Hi,

Could you explain the work-around of Haripriya Kanduri for the Java2 
plug-in ?


Thank you.
Michael.





Christophe Muller <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/04/2001 12:52

 
        To:     Catalin Scintei <[EMAIL PROTECTED]>
        cc:     [EMAIL PROTECTED]
        Subject:        Re: [OCF] OCF Applet with Netscape4.7

Hello,

Catalin Scintei wrote:
> 
>     Hi everybody!
>     I'm trying to make an applet working with readers in OCF.

I'll try to summarize what I know on this (difficult :-) subject..
which can of course be completed by other readers as I haven't tried
all the possibilities, especially PC/SC.

> I understood that with IE it's not possible because of  the JNI
> which is not supported, but only with JNI-enabled VM that can be
> downloaded from MS web-site.

That's right, not only you have to download a recent VM:
   http://www.microsoft.com/java/download/dl_sdk40.htm
but you also have to learn how to use MS security scheme:
   http://www.microsoft.com/java/security/default.htm

Note that for the three VMs, the three security schemes are
all different (for MS, Sun's Plugin, and Netscape). :-(

To my knowledge, an IE's VM that is JNI-enabled should work with
both the Comm API and the PC/SC wrapper, as far as the applet is
signed and the necessary authorizations have been granted. I haven't
tested that much, though.. (being working on Linux).

> Also with the Java2 plug-in, there is a problem with the mismatch
> between the two security models: the Java2 one and the CommAPI one.
> OK, there is the work-around of Haripriya Kanduri. But it's not so
> easy.

Note that version 2.0.2 of the javax.comm API fixes this problem
and works "out-of-the-box". So it should work w/o much harm but
only for Solaris and Linux OSes, as for Windows version is still 2.0.
(they say "will be made available soon".. write to your deputy.. ;-).

Note also that future release of Mozilla browser will include the
official plug-in instead of a special VM, and that MS might not
support Java a lot in the future, so it's a good bet (IMHO) to learn
security scheme "the official way". A good URL to start is:
   http://java.sun.com/security/signExample12/

> The last, with Netscape, it's a problem with setting the rights only
> for current thread and that's why CommAPI will not work, that is the
> reader will be inaccessible.

That's right. IBM has filed a bug to Sun concerning this problem
with the javax.comm API but it was in.. 1998 :-(.

I know of no solution for using OCF with the Netscape VM because
of this. Note that, since then, IBM has developed an implementation
of javax.comm for Linux so we *could* probably make it work if we had
the sources.. Also the RXTX people are trying to re-implement the Comm
API on top of their C API (http://www.rxtx.org/) which would offer a
free software implementation that is portable (although it still needs
some work on Windows, they are working on it). Last time I checked,
the javax.comm classes would not work for me.. anybody had more luck?

> My question is: if I would use a PC/SC reader, with the PC/SC
> wrapper, and trying to speak with it from an applet within
> Netscape, should I get an error or something??

Still to my knowledge, because I haven't tried that on Windows (I just
went to the point of the security problem under Linux), it *should*
work ok if you have set the right security authorizations. See:
 
http://developer.netscape.com/docs/manuals/signedobj/signtool/index.htm
for more details on them.

There is a good white-paper of Xavier Lorphelin (written for a GDC :-)
in which he said he succeeded using the Netscape VM. The paper is
available at:
http://www.smartcardcentral.com/technical/articles/jsource/jsource_080999.asp

>     Thank you!
> 

You are welcome. I am writing a FAQ on the subject but I still have
some "missing spots" so if anybody has some experience and code to
share, please post to the list. I will incorporate them.

PS: I have attached 'netscape-steps.txt' in which I list the steps
needed to use a signed applet in the Netscape security model.

Hope it'll help. Please let us know how it goes.. 

Cheers,
Christophe.

 = In order to request a change to the forms management form change =
 = form, submit a forms change request form or the forms management =
 = form change form to the forms management supervisor.  Do not use =
 = the request for forms change form, or the forms management form  =
 = change form itself, as these will be forwarded to the forms man- =
 = agement supervisor through the forms management form alteration  =
 = process, resulting in additional paperwork.                      =
 =                      -- Virginia Form DMHMR 562-11A-38revA       =
--
-------------------------------------------------------------
[EMAIL PROTECTED] - Gemplus Research Lab
Phone: +33 4-42-36-57-83 | Disclaimer: I don't speak for Gemplus
Gemplus doesn't speak for me... it is better that way!
-------------------------------------------------------------
---------------------------------------------------------------------------

      Steps for using OCF1.2 under Netscape Communicator 4.x VM

---------------------------------------------------------------------------

1) create a password (security icon / passwords)

2) in the applet add to "init":
opencard.core.util.SystemAccess sys =
  new opencard.opt.netscape.NetscapeSystemAccess();
opencard.core.util.SystemAccess.setSystemAccess(sys);

3) sign the applet

$ signtool -G cm
... Test Applet Signing Certificate
... Gemplus
... Research Lab
... France
... FR
... cmuller
... [EMAIL PROTECTED]
... zzzzzz

$ signtool -l
using certificate directory: /root/.netscape

Object signing certificates
---------------------------------------
cm
    Issued by: cm (Test Applet Signing Certificate)
    Expires: Sat Aug 12, 2000
---------------------------------------
For a list including CA's, use "signtool -L"

$ mkdir signing
$ cp -i Dir.class signing
$ cp -i NetscapeSystemAccess.class signing 
$ signtool -k cm -Z NetDir.jar signing 
using certificate directory: /root/.netscape
Generating signing/META-INF/manifest.mf file..
--> Dir.class
adding signing/Dir.class to NetDir.jar...(deflated 48%)
--> NetscapeSystemAccess.class
adding signing/NetscapeSystemAccess.class to NetDir.jar...(deflated 52%)
Generating zigbert.sf file..
Enter Password or Pin for "Communicator Certificate DB":
adding signing/META-INF/manifest.mf to NetDir.jar...(deflated 29%)
adding signing/META-INF/zigbert.sf to NetDir.jar...(deflated 36%)
adding signing/META-INF/zigbert.rsa to NetDir.jar...(deflated 14%)
tree "signing" signed successfully
$ signtool -v NetDir.jar 
using certificate directory: /root/.netscape
archive "NetDir.jar" has passed crypto verification.

          status   path
    ------------   -------------------
        verified   Dir.class
        verified   NetscapeSystemAccess.class

4) use it in an HTML file with <APPLET> tag:
      <applet codebase="." code="Dir" archive=NetDir.jar width=251 height=125>
      </applet>

---------------------------------------------------------------------------
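
Added example, not part of the original post or its attachment: a sketch of the manifest-digest part of what `signtool -v` reports in step 3, which also flags files placed in the archive after signing. It assumes the per-entry `Name:` / `<alg>-Digest:` manifest layout of the JAR file format; the class bytes and the `build_sample` helper are constructed for illustration, and the signature over `zigbert.sf` / `zigbert.rsa` is not checked here.

```python
import base64, hashlib, io, zipfile

ALGS = {"MD5-Digest": "md5", "SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_jar(data):
    """Classify each non-META-INF file in the JAR as verified/mismatch/unsigned."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        mf = next((n for n in jar.namelist() if n.lower() == "meta-inf/manifest.mf"), None)
        entries = parse_manifest(jar.read(mf).decode("utf-8")) if mf else {}
        for name in jar.namelist():
            if name.lower().startswith("meta-inf/") or name.endswith("/"):
                continue
            digests = {a: v for a, v in entries.get(name, {}).items() if a in ALGS}
            if not digests:
                report[name] = "unsigned"  # in the archive, but not covered by the manifest
                continue
            body = jar.read(name)
            ok = all(base64.b64encode(hashlib.new(ALGS[a], body).digest()).decode() == v
                     for a, v in digests.items())
            report[name] = "verified" if ok else "mismatch"
    return report

def build_sample(tamper=False, extra=False):
    """Constructed JAR: two placeholder class files and a manifest with SHA1 digests."""
    files = {"Dir.class": b"constructed Dir bytes", "NetscapeSystemAccess.class": b"constructed NSA bytes"}
    mf = "Manifest-Version: 1.0\n\n"
    for n, b in files.items():
        mf += "Name: %s\nSHA1-Digest: %s\n\n" % (n, base64.b64encode(hashlib.sha1(b).digest()).decode())
    if tamper:
        files["Dir.class"] = b"modified after signing"
    if extra:
        files["Extra.class"] = b"added after signing"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/manifest.mf", mf)
        for n, b in files.items():
            jar.writestr(n, b)
    return buf.getvalue()
```

An "unsigned" result is the case to watch for: a class that loads from the same archive but was never covered by the signer's manifest.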






---
> Visit the OpenCard web site at http://www.opencard.org/ for more
> information on OpenCard---binaries, source code, documents.
> This list is being archived at http://www.opencard.org/archive/opencard/
