
How to digitally sign a J2ME MIDlet for use with mobile devices

Problem

When trying to access a signed application on Nokia 6303 Classic and Nokia 5130 Express Music handsets (that is, handsets based on the S40 and S60 OS), the following errors appear:

S40
Error : No Valid Certificate ( or ) Certificate not on phone or SIM
S60
Error: Certificate Error : Contact the Application supplier

 

 

Solution

Before proceeding, it is assumed that you have already prepared a keystore containing the private key, code signing certificate and CA chain.

Your Java MIDlet consists of two files: a JAR file and a JAD file. The JAD file is a descriptor file that specifies information about your JAR file. The JAD file is the file that has to be signed with the certificate and distributed for installation, not the JAR file. When the Application is run, the JAR file is called automatically using the web location specified in MANIFEST attribute later described in this article.

Step 1: Add the certificate to the JAD file:

java -jar JadTool.jar -addcert -keystore <keystorename> -alias <aliasname> -storepass <password> -inputjad <input_jadfile> -outputjad <output_jadfile>


There is a lot going on here. We need to review each field value carefully:

  • <keystorename> - Specify its full path i.e. "C:\Program Files (x86)\Java\jdk1.6.0_18\bin\keystore.jks".
  • <aliasname> - The alias you specified during the creation of the keystore.
  • <password> - The password to your trust store.
  • <input_jadfile> - The location of your JAD ("C:\Users\moe\Desktop\App.jad").
  • <output_jadfile> - Tells the tool where to write the new JAD file. Give it a name slightly different from the one you are using now ("C:\Users\moe\Desktop\App 0.jad").


You should eventually end up with something that looks like this:

java -jar JadTool.jar -addcert -keystore "C:\Program Files (x86)\Java\jdk1.6.0_18\bin\keystore.jks" -alias testapp -storepass password -inputjad "C:\Users\moe\Desktop\App.jad" -outputjad "C:\Users\moe\Desktop\App 0.jad"


Step 2: Add signature of the JAR to JAD file:

Now that you have added the certificate to the JAD, you must add the signature to the JAD. The command is similar to the previous one; the main difference is that "-addcert" is replaced by "-addjarsig".

Note: Ensure when specifying the <input_jadfile> parameter that you point to the JAD file you just created ("C:\Users\moe\Desktop\App 0.jad") rather than the original. Give the <output_jadfile> parameter a new name, such as "C:\Users\moe\Desktop\App 1.jad".

java -jar jadtool.jar -addjarsig -jarfile "C:\Users\moe\Desktop\App.jar" -keystore "C:\Program Files (x86)\Java\jdk1.6.0_18\bin\keystore.jks" -alias testapp -storepass password -keypass password -inputjad "C:\Users\moe\Desktop\App 0.jad" -outputjad "C:\Users\moe\Desktop\App 1.jad"


Step 3: Verify that JAD is signed

You can verify that the JAD file was correctly signed by issuing the following command:

java -jar jadtool.jar -showcert -all -inputjad "C:\Users\moe\Desktop\App 1.jad"


Now that your application is signed, delete "App.jad" and "App 0.jad". Now rename "App 1.jad" to "App.jad".

Step 4: Compare MANIFEST entries

Check that the MANIFEST entries of JAD/JAR are the same.

  • To view the MANIFEST of the JAD, open the JAD file in a text editor such as Notepad or Notepad++.
  • Find the MANIFEST of the JAR file in the JAR archive "META-INF" directory (META-INF/MANIFEST.MF).


There is a predefined set of attributes to be used in every application descriptor. Here is an example:

MIDlet-1: MyMIDlet, MyMIDlet.png, MyMIDlet
MIDlet-Jar-Size: 24601
MIDlet-Jar-URL: App.jar
MIDlet-Name: MyMIDlet
MIDlet-Vendor: My Organization
MIDlet-Version: 1.0
MIDlet-Info-URL: http://www.domain.com/App.jar
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.1


What you're looking to do here is make sure the MANIFEST attributes match exactly for the JAD and the JAR.

Other things to note:

  1. For MIDlet-Jar-URL - be sure to include the complete internet path to the JAR file
  2. For MIDlet-Jar-Size - be sure the size is specified in bytes


Step 5: MANIFEST permissions

Permissions are not required for signing a MIDlet. However, for your code to function properly you may have permissions added in your MANIFEST. Be sure to verify the permissions with the device vendor to ensure compatibility and rule out any misconfiguration.

Again, any changes made need to be consistent in both the JAD and MANIFEST.MF files. See the sample MANIFEST with permissions below:

MIDlet-1: MyMIDlet, MyMIDlet.png, MyMIDlet
MIDlet-Jar-Size: 24601
MIDlet-Jar-URL: App.jar
MIDlet-Name: MyMIDlet
MIDlet-Vendor: My Organization
MIDlet-Version: 1.0
MIDlet-Info-URL: http://www.domain.com/App.jar
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.1
MIDlet-Permissions: javax.microedition.io.Connector.file.read, javax.microedition.io.Connector.http, javax.microedition.io.Connector.file.write, javax.microedition.io.Connector.https
MIDlet-Permissions-Opt: javax.wireless.messaging.sms.receive, javax.wireless.messaging.sms.send, javax.microedition.io.Connector.sms, javax.microedition.io.Connector.socket

 


If you see strange errors when trying to run the application, they may be due to a misconfiguration in your MANIFEST/JAD. Isolate the problem by removing one attribute at a time from your MANIFEST file, including MIDlet-Permissions, as these are not required as part of the digital signing process.
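The JAD/MANIFEST comparison from Steps 4 and 5 can be automated instead of done by eye. The following Python script is an added example, not part of the original article: it reads META-INF/MANIFEST.MF from the JAR, compares every MIDlet-* and MicroEdition-* attribute with the JAD, and checks MIDlet-Jar-Size against the JAR's real size in bytes. The function names and the sample data are constructed for illustration.

```python
import io
import zipfile

def parse_attrs(text):
    """Parse 'Name: value' lines; in MANIFEST.MF a leading space continues a value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            attrs[last] = value.lstrip()
    return {name: value.rstrip() for name, value in attrs.items()}

def check_jad_against_jar(jad_text, jar_bytes):
    """Return a list of inconsistencies; an empty list means JAD and JAR agree."""
    jad = parse_attrs(jad_text)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_attrs(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    problems = []
    if jad.get("MIDlet-Jar-Size") != str(len(jar_bytes)):  # exact size in bytes
        problems.append(f"MIDlet-Jar-Size {jad.get('MIDlet-Jar-Size')} != {len(jar_bytes)}")
    for name, value in sorted(manifest.items()):
        if not name.startswith(("MIDlet-", "MicroEdition-")):
            continue  # Manifest-Version, Created-By etc. never appear in a JAD
        if name not in jad:
            problems.append(f"{name} missing from JAD")
        elif jad[name] != value:
            problems.append(f"{name}: JAD {jad[name]!r} != MANIFEST {value!r}")
    return problems

# Constructed sample: a one-entry JAR built in memory and a matching JAD template.
MANIFEST = ("Manifest-Version: 1.0\r\nMIDlet-Name: MyMIDlet\r\nMIDlet-Version: 1.0\r\n"
            "MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microed\r\n"
            " ition.io.Connector.https\r\n")
JAD = ("MIDlet-Jar-Size: {size}\nMIDlet-Jar-URL: App.jar\nMIDlet-Name: MyMIDlet\n"
       "MIDlet-Version: {version}\nMIDlet-Permissions: "
       "javax.microedition.io.Connector.http, javax.microedition.io.Connector.https\n")

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", MANIFEST)
    return buf.getvalue()

if __name__ == "__main__":
    jar = sample_jar()
    print(check_jad_against_jar(JAD.format(size=len(jar), version="1.0"), jar))
    print(check_jad_against_jar(JAD.format(size=24601, version="1.1"), jar))
```

To check real files, pass the JAD's text and the JAR's raw bytes (read with open(path, "rb")) to check_jad_against_jar. The MIDlet-Jar-Size check also catches a JAR that was rebuilt after its size was written into the JAD.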

Troubleshooting Chaining issues

In some cases, depending on the mobile device make and model, you may encounter a certificate error when trying to run your application. You will run into this issue if the phone does not have the Root certificate to which the Code Signing certificate chains. Having the code signed correctly is not enough: the top-level Root certificate must be installed on the device in order for the chain to validate on the device.

There is no single best workaround, as not all devices will be impacted.

#1 Update the device with the root certificate

The Root certificate must be downloaded and installed from a web source, such as:
id=INFO1553

Once the Root certificate is installed/saved on the device, restart the device and retry the installation of the application.

#2 Removing the Root certificate from the chain

If your device does not contain the Root certificate specified in your signed code, you can remove the Root certificate from the chain in the JAD file. Doing so will allow the code to chain to any available Root certificate on the device.

If signed correctly, your JAD should contain a total of 4 certificates in the chain. In the JAD file, remove the following certificate entry:

MIDlet-Certificate-1-4:


#3 Consult the device vendor

If the above still did not resolve your issue, please contact the device vendor for further assistance or insight into this issue.