31
MIDP
2.0 Security Model
119
Inserting Certificates into JAD
When inserting a certificate into a JAD, the certificate path includes the signer certificate
and any necessary certificates while omitting the root certificate. Root certificates will be
found on the device only.
Each certificate is encoded using base 64 without line breaks, and inserted into the
application descriptor as outlined below per MIDP 2.0.
MIDlet-Certificate-<n>-<m>: <base64 encoding of a certificate>
Note the following:
<n>
:=
a number equal to 1 for first certification path in the descriptor, or 1 greater than
the previous number for additional certification paths. This defines the sequence in which
the certificates are tested to see if the corresponding root certificate is on the device.
<m
>:= a number equal to 1 for the signer’s certificate in a certification path or 1 greater
than the previous number for any subsequent intermediate certificates.
Creating the RSA SHA-1 signature of the JAR
The signature of the JAR is created with the signer’s private key according to the EMSA-
PKCS1 –v1_5 encoding method of PKCS #1 version 2.0 standard from RFC 2437. The
signature is base64 encoded and formatted as a single MIDlet-Jar-RSA-SHA1 attribute
without line breaks and inserted into the JAD.
It will be noted that the signer of the MIDlet suite is responsible to its protection domain
root certificate owner for protecting the domain’s APIs and protected functions; therefore,
the signer will check the MIDlet suite before signing it. Protection domain root certificate
owners can delegate signing MIDlet suites to a third party and in some instances, the
author of the MIDlet.
Authenticating a MIDlet Suite
When a MIDlet suite is downloaded, the handset will check the JAD attribute MIDlet-Jar-
RSA-SHA1. If this attribute is present, the JAR will be authenticated by verifying the
signer certificates and JAR signature as described. MIDlet suites with application
descriptors that do not have the attributes previously stated will be installed and invoked
as untrusted. For additional information, refer to the MIDP 2.0 specification.
Verifying the Signer Certificate
The signer certificate will be found in the application descriptor of the MIDlet suite. The
process for verifying a Signer Certificate is outlined in the steps below:
1.
Get the certification path for the signer certificate from the JAD attributes MIDlet-
Certificate-1<m>, where <m> starts a 1 and is incremented by 1 until there is no