAMUIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK0FJv9g3xIFUFYMSZ7wfrX3N+X4UHlrWVDsdKQ3DJ2tXdnY9OaocSMp4lb5UqjPZxQvHUo5ogJs8jgSB2yp5OWH6DCYfIR6rxxuKI5evNhOwX3nuoyd5L/S2NmPHLig384XdPKjFBSjZUbOpWvofHMwcRvs380LdUe2K99hnuEHAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vQ1NDMy0yMDA0LWNybC52ZXJpc2lnbi5jb20vQ1NDMy0yMDA0LmNybDBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMDMHUGCCsGAQUFBwEBBGkwZzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMD8GCCsGAQUFBzAChjNodHRwOi8vQ1NDMy0yMDA0LWFpYS52ZXJpc2lnbi5jb20vQ1NDMy0yMDA0LWFpYS5jZXIwHwYDVR0jBBgwFoAUCPVR6Pv+PT1kNnxoz1t4qN+5xTcwEQYJYIZIAYb4QgEBBAQDAgQQMA0GCSqGSIb3DQEBBQUAA4IBAQBGd+ZCppyQvEPvedj7FMl/nwUa/alEsr8XdOP1MzaueUsZeUAykg1uGow9Cey4pbw7NNTg1C8nKHvf652gSixMJjsESpfXqbkSRnPNZl/bu4zm8yWcg1G89ZaxndKqLdr+ww5jmHCsQyRh6Nurj6bTZNtXGdo2VMFpUWqZbCZjD0PsQa4ObZuyoIC4UTy2oTl3paKJhsaoBZLD/P2v6X6+R34GU/dz0QaT1ChlrwMrWJXYCLb4eL1YSIu44r7u5yKhLZBCWFGgDpZjh8tWJihOrq93tWE+yoO9c4eabNT8d3T4stxUo82pN140om64bgVU6Y8A6ZhrLJ5C/Fzqfdf+
MIDlet-Certificate-1-2: MIIEvzCCBCigAwIBAgIQQZGhWjl4389JZWY4HUx1wjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNzE2MDAwMDAwWhcNMTQwNzE1MjM1OTU5WjCBtDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNDEuMCwGA1UEAxMlVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAwNCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL687rx+74Pr4DdP+wMQOL4I0ox9nfqSfxkMwmvuQlKM3tMcSBMl6sFjevlRZe7Tqjv18JScK/vyZtQk2vf1n24ZOTa80KN2CB4iJyRsOJEn4oRJrhuKof0lgiwQMOhxqyjod0pR8ezN+PBU1G/A420Kj9nYZI1jsi1OJ/aFDv5t4ymZ4oVHfC2Gf+hXj61nwjMykRMg/KkjFJptwoRLdmgE1XEsXSH6iA0m/R8tkSvnAVVN8m01KILf2WtcttbZqoH9X82DumOd0CL8qTtCabKOOrW8tJ4PXsTqLIKLKP1TCJbdtQEg0fmlGOfA7lFwN+G2BUhSSG846sPobHtEhLsCAwEAAaOCAaAwggGcMBIGA1UdEwEB/wQIMAYBAf8CAQAwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDAzAOBgNVHQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgABMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS00MzAdBgNVHQ4EFgQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCuOhe4SntV+mRV7ECk7UlBkJmcibyvLh3KeCP5HBkPf+tovDLZiDje3D/TibQ/sYKW8aRauu0uJtPefAFuAAoApAaSEUgJQPkcGHlnIyTgu9XhUK4b9Q7d4C6BzYCjbFJPkXVViroi8tLqQXWIL2NVfR5UWpVZytk0gcBfXvZ6tQ==
MIDlet-Jar-RSA-SHA1: kR0z1GiL6cZ7D+cQSjVYpI2zT5IGpOGZ6FVEF2VnVOwwVm+aQywWZkKDxKB6IgoiCcnqCqD7fTAAyHhrMvcqzW5CHpJ3uvmwvXhTdKRhBRWtra4C0e+lzBSzmD6ET+8bZaweFjmp4uxzGzH/0YMFnJFzrzLcYa0R1jDz01xANG4=
MIDlet-Jar-Size: 4334
MIDlet-Jar-URL: ServerSocketTest.jar
MIDlet-Name: ServerSocket
MIDlet-Permissions: javax.microedition.io.Connector.serversocket
MIDlet-Vendor: T-Systems Enterprise Services GmbH
MIDlet-Version: 1.0.9
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0




Now signing your midlet should work and the phone should be able to verify the signature.
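The manual step above (strip the PEM markers, join the certificate into one line, add it as the next "MIDlet-Certificate-1-n" entry) can also be scripted. The following is an added example, not part of the original post or of EclipseME; the function names and the sample data are assumptions made for illustration, and the sample bytes are placeholders, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ATTR_RE = re.compile(r"^MIDlet-Certificate-(\d+)-(\d+):", re.M)


def pem_to_jad_value(pem_text):
    """Return the certificate body as one base64 line, without the PEM markers."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())        # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)    # rejects non-base64 characters
    if not der.startswith(b"\x30"):                # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded data is not a DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")


def add_chain_cert(jad_text, pem_text, path=1):
    """Append the certificate as the next MIDlet-Certificate-<path>-<n> attribute."""
    used = [int(n) for p, n in ATTR_RE.findall(jad_text) if int(p) == path]
    if 1 not in used:
        # The signing certificate must already be entry 1 of this chain.
        raise ValueError("MIDlet-Certificate-%d-1 is missing" % path)
    index = max(used) + 1
    value = pem_to_jad_value(pem_text)
    return "%s\nMIDlet-Certificate-%d-%d: %s\n" % (
        jad_text.rstrip("\n"), path, index, value)


# Constructed sample data: placeholder bytes, not real certificates.
FAKE_DER = b"\x30\x82\x00\x60" + bytes(range(96))
_B64 = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_JAD = ("MIDlet-Certificate-1-1: MAMCAQE=\n"
              "MIDlet-Name: ServerSocket\n")

if __name__ == "__main__":
    print(add_chain_cert(SAMPLE_JAD, SAMPLE_PEM))
```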