network access

eelliott
Joined: 2007-05-07

I am new to OCAP development and I'm trying to understand how to access an http URL with a URLConnection in an unbound xlet, using OOB communication (as a starting point). I have two related groups of questions:

1 - How does the xlet signing process work for OCAP?
I understand that an xlet that attempts to access the network needs a .perm file that requests permission to connect to the network for a given host. How does one package and sign an OCAP application that includes a PRF?

Can anybody point me to documentation regarding application signing for an OCAP xlet?

What tools are available with the Reference Implementation and SDK, or elsewhere, that help with application signing? Is there something similar to the HDCookbook project's BDSigner tool for OCAP apps? Any chance the BDSigner tool might even be adaptable here?

2 - What certificates are necessary for signing?
The tips at the following link suggest that one must first request test certificates from CableLabs.
http://www.unisoft.com/ocap/signing-ocap-apps.html

Is this necessary in all development and testing cases for applications making network connections?

Thanks.

greg80303
Joined: 2008-07-03

To disable permission checks, you need to modify the following file:

/ocap-ri/ocap/bin/CableLabs/simulator/Win32/debug/env/mpeenv.ini

Add the following line to disable permission checks:

OCAP.mgrmgr.OcapSecurity=org.cablelabs.impl.manager.security.NoAccessControl

App authentication is actually disabled by default. You can enable it by modifying the following section in the mpeenv.ini file:

#### Authentication Support ####
MPE.ROOTCERTS=/syscwd/sys/certs/RC0_RC2.cert
#OCAP.mgrmgr.Auth=org.cablelabs.impl.manager.auth.AuthManagerImpl
OCAP.mgrmgr.Auth=org.cablelabs.impl.manager.auth.NoAuthentication

As you can see, the real authentication manager is commented out. Switch these to enable authentication. Additionally, as per spec, the root certificates that were used to sign all applications must be present on the device. The MPE.ROOTCERTS value allows you to specify the location of the root certificate file.

But please keep in mind, if you are trying to make your life as easy as possible, just give your application an AppID larger than 0x4000 (MHP1.0.3 10.5.1 Table 12) and keep authentication disabled -- the stack will consider your application signed and it will read your PRF so that you can grant network permissions.

Good luck!

G
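
The two mpeenv.ini settings from the post above are easy to leave in place after testing, so here is a small audit script that flags them. It is an added example, not part of the original post or of the RI project; the key and class names are the ones quoted in the post, while the function names and the sample text are constructed for illustration.

```python
# Keys and class names are the ones quoted in the post; everything else is illustrative.
DISABLING = {
    "OCAP.mgrmgr.OcapSecurity": ("org.cablelabs.impl.manager.security.NoAccessControl",
                                 "permission checks are disabled"),
    "OCAP.mgrmgr.Auth": ("org.cablelabs.impl.manager.auth.NoAuthentication",
                         "application authentication is disabled"),
}
REAL_AUTH = "org.cablelabs.impl.manager.auth.AuthManagerImpl"

def active_settings(text):
    """Return {key: [(line_no, value), ...]} for uncommented key=value lines."""
    settings = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment (including commented-out settings), or not a setting
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, []).append((no, value))
    return settings

def audit(text):
    """Return findings for settings that switch off security checks."""
    settings = active_settings(text)
    findings = []
    for key, (bad, why) in DISABLING.items():
        for no, value in settings.get(key, []):
            if value == bad:
                findings.append(f"line {no}: {why} ({key}={value})")
    # The real authentication manager needs the root certificate file location.
    auth_values = [v for _, v in settings.get("OCAP.mgrmgr.Auth", [])]
    roots = [v for _, v in settings.get("MPE.ROOTCERTS", []) if v]
    if REAL_AUTH in auth_values and not roots:
        findings.append("authentication enabled but MPE.ROOTCERTS is not set")
    return findings

# Constructed sample: the section quoted in the post plus the NoAccessControl line.
SAMPLE = """\
#### Authentication Support ####
MPE.ROOTCERTS=/syscwd/sys/certs/RC0_RC2.cert
#OCAP.mgrmgr.Auth=org.cablelabs.impl.manager.auth.AuthManagerImpl
OCAP.mgrmgr.Auth=org.cablelabs.impl.manager.auth.NoAuthentication
OCAP.mgrmgr.OcapSecurity=org.cablelabs.impl.manager.security.NoAccessControl
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
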

eelliott
Joined: 2007-05-07

Thanks, Gregg.

I did find that I can run apps in the 0x4000+ range unsigned. It's good to know that the simulator can be configured to enable permission checks for testing that when we reach later stages of development.

Eddie

greg80303
Joined: 2008-07-03

First of all, the documentation on how app signing works is located in 2 specifications:

MHP1.0.3 (ETSI TS 101 812 v1.3.4) Chapter 12
OCAP1.1.1 Chapter 14

The permission you are trying to request only requires that the app be signed by a single authority. Once your app begins to request MonApp permissions, you will have to be dually signed and you must ensure that your XAIT contains a Privileged Certificate Descriptor that corresponds to the certificates that you used to sign your app (OCAP1.1.1 11.2.2.3.16).

As far as app signing tools, you can use any tool that will sign your application according to the rules designated by MHP and OCAP in the specs I listed above. Unfortunately, I am not very familiar with the availability and/or spec compliance of these tools. The RI project does not provide a signing tool with our source or binary distributions at this time.

However, I can tell you that there are very easy ways to disable both permission checks and app authentication within the stack which may allow you to get to the heart of your investigation (HTTP file access from an unbound app). Unfortunately, I am not very familiar with the SDK distribution, so I will need to contact our SDK guru so that I can give you instructions that will make sense for the SDK.

To be continued.....