Jar signing
  • http://polinwei.blogspot.tw/2013/02/java-keytoolmicrosoft-active-directory.html
    http://cooking-java.blogspot.tw/2010/01/java-keytool.html
    http://fecbob.pixnet.net/blog/post/36050717-%5Bandroid%5D-keytool%E5%B7%A5%E5%85%B7%E4%BD%BF%E7%94%A8%E8%A9%B3%E8%A7%A3
  • http://www.openssl.org/docs/apps/x509.html
  • The purpose of X.509 is to verify that an issued certificate really was issued by the party named on the certificate.
  • http://www.frogjumpjump.com/2011/09/ssl-x509ssl.html
    http://www.imacat.idv.tw/tech/sslcerts.html.zh-tw#sslx509

Jar signing: Presentation Transcript

  • Java jar signer Jason
  • Java Security Manager
    Why is there a Security Manager mechanism?
    - After the browser downloads a class (jar), launching Java to execute the downloaded code is dangerous.
  • Java Security Manager
    A Java applet runs in one of two modes:
    - With the Security Manager enabled
    - Without the Security Manager enabled
  • Java Security Manager: Jar Signing
    - If the jar file has been signed, the Security Manager asks whether to run that jar file.
    - If the jar file has not been signed, the Security Manager issues a warning.
    Purpose: a signed jar file means it was produced by an identifiable, named party and has not been tampered with by anyone since it was built.
  • Jar signing
    How do you sign a jar (applet) file?
    - OpenSSL: an open-source SSL toolkit
    - Keytool: install the JRE
    - Jarsigner: install the JDK
  • Java keytool
    Keytool stores keys and certificates in a file called a keystore.
    A keystore holds:
    - Key entries
    - Trusted certificate entries
  • Java keytool: Keytool Command
    -keystore  Keystore file. Default: the file named .keystore in the user's home directory
    -alias     Create alias. Default: "mykey"
    -genkey    Creating or adding data to the keystore
    -keyalg    Key algorithm name. Default: "DSA"
    -keysize   Key bit size. Default: 1024
    -certreq   Generate the Certificate Signing Request (CSR)
    -import    Imports a certificate or a certificate chain
    -list      Lists entries in a keystore
    -v         Verbose output
  • Jar signing - Step1: Creating a Sample CA Certificate
    openssl req -config c:\openssl\bin\openssl.cnf -new -x509 -keyout ca-key.pem.txt -out ca-certificate.pem -days 365
    Using properties from c:\openssl\bin\openssl.cnf
    Loading 'screen' into random state: done
    Generating a 1024 bit RSA private key
    .................++++++
    .....................++++++
    writing new private key to 'ca-key.pem.txt'
    Enter PEM pass phrase:
    Verifying password: Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:Monrovia
    Organization Name (eg, company) []:Sun
    Organizational Unit Name (eg, section) []:Development
    Common Name (eg, your websites domain name) []:development.sun.com
    Email Address []:development@sun.com
  • Jar signing - Step2: Create java keystore
    keytool -keystore clientkeystore -genkey -alias client
    Enter keystore password:
    What is your first and last name?
      [Unknown]: Jason
    What is the name of your organizational unit?
      [Unknown]: Jason
    What is the name of your organization?
      [Unknown]: Jason
    What is the name of your City or Locality?
      [Unknown]: Jason
    What is the name of your State or Province?
      [Unknown]: Jason
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
      [no]: yes
    Enter key password for <client>
      (RETURN if same as keystore password):
  • Jar signing: Keystore verbose output
    keytool -list -v -keystore clientkeystore
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: client
    Creation date: 2014/3/7
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
    Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
    Serial number: 3277605
    Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
  • Jar signing - Step3: Generate the Certificate Signing Request
    keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
  • Jar signing - Step4: Generate a signed certificate for the associated Certificate Signing Request.
    openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial
  • Jar signing - Step5: Use the keytool to import the CA certificate into the client keystore
    keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
  • Jar signing: Keystore verbose output
    Alias name: thecaroot
    Creation date: 2014/3/7
    Entry type: trustedCertEntry
    Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Serial number: cd1836b5bb6f8295
    Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
  • Jar signing - Step6: Use the keytool to import the signed certificate for the associated client alias in the keystore.
    keytool -import -keystore clientkeystore -file client.cer -alias client
  • Jar signing: Keystore verbose output
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    Alias name: client
    Creation date: 2014/3/7
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
    Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Serial number: 86848dcdcc6a2971
    Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015
    Certificate[2]:
    Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
    Serial number: cd1836b5bb6f8295
  • Jar signing - Step7: Generates signatures for Java ARchive (JAR) files
    jarsigner -keystore clientkeystore SignedApplet.jar client
  • Jar signing: Verifying a Signed JAR File
    jarsigner -verify -verbose SignedApplet.jar
    s    169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
         320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF
        1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA
           0 Mon Feb 21 19:29:40 CST 2011 META-INF/
    sm  2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class
    s = signature was verified
    m = entry is listed in manifest
    k = at least one certificate was found in keystore
    i = at least one certificate was found in identity scope
    jar verified.
  • Jar signing - Step8: Go to "Java Control Panel" → "Security" tab → "Manage Certificates" and import the ca-certificate.pem file.
  • Certificate detail
  • Reference
    Java SE Documentation
    http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
    Configuring Java CAPS for SSL Support
    http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html
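
The "Verifying a Signed JAR File" slide shows jarsigner marking entries `s` and `m`. The Python below is an added example, not part of the presentation: it performs only the manifest-digest part of that check (each entry's bytes against the digest recorded in META-INF/MANIFEST.MF), and does not verify the signature over the .SF file or the certificate chain. The function names and the sample JAR contents are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def is_signature_file(name):
    """Signature-related files under META-INF/ are not listed in the manifest."""
    upper = name.upper()
    return upper.startswith("META-INF/SIG-") or (upper.startswith("META-INF/")
        and upper.endswith(("/MANIFEST.MF", ".SF", ".DSA", ".RSA", ".EC")))

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Undo 72-byte line wrapping: a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_jar(data):
    """Return (tampered, unlisted, missing) entry names for a JAR given as bytes."""
    tampered, unlisted = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [n for n in jar.namelist()
                 if not n.endswith("/") and not is_signature_file(n)]
        for name in names:
            if name not in manifest:
                unlisted.append(name)  # added after signing, never digested
            for key, expected in manifest.get(name, {}).items():
                if key.endswith("-Digest"):  # e.g. SHA-256-Digest -> sha256
                    algo = key[:-len("-Digest")].replace("-", "").lower()
                    actual = hashlib.new(algo, jar.read(name)).digest()
                    if base64.b64encode(actual).decode() != expected:
                        tampered.append(name)
    return tampered, unlisted, sorted(set(manifest) - set(names))

def build_jar(files, manifest_for=None):
    """Constructed sample JAR: zip `files`; the manifest digests `manifest_for`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, body in (files if manifest_for is None else manifest_for).items():
        digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, body in files.items():
            jar.writestr(name, body)
    return buf.getvalue()
```

Passing `build_jar(modified, manifest_for=original)` to `check_jar` simulates a JAR whose class was patched and which gained an extra class after the manifest was written; both show up in the returned lists.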