Saturday, November 12, 2011

Java code signing setup with keytool

Here's a funny little process that needs some code and documentation.

The Certificate Authority (CA) that I like is StartCom. They want a 2048 bit RSA key with SHA1 hashing. The java keytool won't generate such a key, so the following process is necessary to create a code signing key via StartCom.

Create new key

The command

openssl req -newkey rsa:2048 -new -keyout prikey.pem -out somename.csr

will create "prikey.pem" (the private key) and "somename.csr" (the certificate signing request) after asking for X.500 DName info.

Send CSR

Send your CSR to a CA for signing. This process is fairly involved as the CA goes through its identity resolution process for issuing a Code Signing Certificate.

Receive Signed Certificate

Receive your signed certificate from the CA, for example "signed.pem".

Convert PEM files to DER files

openssl pkcs8 -topk8 -nocrypt -in prikey.pem -inform pem -out prikey.der -outform der
openssl x509 -in signed.pem -inform pem -out signed.der -outform der

OpenSSL does not choose the format from the "pem" and "der" filename extensions (both commands default to PEM output), so the "-inform pem" and "-outform der" options are given explicitly. Without "-outform der" the key file is still PEM and the import step below fails with an "invalid key format" error.

Import Key and Signed

The source file is ImportKey.java, with a binary alongside it at ImportKey.class. Drop the binary into your key processing folder, open a command line terminal, change into that folder, and run

java ImportKey --help
to test your environment.

To perform the import into your key store (for jar signing), run the following in the folder containing all of these files, including ImportKey.class.

java ImportKey -prikey prikey.der -signed signed.der -alias prikey -storepass ${keystorepass}
Refer to the ImportKey "help" for additional options like key pass or store file.
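As an added illustration (not the post's own ImportKey.java), here is a minimal Java program that performs the same import into a JKS store, with two checks a practitioner wants before writing the entry: that the inputs really are DER, and that the private key belongs to the certificate. The class name ImportKeyExample, the argument order and the file names are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;

public class ImportKeyExample {
    // DER begins with a SEQUENCE tag (0x30), PEM with "-----BEGIN". Checking up front turns the
    // opaque InvalidKeySpecException from the comments into a message naming the likely cause.
    static byte[] readDer(String path) throws IOException {
        byte[] data = Files.readAllBytes(Paths.get(path));
        if (data.length == 0 || data[0] != 0x30) throw new IllegalArgumentException(path + " is not DER; re-run openssl with -outform DER");
        return data;
    }

    static PrivateKey loadPkcs8Key(String path) throws Exception {
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(readDer(path)));
    }

    static Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Opens the existing JKS (or starts an empty one if the file is absent) and adds the key entry.
    static void importKey(String storeFile, char[] storePass, char[] keyPass, String alias,
                          PrivateKey key, Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        File f = new File(storeFile);
        if (f.exists()) { try (InputStream in = new FileInputStream(f)) { ks.load(in, storePass); } }
        else ks.load(null, null);
        // Refuse a key that does not belong to the certificate: the RSA moduli must match.
        if (!((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) cert.getPublicKey()).getModulus()))
            throw new IllegalArgumentException("private key does not match the certificate");
        // jarsigner needs a complete chain to build a path; append the CA's intermediates here if it sent any.
        ks.setKeyEntry(alias, key, keyPass, new Certificate[] { cert });
        try (OutputStream out = new FileOutputStream(f)) { ks.store(out, storePass); }
    }

    // Usage: java ImportKeyExample keystore.jks prikey.der signed.der prikey <storepass>
    public static void main(String[] args) throws Exception {
        char[] pass = args[4].toCharArray();
        importKey(args[0], pass, pass, args[3], loadPkcs8Key(args[1]), loadCert(args[2]));
    }
}
```

Compile with javac and run it from the folder holding the DER files; the store password is reused as the key password here, whereas the post's tool lets you set them separately.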

Test Installation

Then to check the code signing operation, create a JAR to sign, then sign and verify.

jarsigner -storepass ${storepass} -keypass ${keypass} test.jar ${alias}
jarsigner -verify -storepass ${storepass} -keypass ${keypass} test.jar

Caveats

This tool supports JKS key stores. Additional support is easy enough to code in.

Credits

Other articles similar to this one are out and about. I wrote this one because I wanted to import into an existing key store and wanted to be certain of the process (measure twice, cut once).

Comments:

Pascal said...

Hi,

So it is possible to sign a Java application with a certificate from StartCom AND this certificate is trusted by the JRE?

I need a certificate for Java Web Start and think Thawte and Verisign are too expensive...

Thanks and best regards,
Pascal

John Pritchard said...

Yes, check the cacerts file
/usr/java/jre/lib/security/cacerts
(or equivalent)
with keytool to list the CAs that are known by default.

NePe said...

I followed your steps, created prikey.der, signed.der, but ImportKey shows the following errors:

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key fo
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
at ImportKey.main(ImportKey.java:239)
Caused by: java.security.InvalidKeyException: invalid key format
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:341)
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:367)
at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
... 2 more

What's the problem? :(

NePe said...

Hi, I found the solution.

Use the following command to generate the PKCS#8 DER file:

openssl pkcs8 -in prikey.pem -topk8 -nocrypt -out prikey.der -outform DER

John Pritchard said...

Glad you found it..

Levan Tsurtsumia said...

I have this error ((

Exception in thread "main" java.lang.NoClassDefFoundError: ImportKey$1
at ImportKey.main(ImportKey.java:150)
Caused by: java.lang.ClassNotFoundException: ImportKey$1
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
... 1 more

John Pritchard said...

Sounds like a classpath problem, try "java -cp . ImportKey ..." ?

Levan Tsurtsumia said...

nope (

I'm trying to run it on Synology NAS.

Command:

java ImportKey -prikey privkey.der -signed signed.der -alias prikey -storepass pass

and it gives this error. All files are in the same place. Perhaps it needs something else?

John Pritchard said...

Try command:

java -classpath directory-with-class-files ImportKey -prikey privkey.der -signed signed.der -alias prikey -storepass pass

Levan Tsurtsumia said...

What is strange is that it finds this class but gives the error anyway, because if I set the classpath to a different directory then it says:

Could not find the main class: ImportKey. Program will exit.

John Pritchard said...

Yea, see also..

http://stackoverflow.com/questions/5976563/java-lang-noclassdeffounderror-in-anonymous-inner-class
