Method and computer program product for processing signed applets

US 6,910,128 B1
Filed: 11/21/2000
Issued: 06/21/2005
Est. Priority Date: 11/21/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for executing a signed applet packaged in a given file, comprising:

upon loading a class, determining whether a signature in the given file type applies to the class;

if so, executing a verification procedure to verify the signature and the identity of a signer that generated the signature;

following a successful verification, determining whether the signer is identified in a policy entry;

if the signer is identified in the policy entry, populating a permission set for the class;

wherein the signature is verified using a given algorithm used to sign the applet; and

wherein the step of populating the permission set for the class awards the class a permission as specified in the policy entry.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework for processing signed applets that are distributed over the Internet. Using the framework, an applet that is packaged as a Netscape- or JDK-signed jar file, or as an Internet Explorer-signed cab file, is processed within the same Java runtime environment irrespective of the browser type (i.e. Netscape Communicator, Internet Explorer or JDK) used to execute the applet. When the applet is executed, the framework verifies one or more applet signatures using the same algorithm that was used to sign the applet, verifies the signer(s) of the applet, and stores information about the signers so that they can be honored by a security policy when permissions for the applet are determined.

59 Citations

View as Search Results

21 Claims

1. A method for executing a signed applet packaged in a given file, comprising:
- upon loading a class, determining whether a signature in the given file type applies to the class;
  
  if so, executing a verification procedure to verify the signature and the identity of a signer that generated the signature;
  
  following a successful verification, determining whether the signer is identified in a policy entry;
  
  if the signer is identified in the policy entry, populating a permission set for the class;
  
  wherein the signature is verified using a given algorithm used to sign the applet; and
  
  wherein the step of populating the permission set for the class awards the class a permission as specified in the policy entry.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the given algorithm is selected from the set of algorithms consisting ofDSA/SHA1, RSA/MD5 and RSA/SHA1.
  - 3. The method as described in claim 1 further including the steps of:
    - determining whether the applet has made a request that requires permission; and
      
      if so, using the permission set of the class to determine whether the class has the permission.
  - 4. The method as described in claim 3 further including the step of:
    - responding to the request if the class has the permission.
  - 5. The method as described in claim 1 wherein the step of verifying the identity of the signer verifies that the signer is in a default certificate database and that a certificate of the signer has not expired.
  - 6. The method as described in claim 1 wherein the step of verifying the identity of the signer verifies that the signer contains a certificate chain to a trusted certificate authority, that each certificate in the certificate chain contains a signature that can be verified by a given key, and that each certificate in the certification chain has not expired.
  - 7. The method as described in claim 1 wherein the given file is selected from the set of file types consisting of a first signed jar file, a second signed jar file, and a signed cab file.
  - 8. The method as described in claim 1 wherein the signed applet is executable in a given one of a set of different browser types.

9. A method for executing a signed applet packaged in a given file, comprising:
- upon loading each class, determining whether any signatures in the given file applies to the class;
  
  if so, executing a verification procedure to verify the signature and the identity of a signer that generated the signature;
  
  following a successful verification, determining whether the signer is identified in a policy entry;
  
  if the signer is identified in the policy entry, awarding the class a permission as identified in the policy entry;
  
  responsive to a request that requires a permission, using the permission set for the class to determine whether the class has the permission; and
  
  wherein the signature is verified using a given algorithm used to sign the applet.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method as described in claim 9 further including the step of responding to the request if the class has the permission.
  - 11. The method as described in claim 9 wherein the step of verifying the identity of the signer verifies that the signer is in a default certificate database and that a certificate of the signer has not expired.
  - 12. The method as described in claim 9 wherein the step of verifying the identity of the signer verifies that the signer contains a certificate chain to a trusted certificate authority, that each certificate certificate in the certificate chain contains a signature that can be verified by a given key, and that each certificate in the certification chain has not expired.
  - 13. The method as described in claim 9 wherein the given file is selected from the set of file types consisting of a first signed jar file, a second signed jar file, and a signed cab file.
  - 14. The method as described in claim 9 wherein the signed applet is executable in a given one of a set of different browser types.

15. A computer program product on a computer readable media including computer usable code for use in a Java runtime environment (JRE), comprising:
- an applet class loader for loading a set of applet classes archived in a signed file;
  
  a set of signature engine classes for verifying applet class signatures;
  
  a security manager class callable by the applet class loader upon receipt of an initial request that requires a given permission and, in response thereto invoking a policy file class that verifies a signer based on the existence of a matching certificate in a set of keystores;
  
  wherein at least one signature engine verifies signatures using a given algorithm used to sign the applet classes archived in a signed file; and
  
  wherein for populating a permission set for the class, wherein the class is awarded a permission as specified in the policy file class managed by the security manager class.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product as described in claim 15 wherein the set of signature engine classes includes a DSA/SHA1 class, an RSA/MD5 class, and a RSA/SHA1 class.
  - 17. The computer program product as described claim 15 wherein the applet class loader is invoked by a Java Plug-in of the Java runtime environment.
  - 18. The computer program product as described in claim 15 wherein the applet classes are archived in a jar file.
  - 19. The computer program product as described in claim 15 wherein the applet classes are archived in a cab file.

20. A system, comprising:
- a browser;
  
  a Java runtime environment;
  
  a set of keystores;
  
  an applet class loader for loading a set of applet classes archived in a signed file;
  
  a set of signature engine classes for verifying applet class signatures;
  
  a security manager class callable by the applet class loader upon receipt of an initial request that requires a given permission and, in response thereto, invoking a policy file class that verifies a signer based on the existence of a matching certificate in the set of keystores;
  
  a means for populating a permission set for the class, wherein the class is awarded a permission as specified in a policy entry in a database managed by the security manager class; and
  
  wherein at least one signature engine verifies signatures using a given algorithm used to sign the applet.
- View Dependent Claims (21)
- - 21. The system as described in claim 20 wherein the signed file is selected from the set of file types consisting of a first signed jar file, a second signed jar file, and a signed cab file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Rich, Bruce Arland, Skibbie, Donna, Nadalin, Anthony Joseph, Shrader, Theodore Jack London, Yarsa, Julianne
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Baum, Ronald

Application Number

US09/717,524
Time in Patent Office

1,673 Days
Field of Search

713167-170, 713200-201, 713187-189, 717/107, 717/177
US Class Current

713/170
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

H04L 63/0428   wherein the data content is...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Method and computer program product for processing signed applets

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and computer program product for processing signed applets

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links