Signed Java Applet for IE and Netscape

M. Gallant 05/09/2002

This page demonstrates how to deploy a privileged Java applet which will run in either Internet Explorer or Netscape Communciator using the browser's own internal Java Virtual Machine. Privileged Java code is any code which executes beyond the JVM "security sandbox", for example accessing the client's local file system, executing native applications, making arbitrary network connections to servers other than the host sourcing the original applet. For basic demonstration purposes here, this signed Java applet will attempt to launch the standard Win32 notepad.exe application (if present at the default install paths). If the application is not found, an exception is caught and status is displayed to the Java console System.out PrintStream:

                C:\windows\notepad.exe  (Win95)
                C:\winnt\notepad.exe    (WinNT, Win2000, WinXP)

Java Applet Source Code

The code can be easily extended to launch any Win32 native application providing a very powerful web-programming paradigm, with desktop continuity. The applet is signed using an enterprise code-signing certificate and, for the applet to start properly with the appropriate security dialog, the associated WebConnector root CA certificate must be imported into the Netscape Communicator or IE4+ browser CA certificate store.

The html code for this page enables either browser (IE or Netscape) to use its corresponding archive, as described in Microsoft Java Documentation:

<applet archive="runappNN.jar" code="RunApp.class" width=120 height=35> <PARAM NAME=cabbase VALUE=runappIE.cab> </applet> This is the simplest form of tag supporting both browsers. For IE, versioning control and client-installation is also possible using Distribution Units and the Java Package Manager technology.
[Another approach which enables running fully privileged code uniformly in both browsers with Java 2 functionality uses the JavaPlugin approach with RSA-signing.]

Details of Compiling and Code-Signing:
There is one Java class file, with multiple try/catch blocks to handle the security classes relevant to either Netscape or Microsoft browser JVMs; the Microsoft Visual J++ compiler jvc.exe Version 6.00.8424 was used with the Microsoft SDK for Java V4. The classpath must include the Netscape security classes (either Java40.jar from Netscape install directory, or the Netscape Capabilities classes (capsapi_classes.zip archive). There are security statements in the init() method, which force the Netscape security dialog to display on first loading the page. The security statements for IE are included, but are only required if some privileged code runs in the init() method ("call-stack tracing"), as described in detail in the interesting KB article SecurityExceptionEx Exception Running a Java Applet

For Microsoft IE browser (IE4+), the following batch file was used with Microsoft SDK for Java 4.0 tools to compile, archive, sign and time-stamp the java class file into a .cab archive:
```
   jvc /cp:p capsapi_classes.zip RunApp.java
   cabarc -p n runappIE.cab RunApp.class
   signcode -j javasign.dll -jp LOW -cn "Michel I. Gallant" -n "Native Application Launcher" -t "http://timestamp.verisign.com/scripts/timstamp.dll"  runappIE.cab
```
The signature in the cab file can be verified/viewed by right-clicking the cab file and selecting Properties CAB archive. Contents of the cab file can also be displayed using the cabarc.exe utility.
For Netscape Communicator 4.5+, the Netscape Signtool1.3 utility was used with the following command:
```
   signtool -k "keynickname" -d cacertdb -Z runappNN.jar signdir
```
Any standard archiving tool will display the contents of the JAR archive showing the signature file (sf) and signature block (rsa) components. The unusual "nickname" for the code-signing certificate is a result of importing the pkcs#12 certificate object from the Win32 cryptoAPI cert database into the Netscape certificate database file as discussed by a certificate vendor.