Re: Multiple signing of applets

Jan Luehe (luehe@laguna.eng.sun.com)
Wed, 14 Oct 1998 17:34:19 -0700 (PDT)

Matt:

(All the following statements refer to JDK 1.2. I am pretty
sure they also apply to JDK 1.1.7, but I have not verified it
yet.)

> Is it possible to sign one jar-file with several different certificates/
> signatures?

Yes.

> Is the number of applied certificates/signatures limited per file?

No.

> For Example:
>
> 1. Sign it with a Certificate for use with the Java Plug-in (using Sun's
> signing tool "javakey").
>
> and...
>
> 2. Sign the SAME jar-file with a second Certificate for use with the
> Netscape Java VM (using Netscape's signing tool).
>
> Doing this, would it then be possible to switch between Java
> Plug-in or Netscape VM using the appropriate certificate
> (by creating two different Links using the different HTML-Tags
> "Applet" and "Embed")?
>
> Would the first certificate be overwritten? Or, can both coexist and
> therefore be recognised and read from the appropriate runtime
> environment (either JavaPlug-in or Netscape Communicator VM)?

All signers and their corresponding certificate chains coexist.

Here's an example of a JAR file (containing a single class file)
signed by 2 signers "susan" and "stella":

jar -tvf dummy.jar
145 Tue Oct 13 14:12:22 PDT 1998 META-INF/MANIFEST.MF
198 Wed Oct 14 17:26:46 PDT 1998 META-INF/STELLA.SF
554 Wed Oct 14 17:26:46 PDT 1998 META-INF/STELLA.DSA
198 Tue Oct 13 14:12:32 PDT 1998 META-INF/MYKEY.SF
552 Tue Oct 13 14:12:32 PDT 1998 META-INF/MYKEY.DSA
0 Tue Oct 13 14:09:56 PDT 1998 META-INF/
454 Fri Oct 09 16:52:22 PDT 1998 dummy.class

Note that we create a separate PKCS#7 (or ".DSA") file for each signer.
The standard allows storing all signers in the same PKCS#7 file.

After the dummy class has been loaded from the JAR file, both signers
and their certs are associated with it.


> How can I create an empty identitydb.obj file? Or, where can I get
> it?

I don't think you can create an empty one. It always creates
a signer or an identity:

laguna{luehe}392: javakey -create
legal options for create:
no arguments <name> {trusted} create a new identity.
s <name> {trusted} create a new signer.

illegal arguments to create

Jan
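
Added example, not part of the message above and not code from Sun or Netscape: it lists the signers present in a JAR by pairing each META-INF/*.SF file with its signature block file, using the entry names from the dummy.jar listing. The .RSA and .EC extensions, the function names and the placeholder file contents are assumptions; it inspects the archive layout only and validates no signature.

```python
import io
import zipfile
from pathlib import PurePosixPath

# .DSA is the extension in the message; .RSA and .EC are the other signature
# block extensions from the JAR specification (assumption beyond the message).
BLOCK_EXTS = {".DSA", ".RSA", ".EC"}

# Entry names from the dummy.jar listing in the message.
PAGE_ENTRIES = [
    "META-INF/MANIFEST.MF", "META-INF/STELLA.SF", "META-INF/STELLA.DSA",
    "META-INF/MYKEY.SF", "META-INF/MYKEY.DSA", "META-INF/", "dummy.class",
]

def build_jar(names):
    """Build a constructed JAR in memory; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"" if name.endswith("/") else b"placeholder")
    return buf.getvalue()

def list_signers(jar_bytes):
    """Map each signer base name to its .SF file and signature block file."""
    sf, blocks = {}, {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            p = PurePosixPath(name)
            # Only files directly inside META-INF/ count as signature files.
            if len(p.parts) != 2 or p.parts[0].upper() != "META-INF":
                continue
            stem, ext = p.stem.upper(), p.suffix.upper()
            if ext == ".SF":
                sf[stem] = name
            elif ext in BLOCK_EXTS:
                blocks[stem] = name
    # A signer is complete only when both of its files are present.
    return {
        stem: {"sf": sf.get(stem), "block": blocks.get(stem),
               "complete": stem in sf and stem in blocks}
        for stem in sorted(set(sf) | set(blocks))
    }

if __name__ == "__main__":
    for signer, info in list_signers(build_jar(PAGE_ENTRIES)).items():
        print(signer, info)
```

A signer reported with "complete" False has an .SF file without a matching signature block file (or the reverse), which is worth checking before trusting the archive's signer list.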