Signing jar files with jarsigner

From OWASP
Revision as of 16:24, 8 February 2007

Most of the information in this note can be found in the help output of the jarsigner and keytool utilities:

jarsigner -help

keytool -help


Criteria for Signature Validity

The criteria of validity of a digital signature are the following:

  • No resource of the archive has been modified after the signature (the digests recorded in the signed manifest still match the content),
  • the signer's certificate is within its validity period (neither expired nor not yet valid).

Moreover, the signer of the archive must be known, i.e. its public key certificate must have been identified as trusted (imported into your keystore) before the validation. Otherwise, any malicious third party can forge a similar certificate, potentially with the same signer name, and present a coherent signed archive: the signature verifies, but it proves nothing about who produced the code.

Additional criteria of archive signature validity are defined in the context of the OSGi framework, and are specific to the deployment of components from third party repositories:

  • No resource removed from the archive after the signature (an entry listed in the signed manifest is missing from the archive),
  • no resource added to the archive after the signature (an entry present in the archive is not listed in the signed manifest),
  • the digital signature files must immediately follow the manifest file in the archive, so that the framework can verify each resource as it is read instead of having to buffer unverified content.

This means that, according to the security level you need, the Sun criteria of signature validity may not be sufficient: a plain jarsigner -verify does not detect resources removed after signing, accepts added unsigned resources (newer releases at least print a warning about them), and ignores where the signature files sit in the archive.

Use of the JarSigner Tool

The Sun jarsigner is a utility delivered along with the Sun JDK. It can sign Java Archives (jars) and verify the validity of their signature.

The use of the jarsigner tool is illustrated with an OSGi test bundle called fridgebundle-1.1.jar. OSGi bundles are a specific kind of jar file.

To test the jarsigner tool you need a public/private key pair. The examples are given with Bob's key pair.

  • If you want to run the tests with Bob's key pair, download the keystore file named testkeystore and store it in the refArchive directory.
  • If you want to create your own public/private key pair, see the section on the keytool utility below.

The following operations can be performed with the jarsigner tool. Create a refArchive directory and store each example bundle in it:

Sign a given jar archive

Sign the archive fridgebundle-1.1.jar with Bob's private key. -signedjar names the output file, so the unsigned original is left untouched; the last argument is the keystore alias whose private key is used:

jarsigner -keystore refArchive/testkeystore -signedjar refArchive/fridgebundle-1.1.signed.jar refArchive/fridgebundle-1.1.jar bob
 Enter Passphrase for keystore: password
 Enter key password for bob: bobspwd

Check that a signed jar is valid

jarsigner -verify -keystore refArchive/testkeystore refArchive/fridgebundle-1.1.signed.jar

Verify a signed jar with unknown signer

jarsigner -verify -keystore refArchive/testkeystore refArchive/fridgebundle-1.1.unknownsigner.jar

Some test with an invalid archive signature

jarsigner -verify refArchive/bindex-manifestMainAttrsModified-1.0.jar
jarsigner: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes


Remark: the Sun jarsigner issues no warning if the signer of the archive is unknown to you. No matter who has signed the archive, a plain -verify reports it as valid ("jar verified."). To find out whether the signing certificate is one you actually trust, verify with the keystore and the verbose options, jarsigner -verify -verbose -certs -keystore refArchive/testkeystore refArchive/fridgebundle-1.1.unknownsigner.jar, and read the flag column printed in front of each entry: s = signature was verified, m = entry is listed in manifest, k = at least one certificate was found in keystore. An entry that is signed (s) but lacks the k flag was signed by a certificate that is not in your keystore, so the "jar verified." line must not be read as a verdict on the signer.
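The criteria listed at the top of this page and the remark just above about unknown signers can be enforced programmatically with the standard java.util.jar and java.security APIs, which is what an OSGi framework or a deployment tool has to do instead of trusting the output of jarsigner -verify. The following class is an added example, not code from this OWASP page or from the JDK tools. The class name StrictJarVerifier, the command-line layout and the reuse of the page's sample paths are assumptions; it also assumes that a bare META-INF/ directory entry may precede the manifest, and that the keystore can be loaded with the JDK's default keystore type (current JDKs load the old JKS format under it). It reads every resource to the end (JarFile only verifies digests while an entry is read), rejects resources missing from or absent in the signed manifest, requires the signature files to sit directly behind the manifest, and, unlike jarsigner, refuses any signing certificate that is not already in the keystore or is outside its validity period.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Added example, not code from the OWASP page or from the JDK tools.
// Usage: java StrictJarVerifier refArchive/fridgebundle-1.1.signed.jar refArchive/testkeystore password
public class StrictJarVerifier {
    // Signature files sit directly in META-INF/ and end in .SF, .DSA, .RSA or .EC.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC"));
    }
    /** Returns every violated criterion; an empty list means the archive passes all of them. */
    public static List<String> verify(Path jar, Path keystore, char[] password) throws Exception {
        List<String> problems = new ArrayList<>();
        // Trust anchors: the certificates already imported into the keystore with keytool -import.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystore)) { ks.load(in, password); }
        // JarFile(file, true) checks digests and signatures lazily, while each entry is read.
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            Manifest mf = jf.getManifest();
            if (mf == null) { problems.add("no manifest: the archive is not signed"); return problems; }
            // 1. Central-directory order: manifest first, signature files right behind it (OSGi criterion).
            List<String> order = new ArrayList<>();
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) order.add(e.nextElement().getName());
            int i = !order.isEmpty() && order.get(0).equals("META-INF/") ? 1 : 0; // assumption: bare META-INF/ entry may lead
            if (i >= order.size() || !order.get(i).equals(JarFile.MANIFEST_NAME)) {
                problems.add("manifest is not the first file of the archive");
            } else {
                int sigFiles = 0;
                for (i++; i < order.size() && isSignatureFile(order.get(i)); i++) sigFiles++;
                if (sigFiles == 0) problems.add("no signature file immediately after the manifest");
                for (; i < order.size(); i++)
                    if (isSignatureFile(order.get(i))) problems.add("signature file not adjacent to the manifest: " + order.get(i));
            }
            // 2. Resources present versus resources the signed manifest vouches for (removed / added).
            Set<String> present = new TreeSet<>();
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                JarEntry je = e.nextElement(); // directories get no digest; manifest and signature files are the signature itself
                if (!je.isDirectory() && !je.getName().equals(JarFile.MANIFEST_NAME) && !isSignatureFile(je.getName()))
                    present.add(je.getName());
            }
            Set<String> listed = mf.getEntries().keySet();
            for (String n : listed) if (!present.contains(n)) problems.add("resource removed after signing: " + n);
            // 3. Reading an entry to the end is what triggers its digest check; afterwards ask who signed it.
            Set<X509Certificate> signers = null;
            byte[] buf = new byte[8192];
            for (String name : present) {
                if (!listed.contains(name)) { problems.add("resource added after signing: " + name); continue; }
                JarEntry je = jf.getJarEntry(name);
                try (InputStream in = jf.getInputStream(je)) {
                    while (in.read(buf) != -1) { /* consume; a digest or signature problem surfaces as SecurityException */ }
                } catch (SecurityException se) {
                    problems.add("digest or signature check failed while reading " + name + ": " + se.getMessage());
                    continue;
                }
                CodeSigner[] cs = je.getCodeSigners();
                if (cs == null) { problems.add("resource not covered by any signature: " + name); continue; }
                Set<X509Certificate> here = new HashSet<>();
                for (CodeSigner s : cs) here.add((X509Certificate) s.getSignerCertPath().getCertificates().get(0));
                if (signers == null) signers = here;
                else if (!signers.equals(here)) problems.add("signer set differs from the other resources: " + name);
            }
            // 4. jarsigner stays silent about unknown signers: every signing certificate must be one we
            //    imported ourselves (present in the keystore) and must be valid right now.
            if (signers != null) for (X509Certificate c : signers) {
                String who = c.getSubjectX500Principal().getName();
                if (ks.getCertificateAlias(c) == null) problems.add("unknown signer: " + who);
                try { c.checkValidity(); } catch (CertificateException ex) { problems.add("signer certificate not currently valid: " + who); }
            }
        } catch (SecurityException se) {
            problems.add("signature verification error: " + se.getMessage()); // e.g. bad digest for manifest main attributes
        }
        return problems;
    }
    public static void main(String[] args) throws Exception {
        List<String> problems = verify(Paths.get(args[0]), Paths.get(args[1]), args[2].toCharArray());
        for (String p : problems) System.out.println("FAIL: " + p);
        System.out.println(problems.isEmpty() ? "jar verified, signer trusted" : "jar REJECTED");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Against fridgebundle-1.1.unknownsigner.jar this reports "unknown signer" where jarsigner -verify prints "jar verified.", and against bindex-manifestMainAttrsModified-1.0.jar the SecurityException that jarsigner also reports is caught and turned into a rejection. Only the keystore password is needed; verification never touches Bob's private key. The signer-set consistency check (item 3) goes slightly beyond the page's list: it enforces the OSGi rule that every signer signs every resource, which is what makes a "who signed this bundle" answer unambiguous.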

Use of the Keytool Utility

The Sun keytool utility supports the management of DSA and RSA asymmetric key pairs, as well as the management of the public key certificates of third party actors.

Requirements:

  • have a keystore file

Example: the keystore file is named testkeystore and its password is password (Bob's key entry has its own password, bobspwd).

If you specify a keystore that does not exist in the keytool options, it is automatically created and initialized with the given parameters (e.g. the password).

The default keystore on *nix systems is the .keystore file in the user's home directory ($HOME/.keystore). The -keystore option overrides it.

You can perform following tests so as to learn how to use the keytool:

Create a new DSA Key Pair for Bob

keytool -genkey -keystore refArchive/testkeystore -alias bob

-genkey is the older spelling of -genkeypair. Without -keyalg, old keytool releases silently default to DSA (hence the heading of this step); state the algorithm and key size explicitly, e.g. -keyalg RSA -keysize 2048, rather than depend on the default. When the keystore file does not exist yet, keytool creates it and asks for its password, then prompts for Bob's distinguished name and for the key password.

Visualize the content of the keystore

keytool -list -keystore refArchive/testkeystore  

Extract of the public key certificate of Bob for dissemination

The certificate (the public key with its identity; the private key never leaves the keystore) is written to the bob.cert file. Add -rfc to get it Base64/PEM-encoded instead of binary DER.

keytool -export -keystore refArchive/testkeystore -alias bob -file refArchive/bob.cert
 

Visualize a certificate

keytool -printcert -file refArchive/bob.cert 

Import a certificate

Import, e.g., Alice's certificate. keytool prints the owner, issuer, validity period and fingerprints of the certificate before asking for confirmation; compare the fingerprint with one obtained from Alice through a separate channel before answering yes, because this import is exactly what turns Alice from an unknown into a known signer for jarsigner -verify.

keytool -import -keystore refArchive/testkeystore -file refArchive/alice.cert -alias alice
 Enter keystore password: password
 Trust this certificate? [no]: yes

Visualize the content of the keystore

keytool -list -keystore refArchive/testkeystore

References

You can find further information here: