advertisement

Jar signing

60 %
40 %
advertisement
Information about Jar signing
Technology

Published on March 14, 2014

Author: ltcrd

Source: slideshare.net

advertisement

Java jar signer Jason

Java Security Manager 為何有 Secuirty Manager 機制 ?  Browser 把 class(jar) download 下來後,再啟動 java 去執行 download 下來的程式碼來執行是很危險的事。

Java Security Manager Java Applet 在執行時有兩種模式  有啟動 Secuirty Manager  沒有啟動 Secuirty Manager

Java Security Manager Jar Signing  Jar 檔被 sign 過,就會 Secuirty Manager 告知是否執行該 jar 檔。  Jar 檔若沒被 sign 過,就會被 Secuirty Manager 警告。 目的: Jar 檔 被 sign 過表示確定是個有名有姓的人產生的 Jar 檔,而且做出來後沒有被別人篡改過。

Jar signing 如何對 Jar (Applet) 檔進行 signing ?  OpenSSL : 是套開放原始碼的SSL套件  Keytool : Install JRE  Jarsigner : Install JDK

Java keytool Keytool is the key (key) and certificates (certificates) in the presence of a file called keystore  keystore  Key entity  Trusted certificate entries

Java keytool Keytool Command  -keystore The file named .keystore in the user's home directory  -alias Create alias. Defalut : "mykey"  -genkey Creating or Adding Data to the Keystore  -keyalg key algorithm name. Defalut : "DSA"  -keysize key bit size. Defalut : 1024  -certreq Generate the Certificate Signing Request (CSR)  -import Imports a certificate or a certificate chain  -list Lists entries in a keystore  -v verbose output

Jar signing - Step1 Creating a Sample CA Certificate  openssl req -config c:opensslbinopenssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365 Using properties from c:opensslbinopenssl.cnf Loading ’screen’ into random state: done Generating a 1024 bit RSA private key .................++++++ .....................++++++ writing new private key to ’ca-key.pem.txt’ Enter PEM pass phrase: Verifying password: Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ’.’, the field will be left blank. ----- Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Monrovia Organization Name (eg, company) []:Sun Organizational Unit Name (eg, section) []:Development Common Name (eg, your websites domain name) [] :development.sun.com Email Address []:development@sun.com

Jar signing - Step2 Create java keystore  keytool –keystore clientkeystore –genkey –alias client Enter keystore password: What is your first and last name? [Unknown]: Jason What is the name of your organizational unit? [Unknown]: Jason What is the name of your organization? [Unknown]: Jason What is the name of your City or Locality? [Unknown]: Jason What is the name of your State or Province? [Unknown]: Jason What is the two-letter country code for this unit? [Unknown]: US Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct? [no]: yes Enter key password for <client> (RETURN if same as keystore password):

Jar signing Keystore verbose output  keytool -list -v -keystore clientkeystore Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Serial number: 3277605 Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014

Jar signing - Step3 Generate the Certificate Signing Request  keytool –keystore clientkeystore –certreq –alias client –keyalg rsa –file client.csr -----BEGIN NEW CERTIFICATE REQUEST----- MIICkjCCAlACAQAwXTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBUphc29uMQ4wDAYDVQQHEwVKYXNv bjEOMAwGA1UEChMFSmFzb24xDjAMBgNVBAsTBUphc29uMQ4wDAYDVQQDEwVKYXNvbjCCAbgwggEs BgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9 jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD 9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGB APfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYT t88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaS i2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDUBuLc31+1uV7iu+WyFy6kmDsTwawhqhC18g2wu90oTmEo S7zDqL1WgeK55DKcDLxv1xGZuD1StwngUSjwBMsLFWPYi8aZ3AeUWVrA142iULDeSox7AtaI1Q2N 2m3LmmNfJxNt7clRhovxruIBwVsW+iSfk2+BsdKHIEYLrXIiGKAwMC4GCSqGSIb3DQEJDjEhMB8w HQYDVR0OBBYEFKvw3eE6Hw5fMgo70jvKcxRo4AHaMAsGByqGSM44BAMFAAMvADAsAhR2gLVksdXf YoE4WLBFm5ydJdtvcwIUaN5L0iUgRXBIPxDGjwHDEHDB0C4= -----END NEW CERTIFICATE REQUEST-----

Jar signing - Step4 Generate a signed certificate for the associated Certificate Signing Request.  openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial

Jar signing - Step5 Use the keytool to import the CA certificate into the client keystore  keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot

Jar signing Keystore verbose output Alias name: thecaroot Creation date: 2014/3/7 Entry type: trustedCertEntry Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295 Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015

Jar signing - Step6 Use the keytool to import the signed certificate for the associated client alias in the keystore.  keytool –import –keystore clientkeystore –file client.cer –alias client

Jar signing Keystore verbose output Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: 86848dcdcc6a2971 Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015 Certificate[2]: Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development , O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295

Jar signing - Step7 Generates signatures for Java ARchive (JAR) files  jarsigner -keystore clientkeystore SignedApplet.jar client

Jar signing Verifying a Signed JAR File  jarsigner -verify -verbose SignedApplet.jar s 169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF 320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF 1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA 0 Mon Feb 21 19:29:40 CST 2011 META-INF/ sm 2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified.

Jar signing - Step8 Go to「Java Control Panel」→「Security Tab 」→ 「Manage Certificates」 Import ca-certificate.pem file

Certificate detail

Reference Java SE Decumentation http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html Configuring Java CAPS for SSL Support http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Signing JAR Files (The Java™ Tutorials > Deployment ...

This deployment Java tutorial describes development and deployment of applets, Java Web Start applications, rich Internet applications, and JAR related tools
Read more

JAR Signing - Eclipsepedia

Other signing links. Pack200#Jar_Processor documents the JarProcessor tool that performs JAR signing; JarProcessor_Options documents the options available ...
Read more

Signing and Verifying JAR Files (The Java™ Tutorials ...

This deployment Java tutorial describes development and deployment of applets, Java Web Start applications, rich Internet applications, and JAR related tools
Read more

Java Applet & .jar Code Signing Zertifikate

Code Signing für Java.jar-Dateien und Java-Apps digital signieren. GlobalSign Code Signing Zertifikate für Java werden verwendet, um .jar-Dateien und ...
Read more

JAR Signing - Introduction to Programming in Java: An ...

JAR Signing. In Java version 1.2, users can prevent Java programs from accessing the filesystems of their local computers. This would include tasks like ...
Read more

applet - Signing .Jar file - Stack Overflow

Im sitting with a bit of a problem. Im busy creating a php/html website (intranet) for our support team to make life a bit easier when support linux machines.
Read more

JAR signing - Tutorials - Servoy Wiki

Library signing "Signing" a library (.jar file) means the manifest.mf file (which is contained in the .jar file) will contain MD5 hashes for the contained ...
Read more

Java Code Signing Certificate Guide | DigiCert.com

Generate a CSR for Code Signing Certificates in Java and Install the Returned File to a Java Keystore, Setup and Use of Certificates for Java Code Signing.
Read more

Apache Maven Jarsigner Plugin – Introduction

Apache Maven Jarsigner Plugin. This plugin provides the capability to sign or verify a project artifact and attachments using jarsigner.
Read more

Java Applet & Web Start - Code Signing - Oracle

Java Applet & Web Start - Code Signing Starting with Java SE 7 Update 21 in April 2013 all Java Applets and Web Start Applications are encouraged to be ...
Read more