Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
226
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
2
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • http://polinwei.blogspot.tw/2013/02/java-keytoolmicrosoft-active-directory.htmlhttp://cooking-java.blogspot.tw/2010/01/java-keytool.htmlhttp://fecbob.pixnet.net/blog/post/36050717-%5Bandroid%5D-keytool%E5%B7%A5%E5%85%B7%E4%BD%BF%E7%94%A8%E8%A9%B3%E8%A7%A3
  • http://www.openssl.org/docs/apps/x509.html
  • X.509 的目的為,證實這個已簽發憑證,確實為憑證上宣稱的那個人所發行的憑證。
  • http://www.frogjumpjump.com/2011/09/ssl-x509ssl.htmlhttp://www.imacat.idv.tw/tech/sslcerts.html.zh-tw#sslx509

Transcript

  • 1. Java jar signer Jason
  • 2. Java Security Manager 為何有 Secuirty Manager 機制 ?  Browser 把 class(jar) download 下來後,再啟動 java 去執行 download 下來的程式碼來執行是很危險的事。
  • 3. Java Security Manager Java Applet 在執行時有兩種模式  有啟動 Secuirty Manager  沒有啟動 Secuirty Manager
  • 4. Java Security Manager Jar Signing  Jar 檔被 sign 過,就會 Secuirty Manager 告知是否執行該 jar 檔。  Jar 檔若沒被 sign 過,就會被 Secuirty Manager 警告。 目的: Jar 檔 被 sign 過表示確定是個有名有姓的人產生的 Jar 檔,而且做出來後沒有被別人篡改過。
  • 5. Jar signing 如何對 Jar (Applet) 檔進行 signing ?  OpenSSL : 是套開放原始碼的SSL套件  Keytool : Install JRE  Jarsigner : Install JDK
  • 6. Java keytool Keytool is the key (key) and certificates (certificates) in the presence of a file called keystore  keystore  Key entity  Trusted certificate entries
  • 7. Java keytool Keytool Command  -keystore The file named .keystore in the user's home directory  -alias Create alias. Defalut : "mykey"  -genkey Creating or Adding Data to the Keystore  -keyalg key algorithm name. Defalut : "DSA"  -keysize key bit size. Defalut : 1024  -certreq Generate the Certificate Signing Request (CSR)  -import Imports a certificate or a certificate chain  -list Lists entries in a keystore  -v verbose output
  • 8. Jar signing - Step1 Creating a Sample CA Certificate  openssl req -config c:opensslbinopenssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365 Using properties from c:opensslbinopenssl.cnf Loading ’screen’ into random state: done Generating a 1024 bit RSA private key .................++++++ .....................++++++ writing new private key to ’ca-key.pem.txt’ Enter PEM pass phrase: Verifying password: Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ’.’, the field will be left blank. ----- Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Monrovia Organization Name (eg, company) []:Sun Organizational Unit Name (eg, section) []:Development Common Name (eg, your websites domain name) [] :development.sun.com Email Address []:development@sun.com
  • 9. Jar signing - Step2 Create java keystore  keytool –keystore clientkeystore –genkey –alias client Enter keystore password: What is your first and last name? [Unknown]: Jason What is the name of your organizational unit? [Unknown]: Jason What is the name of your organization? [Unknown]: Jason What is the name of your City or Locality? [Unknown]: Jason What is the name of your State or Province? [Unknown]: Jason What is the two-letter country code for this unit? [Unknown]: US Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct? [no]: yes Enter key password for <client> (RETURN if same as keystore password):
  • 10. Jar signing Keystore verbose output  keytool -list -v -keystore clientkeystore Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Serial number: 3277605 Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
  • 11. Jar signing - Step3 Generate the Certificate Signing Request  keytool –keystore clientkeystore –certreq –alias client –keyalg rsa –file client.csr -----BEGIN NEW CERTIFICATE REQUEST----- MIICkjCCAlACAQAwXTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBUphc29uMQ4wDAYDVQQHEwVKYXNv bjEOMAwGA1UEChMFSmFzb24xDjAMBgNVBAsTBUphc29uMQ4wDAYDVQQDEwVKYXNvbjCCAbgwggEs BgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9 jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD 9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGB APfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYT t88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaS i2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDUBuLc31+1uV7iu+WyFy6kmDsTwawhqhC18g2wu90oTmEo S7zDqL1WgeK55DKcDLxv1xGZuD1StwngUSjwBMsLFWPYi8aZ3AeUWVrA142iULDeSox7AtaI1Q2N 2m3LmmNfJxNt7clRhovxruIBwVsW+iSfk2+BsdKHIEYLrXIiGKAwMC4GCSqGSIb3DQEJDjEhMB8w HQYDVR0OBBYEFKvw3eE6Hw5fMgo70jvKcxRo4AHaMAsGByqGSM44BAMFAAMvADAsAhR2gLVksdXf YoE4WLBFm5ydJdtvcwIUaN5L0iUgRXBIPxDGjwHDEHDB0C4= -----END NEW CERTIFICATE REQUEST-----
  • 12. Jar signing - Step4 Generate a signed certificate for the associated Certificate Signing Request.  openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial
  • 13. Jar signing - Step5 Use the keytool to import the CA certificate into the client keystore  keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
  • 14. Jar signing Keystore verbose output Alias name: thecaroot Creation date: 2014/3/7 Entry type: trustedCertEntry Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295 Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
  • 15. Jar signing - Step6 Use the keytool to import the signed certificate for the associated client alias in the keystore.  keytool –import –keystore clientkeystore –file client.cer –alias client
  • 16. Jar signing Keystore verbose output Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: 86848dcdcc6a2971 Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015 Certificate[2]: Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development , O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295
  • 17. Jar signing - Step7 Generates signatures for Java ARchive (JAR) files  jarsigner -keystore clientkeystore SignedApplet.jar client
  • 18. Jar signing Verifying a Signed JAR File  jarsigner -verify -verbose SignedApplet.jar s 169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF 320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF 1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA 0 Mon Feb 21 19:29:40 CST 2011 META-INF/ sm 2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified.
  • 19. Jar signing - Step8 Go to「Java Control Panel」→「Security Tab 」→ 「Manage Certificates」 Import ca-certificate.pem file
  • 20. Certificate detail
  • 21. Reference Java SE Decumentation http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html Configuring Java CAPS for SSL Support http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html