Are Java code signing certificates the same as SSL certificates?

I'm looking around for a Java code signing certificate so my Java applets don't throw up such scary security warnings. However, all the places I've found offering them charge (in my opinion) way too much, like over USD200 per year. While doing research, a code signing certificate seems almost exactly the same as an SSL certificate.

The main question I have: is it possible to buy an SSL certificate, but use it to sign Java applets?

Answers


Short answer: No, they're different.

Long answer: It's the same sort of certificate and it uses the same crypto software, but the certificate has flags indicating what it is allowed to be used for. Code signing and web server are different uses.


When I import a new CA certificate in Firefox (etc.) I have the option of choosing which certificate uses I trust:

  • Sign servers
  • Sign code (like your applet)
  • Sign email certificates

So to me the answer is: Yes, they're the same. Furthermore, why not generate your own with OpenSSL (man openssl, man x509, man req, etc. on Unix)? Do you want to just quiet down the warnings, or do you want other people whom you've never met to trust your code? If you don't need other users to chain trust to the anchor CAs bundled with their browser, OS, etc., then use OpenSSL to generate your own.

And ask "How do I use OpenSSL to generate my own certificates?" if the latter is your choice.


Thawte offers code signing certificates here. I imagine other Certificate Authorities offer this service as well. You can also create self-signed certificates, with Java keytool.


X.509 certificates may include key usage fields (KUs) and extended key usage fields (EKUs). The Oracle tech note describing how to sign your RIAs creates a certificate without any key usage flags, which works just fine (if you can get a trusted CA to sign it).

But more and more, CAs issue certificates with these key usage fields. When present, these fields restrict the usage of the certificate. The Java plugin checks for the presence of these fields in the EndEntityChecker:

/**
 * Check whether this certificate can be used for code signing.
 * @throws CertificateException if not.
 */
private void checkCodeSigning(X509Certificate cert)
        throws CertificateException {
    Set<String> exts = getCriticalExtensions(cert);

    if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
        throw new ValidatorException
           ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    if (checkEKU(cert, exts, OID_EKU_CODE_SIGNING) == false) {
        throw new ValidatorException
            ("Extended key usage does not permit use for code signing",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // do not check Netscape cert type for JCE code signing checks
    // (some certs were issued with incorrect extensions)
    if (variant.equals(Validator.VAR_JCE_SIGNING) == false) {
        if (!SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING)) {
            throw new ValidatorException
                ("Netscape cert type does not permit use for code signing",
                ValidatorException.T_EE_EXTENSIONS, cert);
        }
        exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
    }

    // remove extensions we checked
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);

    checkRemainingExtensions(exts);
}

The check methods look as follows:

/**
 * Utility method checking if the extended key usage extension in
 * certificate cert allows use for expectedEKU.
 */
private boolean checkEKU(X509Certificate cert, Set<String> exts,
        String expectedEKU) throws CertificateException {
    List<String> eku = cert.getExtendedKeyUsage();
    if (eku == null) {
        return true;
    }
    return eku.contains(expectedEKU) || eku.contains(OID_EKU_ANY_USAGE);
}

So if no KU or EKU is specified, the KU or EKU checker happily returns true.

But

  • if KUs are specified, the digital signature KU should be one of them.
  • if any EKUs are specified, either the EKU code signing (identified by oid 1.3.6.1.5.5.7.3.3) or the EKU any usage (identified by oid 2.5.29.37.0) should be specified as well.

Finally, the checkRemainingExtensions method checks the remaining critical EKUs. The only other critical EKUs allowed to be present are

  • basic constraints (oid 2.5.29.19) and
  • subject alt name (oid 2.5.29.17)

If it finds any other critical EKU, it returns false.
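As an added example (not from any of the answers above), the following shell script uses OpenSSL, as the second answer suggests, to self-sign a test certificate carrying the KU, EKU and Netscape cert type flags the fourth answer describes, then applies the same three acceptance rules to it and to a TLS-server-style certificate. It assumes `openssl` 1.1.1 or newer (for `-addext`) is on PATH and that the `openssl x509 -text` labels are OpenSSL's usual ones.

```shell
#!/bin/sh
# Added example (not from the answers): self-sign two certificates with
# OpenSSL and apply the Java plugin's KU / EKU / Netscape cert type rules.
# Assumes openssl >= 1.1.1 (for -addext) is on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mk_cert() {  # $1 = name; remaining args are passed to openssl req (-addext ...)
  name=$1; shift
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$name (constructed test cert)" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# Print the value line that follows an extension header in `openssl x509 -text`
# output, or nothing if that extension is absent from the certificate.
ext_value() {  # $1 = cert text, $2 = header such as "X509v3 Key Usage:"
  printf '%s\n' "$1" | awk -v h="$2" 'f {print; exit} index($0, h) {f=1}'
}

# Same three rules as EndEntityChecker.checkCodeSigning: an absent extension
# passes; a present one must carry the code-signing usage.
check_code_signing() {  # $1 = PEM cert; prints ok:/reject: and returns 0/1
  text=$(openssl x509 -in "$1" -noout -text)
  ku=$(ext_value "$text" "X509v3 Key Usage:")
  eku=$(ext_value "$text" "X509v3 Extended Key Usage:")
  nsct=$(ext_value "$text" "Netscape Cert Type:")
  if [ -n "$ku" ] && ! printf '%s' "$ku" | grep -q 'Digital Signature'; then
    echo "reject: KeyUsage does not allow digital signatures"; return 1; fi
  if [ -n "$eku" ] && ! printf '%s' "$eku" | grep -Eq 'Code Signing|Any Extended Key Usage'; then
    echo "reject: Extended key usage does not permit code signing"; return 1; fi
  if [ -n "$nsct" ] && ! printf '%s' "$nsct" | grep -q 'Object Signing'; then
    echo "reject: Netscape cert type does not permit code signing"; return 1; fi
  echo "ok: usable for code signing"
}

# A certificate carrying exactly the flags the plugin looks for ...
mk_cert codesign -addext "keyUsage=critical,digitalSignature" \
  -addext "extendedKeyUsage=codeSigning" -addext "nsCertType=objsign"
# ... and a TLS server style certificate, which the same rules reject
# at the EKU step even though its KU does allow digital signatures.
mk_cert server -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth" -addext "nsCertType=server"

check_code_signing "$WORK/codesign.pem"
check_code_signing "$WORK/server.pem" || true
```

A certificate with no KU, EKU or Netscape cert type extension at all is accepted by these rules, which is why the Oracle tech note's flag-less certificate works.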

