Public Servant | DSCI Security Leader | BITS Alumnus | Ethical Hacker & Skeptical Army Brat who demystifies FakeNews & preaches Logic.

" ABHINAV - A BLOG HOSTING INTERNET NUISANCES, ATTACKS & VULNERABILITIES "

Friday, April 17, 2015

Signing Java .jar Files with CLI Command Jarsigner using Hardware Token in Windows

How to Configure Java JDK to Use the eToken

  1. Download the JDK from Oracle.com.
    Note: Even if you are using a 64-bit version of Windows, the 32-bit JDK is required (a JVM can only load a PKCS#11 library built for its own bitness).
  2. Open a text editor (such as Notepad) and do the following:
    1. Copy and paste the following 2 lines into the text (Notepad) document:
      name=eToken
      library=c:\WINDOWS\system32\eTPKCS11.dll
    2. Save this file as eToken.cfg in the appropriate directory for your version of the JDK, for example:
      • JDK 1.8
        C:\Program Files (x86)\Java\jdk1.8.0_20\bin
      Note: If you are running a 32-bit version of Windows, the Java JDK is installed in C:\Program Files\Java\...
  3. Run WordPad (Start > Accessories > WordPad), open the java.security file from your Java Runtime Environment (JRE) installation (e.g. C:\Program Files\Java\jdk1.8.0_20\jre\lib\security), and then do the following:
    1. Search the file (Ctrl + F) for the following line:
      security.provider.10=sun.security.mscapi.SunMSCAPI
    2. If the following line isn't already present in the file, add it right after the line above:
      security.provider.11=sun.security.pkcs11.SunPKCS11 ./etoken.cfg
      Note: ./etoken.cfg is the path to the etoken.cfg file; it cannot contain a drive letter (i.e. the file must be on the same drive as the JDK installation). The relative path is resolved from the directory in which keytool or jarsigner is started, which is why the file is saved in the JDK bin folder and the command prompt is opened there in the steps below. Windows file names are not case-sensitive, so eToken.cfg and etoken.cfg refer to the same file.
    3. When WordPad asks if you want to save the file as a text-only document, select yes.
  4. Open Windows explorer and go to the JDK installation folder (i.e. C:\Program Files\Java\jdk1.8_20\).
  5. Hold shift down and right-click on the bin folder and select Open command window here.
    [Screenshot: Open Command Prompt in Windows Explorer]
  6. Run the following command to find out in which token slot your certificate is stored:
    keytool -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11
    Note: This command displays a lot of information. To keep it for reading, append > debug.txt 2>&1 to the command so both output streams are saved to a file.
  7. Scroll to the top of the output and look for a line similar to this:
    Slots with tokens:#
    where # is a number such as 0 or 2.
    If the slot used is "0", skip to Step 9.
    [Screenshot: keytool output showing the certificate slot number on the hardware token]
  8. Remove the eToken device from the USB port for a few seconds and then plug it back in, since the token only allows you to run one keytool command at a time.
  9. Open the eToken.cfg file you created in Step 2, add a slot= line whose value matches the slot reported by the previous keytool command (or change the value if the line already exists), then save the file. The file should now look like this:
    name=eToken
    library=c:\WINDOWS\system32\eTPKCS11.dll
    slot=0
    Note: 0 is the default slot. If you have added additional certificates to the token or re-keyed/re-issued your certificate, you may have a different number than the default.

How To Sign .jar Files Using the CLI Command Jarsigner

  1. In Windows Explorer, navigate to the JDK folder.
  2. In the JDK folder, push and hold Shift, right-click on the bin folder, and select Open command window here.
    [Screenshot: Open Command Prompt in Windows Explorer]
  3. To view the Code Signing Certificate and the certificate alias on the token:
    1. Plug in your token.
    2. Run the following command from the command prompt (the keystore password it asks for is the token's PIN):
      keytool -list -keystore NONE -storetype PKCS11 -J-Djava.security.debug=sunpkcs11
      Enter keystore password: [enter password]
    3. Sample output:
      Keystore type: PKCS11
      Keystore provider: SunPKCS11-eToken
      Your keystore contains 1 entry
      le-a66a-21c4-b862-3c4345271551, PrivateKeyEntry,
      Certificate fingerprint (SHA2):
      XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    4. In this example, le-a66a-21c4-b862-3c4345271551 is the certificate alias that you use to sign .jar files.
  4. To use the code signing certificate on the token to sign file.jar, run the following command from the command prompt:
    jarsigner -verbose -keystore NONE -storetype PKCS11 -J-Djava.security.debug=sunpkcs11 "C:\path\to\file.jar" "le-a66a-21c4-b862-3c4345271551"
  5. If the command executed successfully, you should see something similar to the following output:
    Sample output:
    Enter Passphrase for keystore:
     adding: META-INF/7800FA4C.SF
    jar signed.
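The two procedures above leave the slot number and the alias for you to pick out of keytool's output by eye. The script below is an added example, not code from the original post or from the JDK: it parses that output (constructed samples in the post's format are embedded so it runs without a token), renders the eToken.cfg from Step 9, and builds the jarsigner sign and verify command lines from the signing section. The JDK path, the jar path and the timestamp-server URL are placeholders you replace; the -tsa option and the verify step are additions the post itself does not use.

```python
"""Added example, not part of the original post or of the JDK: helpers for the
two procedures above.  They parse the keytool output the post tells you to read
by eye, render the eToken.cfg from Step 9, and build the jarsigner sign/verify
command lines from the signing section.  The keytool output below is constructed
to match the post's format; the TSA URL and JDK path are placeholders.
"""
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# Constructed sample of the -J-Djava.security.debug=sunpkcs11 listing (Steps 6-7).
SAMPLE_DEBUG_OUTPUT = """\
SunPKCS11 loading ./etoken.cfg
sunpkcs11: Initializing PKCS#11 library c:\\WINDOWS\\system32\\eTPKCS11.dll
All slots: 0, 1, 2, 3
Slots with tokens: 2
Slot info for slot 2:
Enter keystore password:
"""

# Constructed sample of the keytool -list output (signing section, Step 3).
SAMPLE_LIST_OUTPUT = """\
Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken

Your keystore contains 1 entry

le-a66a-21c4-b862-3c4345271551, PrivateKeyEntry,
Certificate fingerprint (SHA2): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
"""

SLOT_RE = re.compile(r"^Slots with tokens:\s*(\d+)", re.MULTILINE)
# The alias is everything before the first comma on a line ending in "PrivateKeyEntry,".
ALIAS_RE = re.compile(r"^(?P<alias>[^,\n]+),.*\bPrivateKeyEntry,", re.MULTILINE)


def parse_token_slot(debug_output: str) -> int:
    """Return the first slot number on the 'Slots with tokens:' line (Step 7)."""
    match = SLOT_RE.search(debug_output)
    if not match:
        raise ValueError("no 'Slots with tokens' line: is the token plugged in "
                         "and does library= point at the PKCS#11 DLL?")
    return int(match.group(1))


def parse_private_key_aliases(list_output: str) -> List[str]:
    """Return the aliases of all PrivateKeyEntry lines; only these can sign."""
    return [m.group("alias").strip() for m in ALIAS_RE.finditer(list_output)]


def render_pkcs11_config(slot: int, name: str = "eToken",
                         library: str = r"c:\WINDOWS\system32\eTPKCS11.dll") -> str:
    """The three-line eToken.cfg from Step 9 of the configuration section."""
    return f"name={name}\nlibrary={library}\nslot={slot}\n"


def write_pkcs11_config(path: Path, slot: int) -> Path:
    """Write the cfg as plain ASCII (SunPKCS11 reads it as a text file)."""
    path.write_text(render_pkcs11_config(slot), encoding="ascii")
    return path


def jarsigner_sign_command(jar: str, alias: str, tsa_url: Optional[str] = None) -> List[str]:
    """The jarsigner invocation from Step 4 of the signing section.

    tsa_url is a placeholder for your CA's timestamp server; when given, -tsa
    embeds a timestamp so the signature stays verifiable after the signing
    certificate expires."""
    cmd = ["jarsigner", "-verbose", "-keystore", "NONE", "-storetype", "PKCS11",
           "-J-Djava.security.debug=sunpkcs11"]
    if tsa_url:
        cmd += ["-tsa", tsa_url]
    return cmd + [jar, alias]


def jarsigner_verify_command(jar: str) -> List[str]:
    """Check the signed jar; -certs prints the signer chain so you can confirm
    the expected code signing certificate was used."""
    return ["jarsigner", "-verify", "-verbose", "-certs", jar]


def run_from_jdk_bin(cmd: List[str], jdk_bin: str) -> int:
    """Run a keytool/jarsigner command with the JDK bin folder as the working
    directory (what opening the command window there achieves): the relative
    ./etoken.cfg in java.security is resolved against that directory.
    Returns the exit code; needs the JDK and the token, so not run on sample data."""
    tool = str(Path(jdk_bin) / cmd[0])
    return subprocess.run([tool] + cmd[1:], cwd=jdk_bin).returncode


if __name__ == "__main__":
    slot = parse_token_slot(SAMPLE_DEBUG_OUTPUT)  # 2 for the constructed sample
    print(render_pkcs11_config(slot), end="")
    alias = parse_private_key_aliases(SAMPLE_LIST_OUTPUT)[0]
    print(" ".join(jarsigner_sign_command(r"C:\path\to\file.jar", alias)))
    print(" ".join(jarsigner_verify_command(r"C:\path\to\file.jar")))
```

With a real token, save the Step 6 listing with > debug.txt 2>&1, pass its contents to parse_token_slot, and write the result into bin\eToken.cfg with write_pkcs11_config before signing. Without a -tsa timestamp the signature is only as durable as the certificate's validity period, and jarsigner -verify -verbose -certs on the finished jar is the check that the right certificate actually signed it.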
