31
MIDP 2.0 Security Model
Inserting Certificates into JAD
When inserting a certificate into a JAD, the certificate path includes the signer certificate and any necessary certificates while omitting the root certificate. Root certificates will be found on the device only.
Each certificate is encoded using base 64 without line breaks, and inserted into the application descriptor as outlined below per MIDP 2.0.
MIDlet-Certificate-<n>-<m>: <base64 encoding of a certificate>
Note the following:
<n>:= a number equal to 1 for first certification path in the descriptor, or 1 greater than the previous number for additional certification paths. This defines the sequence in which the certificates are tested to see if the corresponding root certificate is on the device.
<m>:= a number equal to 1 for the signer’s certificate in a certification path or 1 greater than the previous number for any subsequent intermediate certificates.
Creating the RSA SHA-1 signature of the JAR
The signature of the JAR is created with the signer’s private key according to the EMSA- PKCS1
It will be noted that the signer of the MIDlet suite is responsible to its protection domain root certificate owner for protecting the domain’s APIs and protected functions; therefore, the signer will check the MIDlet suite before signing it. Protection domain root certificate owners can delegate signing MIDlet suites to a third party and in some instances, the author of the MIDlet.
Authenticating a MIDlet Suite
When a MIDlet suite is downloaded, the handset will check the JAD attribute
Verifying the Signer Certificate
The signer certificate will be found in the application descriptor of the MIDlet suite. The process for verifying a Signer Certificate is outlined in the steps below:
1.Get the certification path for the signer certificate from the JAD attributes MIDlet-
119
