
Questions on online cert signing procedure

2 replies [Last post]
vinaykagarwal
Offline
Joined: 2006-01-14
Points: 0

Hello,

I am trying to understand the exact procedure for signing a Blu-ray disc image and a VFS update bumf jar with online cert received from BDA.

1. Do certs still need to be generated by these? If not, are app.discroot.crt and bu.discroot.crt no longer needed?

2. When online certificate is used, is BDSigner used only for generating online.sig and not for signing jars?
3. In the command for generating online.sig, is the app.discroot.crt same as that generated in item 1?
java net.java.bd.tools.security.BDSigner -debug -onlinekey bda/keyfile.bin -onlinecrt bda/online.crt app.discroot.crt
4. Do these commands sign the jar that goes on disc?
net.java.bd.tools.security.BDCredentialSigner -gencred -gecert grantee.discroot.crt bluray.MyXlet.perm
net.java.bd.tools.security.BDCredentialSigner -updatecert -gacerts grantorchain.crt bluray.MyXlet.perm 00000.jar
5. Are the steps for signing VFS update bumf jar something like these? Is this perm file the one that goes in bumf jar?
net.java.bd.tools.security.BDCredentialSigner -gencert -buda discroot.crt bluray.MyXlet.perm
net.java.bd.tools.security.BDCredentialSigner -updatecert -gacerts grantorchain.crt bluray.MyXlet.perm bumf.jar
6. Where does online.sig go on disc?
7. Is there an example that does all the steps for signing with online cert?

Thanks in advance.

Regards,
Vinay Agarwal

Jaya Hangal

Hi Vinay,

Would you mind telling us about your company (at least the name)?
It definitely helps us to know a little bit about hdcookbook users.

You can mail me directly to my Sun email address.

Thanks,
Jaya

On Dec 9, 2009, at 3:35 PM, bd-j-dev@mobileandembedded.org wrote:

> Hello,
>
> I am trying to understand the exact procedure for signing a Blu-ray
> disc image and a VFS update with online cert received from BDA.
>
> 1. Do certs still need to be generated by these? If not, are
> app.discroot.crt and bu.discroot.crt no longer needed?
> > classname="net.java.bd.tools.security.BDCertGenerator">
> > classname="net.java.bd.tools.security.BDCertGenerator">
> > classname="net.java.bd.tools.security.BDCertGenerator">
>
> 2. When online certificate is used, is BDSigner used only for
> generating online.sig and not for signing jars?
> 3. In the command for generating online.sig, is the app.discroot.crt
> same as that generated in item 1?
> java net.java.bd.tools.security.BDSigner -debug -onlinekey bda/keyfile.bin -onlinecrt bda/online.crt app.discroot.crt
> 4. Do these commands sign the jar that goes on disc?
> net.java.bd.tools.security.BDCredentialSigner -gencred -gecert grantee.discroot.crt bluray.MyXlet.perm
> net.java.bd.tools.security.BDCredentialSigner -updatecert -gacerts grantorchain.crt bluray.MyXlet.perm 00000.jar
> 5. Are the steps for signing VFS update bumf jar something like
> these? Is this perm file the one that goes in bumf jar?
> net.java.bd.tools.security.BDCredentialSigner -gencert -buda discroot.crt bluray.MyXlet.perm
> net.java.bd.tools.security.BDCredentialSigner -updatecert -gacerts grantorchain.crt bluray.MyXlet.perm bumf.jar
> 6. Where does online.sig go on disc?
> 7. Is there an example that does all the steps for signing with
> online cert?
>
> Thanks in advance.
>
> Regards,
> Vinay Agarwal
> [Message sent by forum member 'vinaykagarwal' ]
>
> http://forums.java.net/jive/thread.jspa?messageID=375667
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: bd-j-dev-unsubscribe@hdcookbook.dev.java.net
> For additional commands, e-mail: bd-j-dev-help@hdcookbook.dev.java.net
>


jaya_h
Offline
Joined: 2005-07-11
Points: 0

> Hello,
>
> I am trying to understand the exact procedure for
> signing a Blu-ray disc image and a VFS update bumf
> jar with online cert received from BDA.
>
> 1. Do certs still need to be generated by these? If
> not, are app.discroot.crt and bu.discroot.crt no
> longer needed?

The short answer is all certs are needed. Each cert has a specific usage.

app.discroot.crt: needed for verifying the signed application jar file
bu.discroot.crt: needed for verifying BUMF signature (bumf.sf)
online.crt: needed for certified online connection

The certificate format may vary depending on the usage. There is no
guarantee that interchanging the certificates/keys will work if it's used
for purposes other than its main usage.

> 2. When online certificate is used, is BDSigner used
> only for generating online.sig and not for signing
> jars?

Yes.

> 3. In the command for generating online.sig, is the
> app.discroot.crt same as that generated in item 1?

Yes. It must be the same.

> 4. Do these commands sign the jar that goes on disc?
> net.java.bd.tools.security.BDCredentialSigner -gencred -gecert grantee.discroot.crt bluray.MyXlet.perm
> net.java.bd.tools.security.BDCredentialSigner -updatecert -gacerts grantorchain.crt bluray.MyXlet.perm 00000.jar

Read comment for 5) first.
The first command results in a PRF with signed credentials added to it.
The second command results in a signed jar along with grantor's certificates bundled in it as per the BD-J spec.
Yes, you don't sign again using BDSigner after running the second command though.

I highly recommend referring to the build scripts for the tests under xlets/tests/functional/BudaCredentials for using credential signing.

> 5. Are the steps for signing VFS update bumf jar
> something like these? Is this perm file the one
> that goes in bumf jar?
> net.java.bd.tools.security.BDCredentialSigner -gencert -buda discroot.crt bluray.MyXlet.perm
> net.java.bd.tools.security.BDCredentialSigner -updatecert -gacerts grantorchain.crt bluray.MyXlet.perm bumf.jar

The CredentialSigner is required if you have two discs with different OrgIDs and one of them needs
to access the organization dependent directory of the other.
You don't need it for a VFS update.
For the VFS update you need the bumf.sf (which is the signed file of bumf.xml). You can use BDSigner for generating bumf.sf.

> 6. Where does online.sig go on disc?
> 7. Is there an example that does all the steps for
> signing with online cert?

I think all online.* files go to the CERTIFICATE directory.
We don't have a test, our best bet is the documentation of the security tools.
We haven't tested one on the actual player ourselves as we don't have a BDA provided certificate. But, we have worked closely with some authors who own BDA key/certificate and confirmed that it works as expected.

-Jaya
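
A presence check built from the certificate roles in the reply above, as an added example that is not part of the original posts or of the hdcookbook tools. It assumes all four files sit under CERTIFICATE/ (the reply only places online.* there) and that a signed jar carries a standard META-INF signature file and block; it does not validate any signature. The function names and feature keys are hypothetical.

```python
import tempfile
import zipfile
from pathlib import Path

# Roles as given in the reply above. Keeping all of these files under
# CERTIFICATE/ is an assumption; the reply only places online.* there.
REQUIRED = {
    "signed_app": ["app.discroot.crt"],          # verifies the signed application jar
    "vfs_update": ["bu.discroot.crt"],           # verifies bumf.sf
    "online": ["online.crt", "online.sig"],      # certified online connection
}
SIG_FILE, SIG_BLOCK = (".SF",), (".RSA", ".DSA")

def jar_signature_entries(jar_path):
    """Return META-INF entries that are signature files or signature blocks."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist()
                      if n.upper().startswith("META-INF/")
                      and n.upper().endswith(SIG_FILE + SIG_BLOCK))

def preflight(disc_root, features, jars=()):
    """List missing certificate files and jars with no signature file/block pair."""
    problems = []
    cert_dir = Path(disc_root) / "CERTIFICATE"
    for feature in features:
        for name in REQUIRED[feature]:
            if not (cert_dir / name).is_file():
                problems.append(f"{feature}: missing CERTIFICATE/{name}")
    for jar in jars:
        names = [n.upper() for n in jar_signature_entries(jar)]
        if not (any(n.endswith(SIG_FILE) for n in names)
                and any(n.endswith(SIG_BLOCK) for n in names)):
            problems.append(f"{Path(jar).name}: not signed (no .SF plus block in META-INF)")
    return problems

def demo():
    """Constructed sample tree: online.sig is absent and 00000.jar is unsigned."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp) / "CERTIFICATE"
        cert.mkdir()
        for name in ("app.discroot.crt", "bu.discroot.crt", "online.crt"):
            (cert / name).write_bytes(b"constructed placeholder")
        jar = Path(tmp) / "00000.jar"
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return preflight(tmp, ["signed_app", "vfs_update", "online"], [jar])

if __name__ == "__main__":
    print("\n".join(demo()))
```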