ebook13-4

4 J D K 1. 2 J a v a, I n t e r n e t J D K 1. 2 J V M 1. 2, J D K Java applet Java IE Navigator JVM Java 4.1 JDK1.2 Wi n 32 ( M S - Wi n d o w s Windows NT) Sun Solaris J D K 1. 2 h t t p :// j a v a. s u n. c o m / p r o d u c t s / j d k / 1. 2 /. Sun Microsystem J a v a, S o l a r i s Sun Sparc (1) We b S o l a r i s J D K 1. 2, j d k 12 - s o l a r i s 2 - s p a r c. s h (2), %chmod a+x jdk12-solaris2-sparc.sh %. / j d k 1 2 - s o l a r i s 2 - s p a r c. s h./ j d k 1. 2 / b i n (3)./ j d k 1. 2 / b i n %set path=($path./jdk1.2/bin) (4) UNIX J D K, : %set path=(./jdk1.2/bin $path) : %which java. / j d k 1. 2 / b i n / j a v a % (5), a p p l e t v i e w e r a p p l e t : %appletviewer http://java.sun.com/applets/other/tumblingduke/index.html 2 : %java Test Hello a p p l e t v i e w e r, J D K 1. 1 x p o l i c y t o o l ( ) J D K 1. 2, k e y t o o l, S o l a r i s M S - Wi n d o w s

4 71 J D K 1. 2, J D K 1. 2, J A R, A c c e s s C o n t r o l l e r, d o P r i v i l e g e 4.2, a p p l e t, J V M J D K 1. 2, a p p l e t a p p l e t, J a v a J D K 1. 2 A P I J a v a A P I, J D K J D K 4.2.1 P o l i c y P o l i c J D K 1. 2 p o l i c y t o o l p o l i c y t o o l < j a v a. h o m e > / l i b / s e c u r i t y / j a v a. p o l i c y j a v a. h o m e J D K : < u s e r. h o m e > /. j a v a. p o l i c y < u s e r. h o m e > P o l i c y g e t P e r m i s s i o n r e f r e s h P o l i c y P o l i c y < j a v a. h o m e > / l i b / s e c u r i t y / j a v a. s e c u r i t y p o l i c y. u r l. n p o l i c y. u r l. 1 = $ { j a v a. h o m e } / l i b / s e c u r i t y / j a v a. p o l i c y p o l i c y. u r l. 2 = $ { u s e r. h o m e } /. j a v a. p o l i c y $ { j a v a. h o m e }, U R L

72 Java 2 API P o l i c y u r l. n n n 1 p o l i c y p o l i c y. u r l. 1 p o l i c y. u r l. 2 p o l i c y. u r l. 1 p o l i c y. u r l. 3 p o l i c y. u r l. 2 p o l i c y. u r l. 3 4.2.2 a p p l e t - D j a v a. s e c u r i t y. p o l i c y j a v a. s e c u r i t y. p o l i c y : java-djava.security.manager-djava.security.policy=someurl someapp S o m e U R L U R, - D j a v a. s e c u r i t y. m a n a g e r, S o m e A p p, ( = = ) java -Djava.security.manager -Djava.security.policy==someURL someapp s o m e U R L : a p p l e t v i e w e r a p p l e t - D j a v a. s e c u r i t y. p o l i c y appletviewer -Djava.security.policy=someURL someapplet p o l i c y. a l l o w S y s t e m P r o p e r t y f a l s e, D j a v a. s e c u r i t y. p o l i c y j a v a a p p l e t v i e w e r, t r u e 4.2.3 Policy P o l i c y g e t P e r m i s s i o n ( ) J D K P o l i c y p o l i c y. p r o v i d e r j a v a. s e c u r i t y, : p o l i c y. p r o v i d e r = P o l i c y C l a s s N a m e : p o l i c y. p r o v i d e r = s u n. s e c u r i t y. p r o v i d e r. P o l i c y F i l e P o l i c y p o l i c y. p r o v i d e = c o m. m y c o m. M y P o l i c y P o l i c y,, Policy File P o l i c y P o l i c y com. sun. security. M y P o l i c y C l a s s 4.2.4 J D K (

4 73 ) a p p l e t ( ) P o l i c y g r a n t k e y s t o r e ( k e y s t o r e ) X. 509 J D K 1. 2 X. 509 4. 4 k e y t o o l keystore "some-keystore-url" " k e y s t o r e - t y p e " " s o m e - k e y s t o r e - u r l " U R L " k e y s t o r e - t y p e " p o l i c y. u r l. 1 = h t t p : / / f o o. b a r. c o m / f u m / s o m e. p o l i c y " k e y s t o r e " h t t p / / f o o. b a r. c o m / f u m /. k e y s t o r e U R L, keystore //http://foo.bar.com/fum/.keystore". J D K 1. 2 J K S ( C o d e S o u r e ) a p p l e t U R L C o d e S o u r e C o d e S o u r e g r a n t g r a n grant signedby"signer-name" codebase "URL"{ permission permission-class-name "target-name" " a c t i o n "... signedby "signer-names" permission permission-class-name "target-name"," action", } signedby "signer-names" g r a n t s i g n e d B y c o d e B a s e / C o d e S o u r c e C o d e S o u r c e

74 Java 2 API s i g n e d B y, ( ), " A d a m, E v e, C h a r l e s " A d a m E v e C h a r l e s c o d e B a s e B N F c o d e B a s e U R L / ( \ ) M S - Wi n d o w s M S - Wi n d o w s C :" s o m e p a t h " a p p " c o d e B a s e grant codebase "file:/c:/somepath/api/"{... } P e r m i s s i o n P e r m i s s i o n - c l a s s - n a m e j a v a. i o. F i l e P e r m i s s i o n java.lang.runtime Permission r e a d, w r i t e, a c c e s s, java. io. F i l e P e r m i s s i o n ( ), j a v a. l a n g. R u n t i m e P e r m i s s i o n p e r m i s s i o n - c l a s s - n a m e " t a rg e - n a m e " s i g n e d B y / P e r m i s s i o n g r a n t { } permission Foo"foobar",signedBy"FooSoft" F o o. c l a s s F o o S o f t F o o. c l a s s F o o j a v a c o m. a b c. T V P e r m i s s i o n J A R

4 75 c o m. a b c. T V P e r m i s s i o n We b P e r m i s s i o n ( p e r m i s s i o n p e r m i s s i o n - c l a s s - n a m e " t a r g e t - n a m e " " a c t i o n ", s i g n e d B y " s i g n e r - n a m e s " ) ( p e r m i s s i o n, s i g n e d B y, c o d e B a s e ) p e r m i s s i o n - c l a s s - n a m e j a v a. i o. F i l e P e r m i s s i o n " t a rg e - n a m e " M S - Wi n d o w s ( c o d e B a s e U R L ) \ \ g r a n t { permission java.io.filepermission " C : \ \ u s e r s \ \ c a t h y \ \ f o o. b a t ", " r e a d " ; } ; tokenizer(java. io. StreamTo k e n i z e r ) \ \ n t o k e n i z e r, " C : \ u s e r s \ c a t h y \ f o o. b a t " 4.2.5 J a v a //

76 Java 2 API a p p l e t / h o m e / s y a d m i n / J A R ( a p p l e t, s y s a d m i n ) a p p l e t S e c u r i t y c o d e B a s e s i g n e d B y ( ) s y s a d m i n J A R J A R / h o m e / s y s a d m i n / c o d e B a s e s i g n e d B y ( ) 4.2.6 J D K 1. 2 U N I X s o m e. p r o p e r t y permission java.io. FilePermission"$ u s e r. h o m e " " r e a d " " $ u s e r. h o m e " u s e r. h o m e " / h o m e / c a t h y " permission java.io. FilePermission"/home/cathy" " r e a d " J D K 1. 2 " $ / " " $ f i l e. s e p a r a t o r "

4 77 permission java.io.filepermission"$ u s e r. h o m e $ / * " " r e a d " S o l a r i s u s e r. h o m e "/ h o m e / c a t h y " permission java.io.filepermission " / u s e r / c a t h y /*" " r e a d " M S - Wi n d o w s u s e r. h o m e " C :\ h o m e \ c a t h y " permission java.io.filepermission " C :\ u s e r \ c a t h y \*" " r e a d " c o d e B a s e codebase "file: $ {java.home} / l i b / e x t /" U N I X ( ) ( ) "/" MS-Windows grant codebase"file:c:/jdk1.2/lib/ext/" j a v a. h o m e C :\ j d k 1. 2 c o d e B a s e $ {/} " s i g n e r- n a m e s " " U R L "," t a rg e t - n a m e " " a c t i o n " p o l i c y. e x p a n d P r o p e r t i e s f a l s e t r u " $ { u s e r. $ { f o o }}" $ { u s e r. h o m e } f o o " h o m e " $ { } ( $ { u s e r. $ f o o } ),, f o o, : grant codebase "${foo}" { } p e r m i s s i o n... ; p e r m i s s i o n... ; g r a n t { } permission Foo "${foo}" permission Bar permission Foo Permission Bar " $ { f o o }" f o o t o k e n i z e r t o k e n i z e " $ { u s e r. h o m e }\\ f o o. b a t ", " $ { u s e r. h o m e }\ f o o. b a t " u s e r. h o m e "C:\users\cathy", ${user. h o m e } " C :\ u s e r s \ c a t h y \ f o o. b a t " " $ {/}" " $ { u s e r. h o m e } $ f o o. b a t " 4.3 s i g n e d B y s i g n e d B y

78 Java 2 API (public-key certificate) ( ) 4-1 (root certificate) 1 2 3 4-1 ( T T P ) ( C A ) ( C A C A C Ve r i S i g n C A C C I T T X. 509 X.509 v3 We b ( N a v i g a t o r I E ) S S L ( ) S S L We b I E T F ( I n t e r n e t ) ( T L S ) ( PEM S/MIME) (SET) X.509 JAR X. 509 ( v e r s i o n ) X. 509 (serial number) (Certificate Revocation List C R L ) C R L C A (signature algorithm identifier) C A (issuer name) X. 500 C A (validity period) I E T F (PKIX) I n t e r n e t

4 79 ( ) (subject name) X. 500 I n t e r n e t ( D N ) CN=Java Duke OU=Java Software O=Sun Microsystems C = U S ( C N ) ( O U ) ( O ) ( C ) l o c a l i t y N a m e ( ) Palo Alto s t a t e N a m e ( ) C a l i f o r n i a (subject public key information) A S N. 1 / D E R ( A S N. 1 ) ( D E R ) Internet RFC 1421 B a s e 64 ( e - m a i l ) B a s e 64 -----BEGIN CERT I F I C AT E - - - - - -----END CERT I F I C AT E - - - - - X. 509 (1) X.509 v1 1 9 8 8 (2) X.509 v2 ( ) (3) X.509 v3 ( 1 996 ) (a) KeyUsage ( b ) A l t e r n a t i v e N a m e s D N S e - m a i l I P / k e y U s a g e k e y C e r t S i g n S S L S S L k e y t o o l ( ) C A C A ( C S P ) C A k e y t o o l ( C S R ) C A ( k e y t o o l )

80 Java 2 API C A J D K 1. 2 Java API A P I j a v a. s e c u r i t y. c e r t C e r t i f i c a t e F a c t o r y ( C R L ) C e r t i f i c a t e X. 509 Pretty Good Privacy(PGP) ( ) ( CRL: C R L X 509Certificate X. 509 X. X 509Extention X. 509 X.509 v3 X.509 v2 CRL C R L X 509CRL X. 5 0 9 C R L X 509CRLEntry C R L k e y t o o l X. 509 4.4 J D K 1. 2 k e y t o o l p o l i c y t o o l j a r s i g n e r 4.4.1 4. 2. 4 J D K 1. 2, 4-2 4-2

4 81 ( j a r s i g n e r ) J A R J A R ( ) j a r s i g n e r ( J A R ) J A R j a r s i g n e r J D K 1. 2 k e y t o o l j a r s i g n e r ( t r u s t e d c e r t i f i c a t e ) ( ) H u g o h u g o - g e n k e y ( ) - i m p o r t k e y t o o l d u k e / keytool -genkey -alias duke -keypass dukekeypasswd d u k e k e y p a s s w d d u k e d u k e d u k e k e y p a s w d n e w p a s s keytool -keypasswd -alias duke -keypass dukekeypasswd -newnewpass k e y t o o l - k e y s t o r e. k e y s t o r e, u s e r. h o m e S o l a r i s, u s e r. h o m e M S - Wi n d o w s u N a m e u s e r. h o m e C : \ W i n n t \ P r o f i l e s \ u N a m e C : \ W i n d o w s \ P r o f i l e s \ u N a m e C : \ W i n d o w s Windows NT Windows 95 Windows 95 c a t h y u s e r. h o m e C : \ W i n n t \ P r o f i l e s \ c a t h y C : \ W i n d o w s \ P r o f i l e s \ c a t h y Windows NT Windows 95 j a v a. s e c u r i t y K e y S t o r e k e y t o o l j a r s i g n e r J D K 1. 1 j a v a k e y j a v a k e y j a v a k e y K e y t o o l - i d e n t i t y d b

82 Java 2 API K e y S t o r e ( S P I ) ( p r o v i d e r ) J a v a A P I K e y s t o r e S p i j a v a. s e c u r i t y S P I K e y s t o r e S p i 7 K e y S t o r e g e t I n s t a n c e J D K 1. 2 J K S j k s J K S k e y t o o l F i l e I n p u t S t r e a m p k c s 12 k e y s t o r e. t y p e = p k c s 1 2 k e y t o o l k e y s t o r e. t y p e K e y S t o r e g e t D e f a u l t Ty p e keystore.type KeyStore KeyStore=KeyStore.getInstance(KeyStore.getDefault-Type()); 4.4.2 keytool k e y t o o l / k e y t o o l X. 509 v 1 v 2 v 3 v 1 k e y t o o l J a v a ( D S A ) D S A 512 1024 64 102 D S A D S A S H A 1 R S A R S A M D 5 k e y t o o l X. 509 D N "CN=Mark Smith,OU=JavaSoft,O=Sun, L=Palo Alto, S=CA,C=US" D N keytool -genkey -dname "CN=Mark Smith,OU=JavaSoft,O=Sun, L=Palo Alto, S=CA,C=US"alias mark C N C n c N C N O U O L S C D N X.509 v3 k e y t o o l X.509 v1 k e y t o o l v 3

4 83 : CN=Mark Smith,OU=JavaSoft,O=Sun, C=US D N D k e y t o o l / C S R C A C A C A C A C A C A C S R C A C A C A C A P K C S # 7 k e y t o o l C A D N C A / t m p / c e r t - p r i n t c e r t k e y t o o l k e y t o o l keytool --import--alias joe --file jcertfile.cer j c e r t f i l e. c e r j o e B a s e 64 - i m p o r t - p r i n t c e r t C A C C S R k e y t o o l - e x p o r t keytool --export -alias jane --file janecertfile.cer

84 Java 2 API j a n e j a n e c e r t f i l e. c e r t B a s e 64 - l i s t keytool -list -alias joe - l i s t M D 5 - v e r b o s e k e y t o o l - a l i a s " m y k e y " - k e y a l g " D S A " - k e y s i z e 1 0 2 4 - v a l i d i t y 9 0 - k e y s t o r e. k e y s t o r e - f i l e J D K 1. 2 k e y t o o l k e y t o o l keytool -help k e y t o o l / keytool -genkey -dname "cn=mark Smith,ou=JavaSoft,o=Sun, c=us" --alias business --keypass kpi135 --keystore /working/ mykeystore -storepass ab987c --validity 180 w o r k i n g m y k e y s t o r e ( ) ( s t o r e p a s s ) a b 987 c / D N ( d n a m e ) M a r k S m i t h J a v a S o f t S u n U S D S A 1024 ( D S A S H A 1 ) D N 180 b u s i n e s s k p i 135 keytool --genkey my key 90 - g e n k e y - g e n k e y C A C S R keystool --certreq --file MarkJ.csr CSR ( m y k e y ) M a r k J. c s r C A C A ( ) ( )

4 85 C A C A (1) ( C A C ) (2) C A C A J D K 1. 2 5 Ve r i S i g n C A Ve r i S i g n C A C A C A C A C ( C A ) A B C C A A B C C A. c e r A B C C A keytool --import --alias abc --file ABCCA.cer A B C C A. c e r a b c C A C A C S R C A C S R ( C A ) ( C A ) Ve r i S i g n C S R ( V S M a r k J. c e r ) keytool --import -trustcacerts --file VSMarkJ.cer j a r s i g n e r J A R M J. c e r ( m y k e y ) keytool --export --alias mykey --file MJ.cer J A R j a r s i g n e r D N D / SuSan Miller, s M i l l e r D N "cn=susan Miller, ou=finance Department,o=BlueSoft, c=us" / D N (1) keytool --keyclone --alias smiller --dest smillernew s t o r e p a s s (2) D N keytool --selfcert --alias smillernew -dname "cn=susan Miller, ou=accounting Department,o=BlueSoft c=us"

86 Java 2 API (3) C S R keytool --certreq --alias smillernew C A keytool --import --alias smillernew --file VSSMillerNew.cer (4) D N keytool --delete --alias smiller J D K 1. 2 M S - Wi n d o w s k e y t o o l S o l a r i s 4.4.3 p o l i c y t o o l p o l i c y t o o Policy To o l ( 4-3 ) 4-3 policytool P o l i c y To o l U R L c o d e B a s e s i g n e d B y. j a v a. p o l i c y p o l i c y t o o l, P o l i c y To o l ( p o l i c y t o o l ) / t e s t s / m y k e y s t o r e S o l a r i s (1) U R L New KeyStore URL f i l e / t e s t s / m y k e y s t o r e p o l i c y t o o l U R L (2) New KeyStoreTy p e Sun Microsystem JKS keystore p o l i c y t o o l k e y s t o r e. t y p e

4 87 (3) O K U R L (1) Policy To o l Add Policy Entry Policy Entry (2) c o d e B a s e U R L l o c a l / J a v a S o f t / T E S T S / C o d e B a s e f i l e / J a v a S o f t / T E S T S / (a) s i g n e d B y d u k e d u k e s i g n e d B y (b) c o d e B a s e s i g n e d B y ( ) (1) Policy Entry Add Permission P e r m i s s i o n (a) (permission type) P e r m i s s i o n (b) (permission target name) P e r m i s s i o n Ta rget Name ALL FILES File Permissions Ta rg e t N a m e (c) (one or more action) A c t i o n s ( ) F i l e P e r m i s s i o n ( ) (d) signedby (signedby alias) S i g n e d B y s i g n e d B y P e r m i s s i o n (2) O K Policy Entry Policy Entry D o n e Policy To o l c o d e B a s e s i g n e d B y Policy Entry c o d e B a s e < A L L > O K ( )

88 Java 2 API (1) Policy Entry Edit Permission ( ) P e r m i s s i o n (2) (3) O K Policy Entry Policy Entry R e m o v e P e r m i s s i o n p o l i c y t o o l Warning Log E d i t Vi e w Warning Log U R L U R M S - Wi n d o w s p o l i c y t o o l 4.4.4 jarsigner J D K 1. 2 j a r s i g n e r J A R j a r J A R j a r s i g n e r J A R J A R J A R J A J A R J A R J A R j a r s i g n e r J A R j a r s i g n e r J A R U R L, m y s t o r e d u k e J A R M y J A R F i l e. j a r, JAR MyJARFile.jar j a r s i g n e r k e y s t o r e. t y p e k e y s t o r e. t y p e J D K 1. 2 j a r s i g n e r JDK jartool Z I P J A R D S A S H A 1 R S A M D 5 J A R D S A S H A 1 S U N j a r s i g n e r J A R, J A R J A R J A R Z I P M E TA - I N F / M A N I F E S T. M F j a r s i g n e r Z I P

4 89 M E TA - I N F S F D S A ( S F ) J A R S H A S H A S F S F S F D S A D S A j a r s i g n e r J A R J A J A R (1) S F ( D S A ) ( ) D S A S F S F (2) S F S S F S F ( ) S F S F (3) S F j a r t o o l S F J A R j a r s i g n e r J A R j a r s i g n e r jarsigner mybundle.jar susan jarsigner mybundle.jar kevin J A R J A S F D S A S F D S A J A R S U S A N. S F S U S A N. D S A K E V I N. S F K E V I N. D S A J D K 1. 2 j a r s i g n e r jarsigner J D K 1. 1 J D K 1. 1 j a v a k e y J A R J a v e

90 Java 2 API J D K 1. 2 k e y t o o l j a r s i g n e r j a v a k e y k e y s t o r e j a v a k e y J D K 1. 2 J D K 1. 2 k e y t o o l - i d e n t i t y d b J D K 1. 2 jarsigner j a v a k e y J A R j a r s i g n e r j a v a k e y J A R J D K 1. 1 J D K 1. 2 J D K 1. 1 j a v a k e y J D k 1. 2 J V M J A R J V M J A R? 1 J A R 2 3 4? 4-1 J D K 1. 1 x J A R J D K 1. 2 /, 4-1, ( ) J D K 1. 1 J D K 1. 1 J D K 1. 2 k e y s t o r e J D K 1. 2 J A R J A R 4-1 j a v a k e y 1 2 3 4 / / / / + / / / / / / / / +

4 91 4.4.5 J A R J A b u n d l e. j a r w o r k i n g m y s t o r e j a n e m y p a s s j a n e j 638 k l m J A R J A R s b u n d l e. j a r jarsigner -keystore /working/mystore -storepass myspass -keypass j638klm -signedjar sbundle,jar bundle.jar JANE S F D S A J A N E. S F J A N E. D S A jarsigner -verify sbundle.jar "jar verified" - v e r b o s e jarsigner -verify -verbose sbundle.jar 198 Fri Sep 26 16:14:06 PDT 1997 META-INF/MANIFEST.MF 199 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.SF 1013 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.DSA smk 2752 Fri Sep 26 16:12:30 PDT 1997 AclEx.class smk 849 Fri Sep 26 16:12:46 PDT 1997 test.class s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keysyore jar verified - c e r t s JAR D N ( X. 509 ) J A R

92 Java 2 API X. 509 D N P G P b o b PGP ( b o b ) J A R J D K 1. 1 j a v a k e y i J A R i k - c e r t s ( d u k e ) M S - Wi n d o w s j a r s i g n e r 4.5 J D K 1. 2 J a v a J D K 1. 2 J a v a I n t e r n e t ( I S P ) I S P I S I n t e r n e t

4 93 J D K 1. 2 J a v a J a v J a v a A O L I n t e r n e t J a v a e - m a i l I n t e r n e t