How to Sign a jar File

Posted on November 11, 2012. Filed under: java/j2EE |


Based on the Oracle tutorial:

http://docs.oracle.com/javase/tutorial/deployment/jar/index.html

We can create a jar file with the jar command.

We can create a signed jar file with the jarsigner command.

The following is a video example of using a signed jar in an applet.

In How To Create New Java Permissions we created a custom permission class as well as a policy file. Here we will build a jar file from them, then sign the jar with a certificate and write a policy that only grants the permissions to code carrying that signature:


jarsigner demo #mkdir jarsigner
jarsigner demo #cd jarsigner
jarsigner demo #echo "generate a self-siged keypair">/dev/null
jarsigner demo #keytool -genkeypair -alias keypair -keyalg RSA -keypass password -keystore keypair.jks -storepass password
What is your first and last name?
 [Unknown]: whatever
What is the name of your organizational unit?
 [Unknown]: kl2217org
What is the name of your organization?
 [Unknown]: kl2217
What is the name of your City or Locality?
 [Unknown]: bla
What is the name of your State or Province?
 [Unknown]: bla
What is the two-letter country code for this unit?
 [Unknown]: US
Is CN=whatever, OU=kl2217org, O=kl2217, L=bla, ST=bla, C=US correct?
 [no]: yes

jarsigner demo #keytool -exportcert -alias keypair -file pubkey.cer -keystore keypair.jks -storepass password
Certificate stored in file <pubkey.cer>
jarsigner demo #keytool -importcert -alias pubkey -file pubkey.cer -keystore pubkey.jks -storepass password
Owner: CN=whatever, OU=kl2217org, O=kl2217, L=bla, ST=bla, C=US
Issuer: CN=whatever, OU=kl2217org, O=kl2217, L=bla, ST=bla, C=US
Serial number: 50a073c3
Valid from: Sun Nov 11 22:57:55 EST 2012 until: Sat Feb 09 22:57:55 EST 2013
Certificate fingerprints:
 MD5: A3:1C:9C:E3:F7:E8:F2:97:E5:38:C4:0B:63:E1:49:32
 SHA1: A1:DC:0F:0C:95:AE:20:CA:E4:08:F9:6D:C8:F5:6D:30:80:B5:8B:AC
 Signature algorithm name: SHA1withRSA
 Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
jarsigner demo #vi HelloFile.java
jarsigner demo #vi CustomerPermission.java
jarsigner demo #vi HelloFile.java
jarsigner demo #cat HelloFile.java
import java.io.*;
import java.security.AccessController;
public class HelloFile {
    public static void main(String [] args) {
        if(System.getSecurityManager()==null){
            System.setSecurityManager(new SecurityManager());
        }
        CustomerPermission cp = new CustomerPermission("cust");
        AccessController.checkPermission(cp);
        try{
            BufferedReader br = new BufferedReader(new FileReader("/tmp/testfile.txt"));
            System.out.println(br.readLine());
        }catch(Exception e){
            e.printStackTrace();
        }
    }
}
jarsigner demo #cat CustomerPermission.java
import java.security.BasicPermission;

public class CustomerPermission extends BasicPermission{
    public CustomerPermission(String name){
        super(name);
    }

}
jarsigner demo #
jarsigner demo #cat /tmp/testfile.txt
test for signed jar
jarsigner demo #echo "create unsigned jar first">/dev/null
jarsigner demo #javac HelloFile.java CustomerPermission.java
jarsigner demo #jar cf HelloFile.jar HelloFile.class CustomerPermission.class
jarsigner demo #jar cfe HelloFile.jar HelloFile HelloFile.class
jarsigner demo #vi HelloFile.policy
jarsigner demo #cat HelloFile.policy
grant codeBase "file:./*" {
    permission java.io.FilePermission "/tmp/*", "read";
    permission CustomerPermission "cust";
};
jarsigner demo #
jarsigner demo #java -jar HelloFile.jar -Djava.security.policy="./HelloFile.policy"
Exception in thread "main" java.lang.NoClassDefFoundError: CustomerPermission
Caused by: java.lang.ClassNotFoundException: CustomerPermission
 at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
 at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
jarsigner demo #jar tf HelloFile.jar
META-INF/
META-INF/MANIFEST.MF
HelloFile.class
jarsigner demo #jar uf HelloFile.jar CustomerPermission.class
jarsigner demo #jar tf HelloFile.jar
META-INF/
META-INF/MANIFEST.MF
HelloFile.class
CustomerPermission.class
jarsigner demo #java -jar HelloFile.jar -Djava.security.policy="./HelloFile.policy"
Exception in thread "main" java.security.AccessControlException: access denied (CustomerPermission cust)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
 at java.security.AccessController.checkPermission(AccessController.java:549)
 at HelloFile.main(HelloFile.java:9)
jarsigner demo #vi HelloFile.policy
jarsigner demo #java -jar -Djava.security.policy="./HelloFile.policy" HelloFile.jar
test for signed jar
jarsigner demo #echo "sign the jar file with private key">/dev/null
jarsigner demo #jarsigner -keystore keypair.jks -sigfile SIGNATURE -signedjar HelloFileSigned.jar HelloFile.jar keypair
Enter Passphrase for keystore:

Warning:
The signer certificate will expire within six months.
jarsigner demo #jar tf HelloFileSigned.jar
META-INF/MANIFEST.MF
META-INF/SIGNATUR.SF
META-INF/SIGNATUR.RSA
META-INF/
HelloFile.class
CustomerPermission.class
jarsigner demo #jar xf HelloFileSigned.jar META-INF
jarsigner demo #vi META-INF/MANIFEST.MF
jarsigner demo #vi META-INF/SIGNATUR.SF
jarsigner demo #vi META-INF/SIGNATUR.RSA
jarsigner demo #vi HelloFileSigned.policy
jarsigner demo #ls
CustomerPermission.class HelloFile.jar HelloFileSigned.jar keypair.jks
CustomerPermission.java HelloFile.java HelloFileSigned.policy pubkey.cer
HelloFile.class HelloFile.policy META-INF pubkey.jks
jarsigner demo #cat HelloFileSigned.policy
keystore "file:./pubkey.jks";
grant signedBy "pubkey", codeBase "file:./HelloFileSigned.jar" {
 permission java.io.FilePermission "/tmp/*", "read";
 permission CustomerPermission "cust";
};

jarsigner demo #java -jar -Djava.security.policy="./HelloFileSigned.policy" HelloFileSigned.jar
test for signed jar
jarsigner demo #echo "the policy will prevent unsigned jar to run">/dev/null
jarsigner demo #java -jar -Djava.security.policy="./HelloFileSigned.policy" HelloFile.jar
Exception in thread "main" java.security.AccessControlException: access denied (CustomerPermission cust)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
 at java.security.AccessController.checkPermission(AccessController.java:549)
 at HelloFile.main(HelloFile.java:9)
jarsigner demo #echo "jarsigner can also be used to verify a signed jar">/dev/null
jarsigner demo #jarsigner -verify -verbose HelloFileSigned.jar

         228 Sun Nov 11 23:23:36 EST 2012 META-INF/MANIFEST.MF
         326 Sun Nov 11 23:23:36 EST 2012 META-INF/SIGNATUR.SF
         904 Sun Nov 11 23:23:36 EST 2012 META-INF/SIGNATUR.RSA
           0 Sun Nov 11 23:06:00 EST 2012 META-INF/
sm      1088 Sun Nov 11 23:04:26 EST 2012 HelloFile.class
sm       246 Sun Nov 11 23:04:26 EST 2012 CustomerPermission.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.

Re-run with the -verbose and -certs options for more details.
jarsigner demo #jarsigner -verify -verbose HelloFile.jar

           0 Sun Nov 11 23:06:00 EST 2012 META-INF/
          83 Sun Nov 11 23:06:00 EST 2012 META-INF/MANIFEST.MF
        1088 Sun Nov 11 23:04:26 EST 2012 HelloFile.class
         246 Sun Nov 11 23:04:26 EST 2012 CustomerPermission.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar is unsigned. (signatures missing or not parsable)
jarsigner demo #
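The jarsigner -verify runs above only check that the digests and signature files are internally consistent (note the "k" flag never appears, because no -keystore was given), while HelloFileSigned.policy additionally ties the grant to the certificate stored under alias "pubkey" in pubkey.jks. The following program, an added example that is not part of the original post or the Oracle tutorial, performs that same two-step check in code: it opens the jar with verification enabled, reads every entry so that java.util.jar checks its digest, and then compares each entry's signer certificate with the trusted one from the keystore. The file names, alias and password are the ones used in the session above; the class name VerifySignedJar and the helper methods are this example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example: verify every entry of a jar against a trusted certificate
 * from a keystore, the programmatic counterpart of the policy clause
 *   grant signedBy "pubkey", codeBase "file:./HelloFileSigned.jar" { ... };
 * Assumed inputs (from the session above): HelloFileSigned.jar, pubkey.jks
 * with alias "pubkey" and store password "password".
 */
public class VerifySignedJar {

    /** True only if every non-signature entry is signed by the trusted certificate. */
    public static boolean allEntriesSignedBy(String jarPath, Certificate trusted) throws IOException {
        // The "true" argument enables digest/signature verification while entries are read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                // Directories, the manifest and the signature files carry no signers of their own.
                if (entry.isDirectory() || isSignatureRelated(name)) {
                    continue;
                }
                // getCodeSigners() is only populated once the entry has been read completely;
                // an entry whose bytes no longer match the manifest digest throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume the entry */ }
                } catch (SecurityException e) {
                    System.err.println("digest mismatch: " + name + " (" + e.getMessage() + ")");
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    // This is what HelloFile.jar (the unsigned jar) produces for every class entry.
                    System.err.println("unsigned entry: " + name);
                    return false;
                }
                boolean matched = false;
                for (CodeSigner signer : signers) {
                    // The first certificate in the signer's path is the signing certificate itself.
                    Certificate signerCert = signer.getSignerCertPath().getCertificates().get(0);
                    if (signerCert.equals(trusted)) {
                        matched = true;
                        break;
                    }
                }
                if (!matched) {
                    System.err.println("signed, but not by the trusted certificate: " + name);
                    return false;
                }
            }
        }
        return true;
    }

    private static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
                || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    /** Loads the certificate stored under the given alias, as the policy's keystore line does. */
    public static Certificate loadTrusted(String keystorePath, char[] storePass, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new GeneralSecurityException("no certificate under alias " + alias);
        return cert;
    }

    public static void main(String[] args) throws Exception {
        String jarPath = args.length > 0 ? args[0] : "HelloFileSigned.jar";
        Certificate trusted = loadTrusted("pubkey.jks", "password".toCharArray(), "pubkey");
        boolean ok = allEntriesSignedBy(jarPath, trusted);
        System.out.println(jarPath + (ok ? ": all entries signed by the trusted certificate"
                                         : ": verification FAILED"));
        System.exit(ok ? 0 : 1);
    }
}
```

Run it from the demo directory as `java VerifySignedJar HelloFileSigned.jar` (exit status 0) and again with `HelloFile.jar` (exit status 1, "unsigned entry"). Two details worth remembering from the session: JarFile on its own only proves that the bytes match the digests in the manifest, so the identity of the signer has to be checked by the caller, exactly as the policy file's signedBy clause does; and the -Djava.security.policy switch only reaches the JVM when it precedes -jar (compare the two invocations of HelloFile.jar above), otherwise it is handed to the program as an ordinary argument and the default policy applies.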