Saturday, November 12, 2011

Java code signing setup with keytool

Here's a funny little process that needs some code and documentation.

The Certificate Authority (CA) that I like is StartCom. They want a 2048 bit RSA key with SHA1 hashing. Java's keytool can generate a 2048 bit RSA key pair of its own, but it has no command that imports a private key from a PEM or DER file into an existing key store, so a key generated with openssl (as below) has to be brought in another way. The following process creates a code signing key with openssl, has it signed by StartCom, and imports the result into a Java key store.

Create new key

The process

openssl req -new -newkey rsa:2048 -keyout prikey.pem -out somename.csr
will create "prikey.pem" and "somename.csr" after asking for X.500 DName info and a pass phrase for the key. The -keyout option matters: without it openssl writes the key to its default "privkey.pem", not "prikey.pem". Add -nodes if you want the key file written unencrypted.

Send CSR

Send your CSR to a CA for signing. This process is fairly involved, as the CA goes through its identity verification process before issuing a Code Signing Certificate. Keep "prikey.pem" where it is; the CA only ever sees the CSR.

Receive Signed Certificate

Receive your signed certificate from the CA, for example "signed.pem".

Convert PEM files to DER files

openssl pkcs8 -topk8 -nocrypt -in prikey.pem -outform DER -out prikey.der
openssl x509 -in signed.pem -outform DER -out signed.der
openssl does not infer the encoding from the ".pem" and ".der" file extensions: both input and output default to PEM, so without "-outform DER" these commands would just write PEM under a ".der" name and ImportKey would choke on it. ("-inform PEM" is the default and can be omitted.) If prikey.pem is encrypted, the pkcs8 command asks for its pass phrase once; -nocrypt then writes the PKCS#8 key unencrypted, so treat prikey.der with the same care as the key store itself and delete it once the import is done.

Import Key and Signed Certificate

The source file is ImportKey.java, with a binary alongside it at ImportKey.class. Drop the binary into your key processing folder, open a command line terminal, change into that folder, and run

java ImportKey --help
to test your environment.

To perform the import into your key store (for jar signing), run the following in the folder containing all of these files, including ImportKey.class.

java ImportKey -prikey prikey.der -signed signed.der -alias prikey -storepass ${keystorepass}
Refer to the ImportKey "help" for additional options like key pass or store file.

Test Installation

Then to check the code signing operation, create a JAR to sign, then sign and verify.

jarsigner -storepass ${storepass} -keypass ${keypass} test.jar ${alias}
jarsigner -verify -verbose -certs test.jar
The first command uses the default key store (~/.keystore) unless you add -keystore. Verification reads the signature and its certificate chain from the JAR itself, so it needs no store or key password; -verbose -certs prints the signer's certificate, which lets you confirm the JAR was signed with the CA-issued certificate and not some leftover self-signed test entry.
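
As an added example (not code from this post or from its ImportKey tool), here is a POSIX shell script that rehearses the openssl steps above on throwaway keys and adds the two checks worth making before running ImportKey: that the converted files really are DER rather than PEM with a ".der" name, and that the certificate actually carries the public half of the private key. It assumes openssl is on the PATH; the CA step is stood in for by a self-signed certificate, and the subject name, directory layout and file names are the script's own choices. The ImportKey and jarsigner steps are left to the commands above, since they need the JDK and the ImportKey.class binary.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the openssl half of the
# procedure on throwaway keys and check the artifacts before ImportKey sees them.
# Assumes openssl is installed. The CA step is replaced by a self-signed
# certificate (a constructed stand-in for the StartCom-issued one).
set -e

# Step 1: 2048 bit RSA key plus CSR. -keyout pins the key file name (openssl's
# default is privkey.pem, not prikey.pem); -nodes leaves the key unencrypted;
# -subj supplies the DName so the script runs without prompts.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/prikey.pem" -out "$1/somename.csr" \
    -subj "/C=US/O=Example/CN=example code signer" 2>/dev/null
}

# Step 2 stand-in: self-sign the CSR. In the real process signed.pem comes
# back from the CA after its identity checks.
stand_in_ca_sign() {
  openssl x509 -req -in "$1/somename.csr" -signkey "$1/prikey.pem" \
    -days 365 -sha256 -out "$1/signed.pem" 2>/dev/null
}

# Step 3: PEM to DER. openssl never infers the encoding from the file
# extension, so -outform DER is what actually makes these DER files.
convert_to_der() {
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
    -in "$1/prikey.pem" -out "$1/prikey.der"
  openssl x509 -inform PEM -outform DER \
    -in "$1/signed.pem" -out "$1/signed.der"
}

# Check 1: print PEM, DER or UNKNOWN for a file. PEM starts with "-----BEGIN";
# a DER PrivateKeyInfo or Certificate is an ASN.1 SEQUENCE, first byte 0x30.
encoding_of() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    echo PEM
  elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# Check 2: the certificate must carry the public half of this private key,
# otherwise the key store entry built from the pair is useless for signing.
# Compare digests of the RSA modulus taken from both DER files.
key_matches_cert() {
  k=$(openssl pkcs8 -inform DER -nocrypt -in "$1/prikey.der" \
        | openssl rsa -noout -modulus 2>/dev/null | openssl sha256)
  c=$(openssl x509 -inform DER -in "$1/signed.der" -noout -modulus \
        | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the good fixture, then a bad one: a fresh key paired with the first
# certificate, which is what mixing up files from two CSR attempts looks like.
GOOD=$(mktemp -d)
make_key_and_csr "$GOOD"
stand_in_ca_sign "$GOOD"
convert_to_der "$GOOD"

BAD=$(mktemp -d)
make_key_and_csr "$BAD"
cp "$GOOD/signed.pem" "$BAD/signed.pem"
convert_to_der "$BAD"

echo "prikey.der: $(encoding_of "$GOOD/prikey.der")"
echo "signed.der: $(encoding_of "$GOOD/signed.der")"
key_matches_cert "$GOOD" && echo "good: key and certificate match"
key_matches_cert "$BAD" || echo "bad: key does not match certificate, do not import"
```

Run it with sh. The modulus comparison is the same check to make on the real signed.pem from StartCom before importing: a mix-up between two CSR attempts is the easiest way to end up with a key store entry whose certificate belongs to a different key, and ImportKey has no way to notice.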

Caveats

This tool supports JKS key stores. Additional support is easy enough to code in. If you would rather not run a custom importer at all, openssl can bundle the key and certificate into a PKCS#12 file ("openssl pkcs12 -export -inkey prikey.pem -in signed.pem -out signer.p12") and "keytool -importkeystore -srckeystore signer.p12 -srcstoretype PKCS12" (Java 6 and later) copies that entry into an existing JKS store. Note also that SHA1, which StartCom asked for when this was written, has since been deprecated for signatures industry wide; ask the CA for a SHA-256 certificate where it is offered and sign with "jarsigner -digestalg SHA-256 -sigalg SHA256withRSA" on a JDK that supports it.

Credits

Other articles similar to this one are out and about. I wrote this one because I wanted to import into an existing key store and wanted to be certain of the process (measure twice, cut once).
