90
<n>
:= a number equal to 1 for first certification path in the descriptor, or 1 greater than
the previous number for additional certification paths. This defines the sequence in which
the certificates are tested to see if the corresponding root certificate is on the device.
<m>
:= a number equal to 1 for the signer’s certificate in a certification path or 1 greater
than the previous number for any subsequent intermediate certificates.
Creating the RSA SHA-1 signature of the JAR
The signature of the JAR is created with the signer’s private key according to the EMSA-
PKCS1 –v1_5 encoding method of PKCS #1 version 2.0 standard from RFC 2437. The
signature is base64 encoded and formatted as a single MIDlet-Jar-RSA-SHA1 attribute
without line breaks and inserted into the JAD.
It will be noted that the signer of the MIDlet suite is responsible to its protection domain
root certificate owner for protecting the domain’s APIs and protected functions; therefore,
the signer will check the MIDlet suite before signing it. Protection domain root certificate
owners can delegate signing MIDlet suites to a third party and in some instances, the
author of the MIDlet.
Authenticating a MIDlet Suite
When a MIDlet suite is downloaded, the handset will check the JAD attribute MIDlet-Jar-
RSA-SHA1. If this attribute is present, the JAR will be authenticated by verifying the
signer certificates and JAR signature as described. MIDlet suites with application
descriptors that do not have the attributes previously stated will be installed and invoked
as untrusted. For additional information, refer to the MIDP 2.0 specification.
Verifying the Signer Certificate
The signer certificate will be found in the application descriptor of the MIDlet suite. The
process for verifying a Signer Certificate is outlined in the steps below:
1.
Get the certification path for the signer certificate from the JAD attributes MIDlet-
Certificate-1<m>, where <m> starts a 1 and is incremented by 1 until there is no
attribute with this name. The value of each attribute is abase64 encoded
certificate that will need to be decoded and parsed.
2.
Validate the certification path using the basic validation process as described in
RFC2459 using the protection domains as the source of the protection domain
root certificates.
3.
Bind the MIDlet suite to the corresponding protection domain that contains the
protection domain root certificate that validated the first chain from signer to root.
4.
Begin installation of MIDlet suite.