Java jar signer Jason
Java Security Manager
Why is there a Security Manager mechanism?
Once a browser has downloaded a class (jar), starting Java to run that downloaded code is a dangerous thing to do: the code came from an arbitrary web site and would otherwise run with the user's full privileges.
Java Security Manager
A Java Applet runs in one of two modes:
with the Security Manager enabled
without the Security Manager enabled
Java Security Manager
Jar Signing
If the Jar file has been signed, the Security Manager prompts the user to decide whether to run it.
If the Jar file has not been signed, the Security Manager issues a warning.
Purpose: a signed Jar file shows that it was produced by an identifiable party and has not been altered by anyone since it was built. Both guarantees only hold if the user trusts the certificate that signed the Jar (see Step 8).
Jar signing
How do you sign a Jar (Applet) file? Three tools are involved:
OpenSSL: an open-source SSL toolkit (used here to act as the CA)
Keytool: installed with the JRE
Jarsigner: installed with the JDK
Java keytool
Keytool stores keys and certificates in a file called a keystore.
A keystore holds two kinds of entries: key entries (a private key with its certificate chain) and trusted certificate entries.
Java keytool
Keytool Command
-keystore   keystore file; by default the file named .keystore in the user's home directory
-alias      entry alias; default "mykey"
-genkey     generates a key pair and adds it to the keystore (-genkeypair in newer releases)
-keyalg     key algorithm name; default "DSA"
-keysize    key size in bits; default 1024
-certreq    generates a Certificate Signing Request (CSR)
-import     imports a certificate or a certificate chain (-importcert in newer releases)
-list       lists the entries in a keystore
-v          verbose output
Jar signing - Step1 Creating a Sample CA Certificate
openssl req -config c:\openssl\bin\openssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365
The CA private key is written to ca-key.pem and protected by the PEM pass phrase entered below; Step 4 asks for it again. The 1024-bit key is the openssl.cnf default of the time; current practice is at least 2048 bits (-newkey rsa:2048).
Using configuration from c:\openssl\bin\openssl.cnf
Loading 'screen' into random state: done
Generating a 1024 bit RSA private key
.................++++++
.....................++++++
writing new private key to 'ca-key.pem'
Enter PEM pass phrase:
Verifying password: Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Monrovia
Organization Name (eg, company) []:Sun
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your websites domain name) []:development.sun.com
Email Address []:[email protected]
Jar signing - Step2
Create the Java keystore and the signer's key pair:
keytool -keystore clientkeystore -genkey -alias client
Without -keyalg this creates the default 1024-bit DSA key (see the option table above), which is why the signature block file later appears as META-INF/CLIENT.DSA.
Enter keystore password:
What is your first and last name?
  [Unknown]:  Jason
What is the name of your organizational unit?
  [Unknown]:  Jason
What is the name of your organization?
  [Unknown]:  Jason
What is the name of your City or Locality?
  [Unknown]:  Jason
What is the name of your State or Province?
  [Unknown]:  Jason
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US correct?
  [no]:  yes

Enter key password for <client>
        (RETURN if same as keystore password):
Jar signing
Keystore verbose output:
keytool -list -v -keystore clientkeystore
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Serial number: 3277605
Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
At this point Owner and Issuer are identical and the chain length is 1: the certificate is self-signed, with keytool's default validity of 90 days.
Jar signing - Step3
Generate the Certificate Signing Request (CSR) for the client key:
keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
Note: the key algorithm was fixed when the key pair was generated in Step 2; -keyalg rsa here does not convert the DSA key, and the CSR simply carries the existing public key.
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
Jar signing - Step4
Have the CA sign the CSR, producing the client certificate. openssl asks for the CA key's pass phrase from Step 1; -CAcreateserial creates the serial-number file ca-certificate.srl on first use.
openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem -in client.csr -out client.cer -days 365 -CAcreateserial
Jar signing - Step5
Use keytool to import the CA certificate into the client keystore as a trusted certificate entry (answer yes to the "Trust this certificate?" prompt):
keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
Jar signing
Keystore verbose output (the new entry; note that the alias is stored lower-cased):
Alias name: thecaroot
Creation date: 2014/3/7
Entry type: trustedCertEntry

Owner: [email protected], CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: [email protected], CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
Jar signing - Step6
Use keytool to import the CA-signed certificate into the keystore under the same alias as the key (client). keytool accepts the certificate reply because its issuer, theCARoot, is now a trusted entry in the same keystore.
keytool -import -keystore clientkeystore -file client.cer -alias client
Jar signing
Keystore verbose output:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: [email protected], CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: 86848dcdcc6a2971
Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015
Certificate[2]:
Owner: [email protected], CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: [email protected], CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
The self-signed certificate from Step 2 has been replaced by the CA-issued one (Issuer is now the CA), and the chain now has length 2 because the CA certificate is appended.
Jar signing - Step7
Sign the JAR file with the client key. jarsigner prompts for the keystore password and adds META-INF/CLIENT.SF (digests of the manifest entries) and META-INF/CLIENT.DSA (the signature over the .SF file plus the certificate chain) to the archive; the file names come from the alias.
jarsigner -keystore clientkeystore SignedApplet.jar client
Jar signing
Verifying a Signed JAR File
jarsigner -verify -verbose SignedApplet.jar
s        169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
         320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF
        1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA
           0 Mon Feb 21 19:29:40 CST 2011 META-INF/
sm      2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
jar verified.
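Steps 1 to 7 above, scripted end to end, as an added example that is not part of the original slides. It runs non-interactively and finishes with a tamper test: one entry of the signed jar is rewritten and jarsigner -verify is run again. Assumptions: openssl, keytool, jarsigner and jar are on PATH; $OpenSslCnf points at the openssl.cnf used in Step 1; RSA-2048 with SHA-256 is used instead of the 1024-bit/DSA defaults shown in the slides; 'changeit' and hello.txt are placeholders for a real password and for SignedApplet.class.

```powershell
# Added example (not from the original slides): Steps 1-7 of the deck run
# non-interactively, followed by a tamper test. Assumes openssl, keytool,
# jarsigner and jar are on PATH and that $OpenSslCnf exists. RSA-2048/SHA-256
# replace the 1024-bit/DSA defaults in the slides; 'changeit' and hello.txt are
# placeholders for a real password and for SignedApplet.class.
$OpenSslCnf = 'c:\openssl\bin\openssl.cnf'
$StorePass  = 'changeit'
$Jar        = 'SignedApplet.jar'

function Invoke-Tool {
    # Run an external tool with the given arguments; stop if it exits non-zero.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs[0]) failed (exit $LASTEXITCODE)" }
}

function Test-JarSignature {
    # True only if jarsigner prints "jar verified.". The exit code alone is not
    # enough: an unsigned jar also exits 0. Passing -keystore lets theCARoot act
    # as the trust anchor, so the chain validates and entries get the 'k' flag.
    param([string]$Path)
    $out = & jarsigner -verify -verbose -certs -keystore clientkeystore -storepass $StorePass $Path 2>&1 | Out-String
    Write-Host $out
    return ($LASTEXITCODE -eq 0 -and $out -match 'jar verified\.')
}

# Step 1: CA key and self-signed certificate (-nodes: no pass phrase prompt).
Invoke-Tool openssl @('req', '-config', $OpenSslCnf, '-new', '-x509', '-newkey', 'rsa:2048',
    '-sha256', '-nodes', '-days', '365', '-keyout', 'ca-key.pem', '-out', 'ca-certificate.pem',
    '-subj', '/C=US/ST=California/L=Monrovia/O=Sun/OU=Development/CN=development.sun.com')

# Step 2: signer key pair in the keystore (-dname replaces the interactive questions).
Invoke-Tool keytool @('-genkeypair', '-keystore', 'clientkeystore', '-storepass', $StorePass,
    '-keypass', $StorePass, '-alias', 'client', '-keyalg', 'RSA', '-keysize', '2048',
    '-sigalg', 'SHA256withRSA', '-validity', '365',
    '-dname', 'CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US')

# Step 3: certificate signing request for the client key.
Invoke-Tool keytool @('-certreq', '-keystore', 'clientkeystore', '-storepass', $StorePass,
    '-alias', 'client', '-file', 'client.csr')

# Step 4: the CA signs the request.
Invoke-Tool openssl @('x509', '-req', '-in', 'client.csr', '-CA', 'ca-certificate.pem',
    '-CAkey', 'ca-key.pem', '-CAcreateserial', '-days', '365', '-sha256', '-out', 'client.cer')

# Step 5: CA certificate becomes a trusted entry (-noprompt answers "Trust this certificate?").
Invoke-Tool keytool @('-importcert', '-keystore', 'clientkeystore', '-storepass', $StorePass,
    '-alias', 'theCARoot', '-file', 'ca-certificate.pem', '-noprompt')

# Step 6: the CA-signed certificate replaces the self-signed one under alias 'client'.
Invoke-Tool keytool @('-importcert', '-keystore', 'clientkeystore', '-storepass', $StorePass,
    '-alias', 'client', '-file', 'client.cer')

# Step 7: build a minimal jar and sign it; SHA-256 digests go into META-INF/CLIENT.SF.
Set-Content -Path 'hello.txt' -Value 'hello'
Invoke-Tool jar @('cf', $Jar, 'hello.txt')
Invoke-Tool jarsigner @('-keystore', 'clientkeystore', '-storepass', $StorePass,
    '-digestalg', 'SHA-256', '-sigalg', 'SHA256withRSA', $Jar, 'client')
if (-not (Test-JarSignature $Jar)) { throw 'freshly signed jar must verify' }

# Tamper test: rewrite hello.txt inside the signed jar without touching META-INF/*.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip    = [System.IO.Compression.ZipFile]::Open($Jar, [System.IO.Compression.ZipArchiveMode]::Update)
$stream = $zip.GetEntry('hello.txt').Open()
$stream.SetLength(0)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.Write('tampered payload')
$writer.Dispose()   # also closes $stream
$zip.Dispose()      # flushes the modified archive to disk

# The digest recorded for hello.txt no longer matches its content, so jarsigner
# reports a SecurityException ("SHA-256 digest error for hello.txt") and exits 1.
if (Test-JarSignature $Jar) { throw 'tampered jar must NOT verify' }
Write-Host 'Tampering detected: jarsigner refused the modified jar.'
```

Run it in an empty scratch directory. It leaves clientkeystore, the CA files and SignedApplet.jar behind for inspection with keytool -list -v and jarsigner -verify -verbose, and Step 8 (trusting the CA in the Java Control Panel) remains a manual step. The tamper test is the point of the exercise: the signature does not prevent modification of the archive, it only makes the modification detectable, and it is detectable only if the verifying side checks the signature and trusts the signing CA.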
Jar signing - Step8
Go to "Java Control Panel" → "Security" tab → "Manage Certificates"
Import the ca-certificate.pem file (under the Signer CA certificate type), so that the browser's Java plug-in trusts Jars signed with certificates issued by this CA.
Certificate detail
Reference
Java SE Documentation
http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
Configuring Java CAPS for SSL Support
http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html