Jar signing

Java jar signer Jason


Page 1: Jar signing


Page 2: Jar signing

Java Security Manager

Why is there a Security Manager mechanism?

Once a browser has downloaded a class (jar), launching Java to run that downloaded code is a very dangerous thing.

Page 3: Jar signing

Java Security Manager

A Java applet runs in one of two modes:

with the Security Manager enabled

without the Security Manager enabled

Page 4: Jar signing

Java Security Manager

Jar Signing

If a jar file has been signed, the Security Manager prompts the user whether to run that jar.

If a jar file has not been signed, the Security Manager issues a warning.

Purpose: a signed jar shows that it was produced by a named, identifiable party, and that nobody has tampered with it since it was built.

Page 5: Jar signing

Jar signing

How do you sign a Jar (applet) file?

OpenSSL: an open-source SSL toolkit
Keytool: installed with the JRE
Jarsigner: installed with the JDK

Page 6: Jar signing

Java keytool

Keytool manages keys and certificates, which it stores in a file called a keystore.

A keystore holds two kinds of entries: key entries (a private key with its certificate chain) and trusted certificate entries.

Page 7: Jar signing

Java keytool

Keytool command options

-keystore  Keystore file to use. Default: the file named .keystore in the user's home directory
-alias     Alias of the entry to create or operate on. Default: "mykey"
-genkey    Generates a key pair and adds it to the keystore
-keyalg    Key algorithm name. Default: "DSA"
-keysize   Key size in bits. Default: 1024
-certreq   Generates a Certificate Signing Request (CSR)
-import    Imports a certificate or a certificate chain
-list      Lists the entries in a keystore
-v         Verbose output

Page 8: Jar signing

Jar signing - Step1 Creating a Sample CA Certificate

openssl req -config c:\openssl\bin\openssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365

Using properties from c:\openssl\bin\openssl.cnf
Loading 'screen' into random state: done
Generating a 1024 bit RSA private key
.................++++++
.....................++++++
writing new private key to 'ca-key.pem.txt'
Enter PEM pass phrase:
Verifying password: Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Monrovia
Organization Name (eg, company) []:Sun
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your websites domain name) []:development.sun.com
Email Address []:[email protected]

Page 9: Jar signing

Jar signing - Step2

Create the Java keystore

keytool -keystore clientkeystore -genkey -alias client

Enter keystore password:
What is your first and last name?
  [Unknown]:  Jason
What is the name of your organizational unit?
  [Unknown]:  Jason
What is the name of your organization?
  [Unknown]:  Jason
What is the name of your City or Locality?
  [Unknown]:  Jason
What is the name of your State or Province?
  [Unknown]:  Jason
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
  [no]:  yes

Enter key password for <client>
        (RETURN if same as keystore password):

Page 10: Jar signing

Jar signing

Keystore verbose output

keytool -list -v -keystore clientkeystore

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Serial number: 3277605
Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014

Page 11: Jar signing

Jar signing - Step3

Generate the Certificate Signing Request

keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Page 12: Jar signing

Jar signing - Step4

Generate a signed certificate for the associated Certificate Signing Request.

openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial

Page 13: Jar signing

Jar signing - Step5

Use the keytool to import the CA certificate into the client keystore

keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot

Page 14: Jar signing

Jar signing

Keystore verbose output

Alias name: thecaroot
Creation date: 2014/3/7
Entry type: trustedCertEntry

Owner: [email protected], CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: [email protected], CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015

Page 15: Jar signing

Jar signing - Step6

Use the keytool to import the signed certificate for the associated client alias in the keystore.

keytool -import -keystore clientkeystore -file client.cer -alias client

Page 16: Jar signing

Jar signing

Keystore verbose output

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 2

Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: [email protected], CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: 86848dcdcc6a2971
Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015

Certificate[2]:
Owner: [email protected], CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: [email protected], CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015

Page 17: Jar signing

Jar signing - Step7

Generates signatures for Java ARchive (JAR) files

jarsigner -keystore clientkeystore SignedApplet.jar client

Page 18: Jar signing

Jar signing

Verifying a Signed JAR File

jarsigner -verify -verbose SignedApplet.jar

s        169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
         320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF
        1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA
           0 Mon Feb 21 19:29:40 CST 2011 META-INF/
sm      2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
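Worked example, added here and not code from the slides or from the JDK tools: the s/m flags that jarsigner -verify prints above come from a digest chain (each entry is digested into META-INF/MANIFEST.MF, each manifest section and the whole manifest are digested into META-INF/CLIENT.SF, and the .SF is what the PKCS#7 block in CLIENT.DSA actually signs). The script below rebuilds that chain with the Python standard library only: it writes a small JAR in memory with the signed layout, verifies it, then edits one class and adds an unsigned one to show how each change surfaces. The entry names and bytes are constructed, the section canonical form (one blank line per section, no 72-byte line wrapping) is a simplifying assumption, and CLIENT.DSA is a placeholder that is not verified, since that needs a CMS parser plus the CA certificate you import in Step 8.

```python
"""Digest chain of a signed JAR: entry -> META-INF/MANIFEST.MF -> META-INF/CLIENT.SF.
Added example, not from the slides. Stdlib only; the PKCS#7 block CLIENT.DSA is not
verified here (that needs a CMS parser plus the CA certificate imported in Step 8)."""
import base64
import hashlib
import io
import zipfile

DIGEST_ATTR = "SHA-256-Digest"  # attribute name current jarsigner writes
SIGNER = "CLIENT"               # jarsigner names CLIENT.SF/.DSA after the key alias
TRAILER = b"\r\n\r\n"           # assumption: every section ends with one blank line

# Constructed sample payload; the bytes are not a real class file.
SAMPLE_ENTRIES = {
    "SignedApplet.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "resources/applet.properties": b"width=300\nheight=200\n",
}


def _b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _section(attrs):
    """Render one manifest section (simplified: no 72-byte line wrapping)."""
    return "".join(f"{k}: {v}\r\n" for k, v in attrs).encode() + b"\r\n"


def _split_sections(blob):
    """Return [(attrs, raw_bytes)] per section; raw_bytes is what the .SF digests."""
    result = []
    for chunk in blob.split(TRAILER):
        if chunk:
            attrs = dict(line.partition(": ")[::2] for line in chunk.decode().split("\r\n"))
            result.append((attrs, chunk + TRAILER))
    return result


def build_signed_jar(entries):
    """Write MANIFEST.MF, CLIENT.SF and a placeholder CLIENT.DSA in jarsigner's layout."""
    main = _section([("Manifest-Version", "1.0")])
    per_entry = [_section([("Name", n), (DIGEST_ATTR, _b64sha256(d))]) for n, d in entries.items()]
    manifest = main + b"".join(per_entry)
    # The .SF commits to the whole manifest, its main section, and each entry section.
    sf = _section([("Signature-Version", "1.0"),
                   (DIGEST_ATTR + "-Manifest", _b64sha256(manifest)),
                   (DIGEST_ATTR + "-Manifest-Main-Attributes", _b64sha256(main))])
    for name, sec in zip(entries, per_entry):
        sf += _section([("Name", name), (DIGEST_ATTR, _b64sha256(sec))])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(f"META-INF/{SIGNER}.SF", sf)
        z.writestr(f"META-INF/{SIGNER}.DSA", b"PLACEHOLDER: PKCS#7 signature over CLIENT.SF")
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_digest_chain(jar_bytes):
    """Return a list of findings; an empty list means the digest chain is intact."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        manifest = z.read("META-INF/MANIFEST.MF")
        sections = _split_sections(manifest)
        main_raw = sections[0][1]
        listed = {a["Name"]: (a, raw) for a, raw in sections[1:]}
        # flag "m": each listed entry exists and its content digest still matches
        for name, (attrs, _) in listed.items():
            if name not in names:
                findings.append(f"manifest lists missing entry {name}")
            elif _b64sha256(z.read(name)) != attrs.get(DIGEST_ATTR):
                findings.append(f"digest mismatch for {name}")
        # payload outside META-INF that the manifest does not list was added unsigned
        for name in names:
            if not name.startswith("META-INF/") and name not in listed:
                findings.append(f"entry {name} is not covered by the manifest")
        # the .SF must match the manifest as a whole and section by section
        sf_sections = _split_sections(z.read(f"META-INF/{SIGNER}.SF"))
        sf_main = sf_sections[0][0]
        if sf_main.get(DIGEST_ATTR + "-Manifest") != _b64sha256(manifest):
            findings.append("whole-manifest digest in .SF does not match")
        if sf_main.get(DIGEST_ATTR + "-Manifest-Main-Attributes") != _b64sha256(main_raw):
            findings.append("main-attributes digest in .SF does not match")
        for attrs, _ in sf_sections[1:]:
            name = attrs["Name"]
            if name not in listed or _b64sha256(listed[name][1]) != attrs.get(DIGEST_ATTR):
                findings.append(f".SF section digest mismatch for {name}")
    return findings


def tamper(jar_bytes, name, new_data):
    """Replace or add one entry without touching META-INF (a post-signing edit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as z:
        for info in src.infolist():
            z.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
        if name not in src.namelist():
            z.writestr(name, new_data)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_signed_jar(SAMPLE_ENTRIES)
    print("untouched:", verify_digest_chain(jar) or "jar digest chain verified")
    print("class edited:", verify_digest_chain(tamper(jar, "SignedApplet.class", b"replaced")))
    print("class added:", verify_digest_chain(tamper(jar, "Extra.class", b"unsigned")))
```

Run it directly to see the three outcomes. The digest checks alone only catch edits made below the .SF; someone who rewrites the manifest and the .SF together would pass them, which is why the real jarsigner also verifies CLIENT.DSA over CLIENT.SF against the signer's certificate chain, and why the Java Control Panel needs the CA certificate from Step 8 to trust that chain.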

Page 19: Jar signing

Jar signing - Step8

Go to Java Control Panel → Security tab → Manage Certificates

Import the ca-certificate.pem file

Page 20: Jar signing

Certificate detail