Jar Signer
General Information
This guide to integrating the jarsigner tool of the Java SDK with the HSM was prepared using the software and firmware versions below:
- Windows 11 OS (English)
- Linux OS Debian 11
- JDK: 8 and 17
- HSM firmware: 5.4.0.0 (or higher)
- HSM Client: 4.14.0.0 (or higher)
Requirements
- Connectivity with the HSM (TCP port 4433);
- HSM service started;
- Key and certificate/certificate chain in HSM;
- Credentials of the HSM partition where the private key will be created or used.
Installing Keys and Certificates
Warning
In the following import steps, the names of the key, certificate and chain in the HSM must follow the naming rules defined in the topic Implementation: for example key, key_cert and key_chain.
- Import or generate the key on the chosen partition.
- Import the certificate, and optionally the PKCS#7 chain of the Certificate Authority (CA) that issued it, into the chosen partition.
Code Signing
Signing with jarsigner using the HSM is done via the JCA/JCE integration API, so the initial step is to configure the integration API to connect to the HSM. For more details on the JCA/JCE API of the HSM see the topic JCA/JCE.
- Install the DINAMO Java package, following the Installation guide manual.
- Run the command jarsigner with the following parameters:

jarsigner -J-D"dinamo.hsm.jca.ip=<HSM_IP>" -J-D"dinamo.hsm.jca.user=<HSM_USER>" -J-D"dinamo.hsm.jca.pwd=<HSM_PASSWORD>" -tsa http://timestamp.digicert.com -providerName ND -storetype TAC -providerClass br.com.trueaccess.provider.netdfence.ND -keystore NONE -storepass <HSM_PASSWORD> "<JAR_APPLICATION>" <KEY>

Alternatively, passing the path of the DINAMO Java package explicitly on the JVM class path with -J-cp:

jarsigner -J-cp -J"<DINAMO_JAVA_PACKAGE>" -J-D"dinamo.hsm.jca.ip=<HSM_IP>" -J-D"dinamo.hsm.jca.user=<HSM_USER>" -J-D"dinamo.hsm.jca.pwd=<HSM_PASSWORD>" -tsa http://timestamp.digicert.com -providerName ND -storetype TAC -providerClass br.com.trueaccess.provider.netdfence.ND -keystore NONE -storepass <HSM_PASSWORD> "<JAR_APPLICATION>" <KEY>
Where:
- <DINAMO_JAVA_PACKAGE>: path of the DINAMO Java package;
- <HSM_IP>: address of the HSM;
- <HSM_USER>: username/partition;
- <HSM_PASSWORD>: user/partition password;
- <JAR_APPLICATION>: Java application (.jar) that will have its code signed;
- <KEY>: name of the private key that was generated or imported into the HSM.
Adding a timestamp from a TSA (Time Stamp Authority) to the signature is optional (parameter -tsa). It is worth keeping: a timestamped signature can still be verified after the signer certificate expires, because verification then only requires the certificate to have been valid at the time recorded by the TSA, whereas a signature without a timestamp stops verifying cleanly once the certificate expires. Note also that both -storepass and the dinamo.hsm.jca.pwd property place the partition password on the command line, where other local users can read it from the process list and where it is retained in shell history; jarsigner can read -storepass from an environment variable (-storepass:env <VAR>) or a file (-storepass:file <FILE>), and access to the build host running these commands should be restricted accordingly.
Verification
- Checking a signed .jar file is also done with the program jarsigner:

jarsigner -verify -verbose app.jar

s       1782 Wed Aug 31 18:04:42 UTC 2022 META-INF/MANIFEST.MF
        1876 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.SF
       12143 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.RSA
           0 Tue Aug 30 21:50:40 UTC 2022 META-INF/
           0 Tue Aug 30 21:50:40 UTC 2022 br/
           0 Tue Aug 30 21:50:40 UTC 2022 br/com/
           0 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/
           0 Tue Aug 30 21:50:40 UTC 2022 com/
           0 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/
sm       170 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/NetDFence.class
sm      2265 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacAccessToken.class
sm      1252 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacException.class
sm     60370 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacNDJavaLib.class
sm      2360 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacSPBException.class
sm     34425 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/Dinamo.class
sm       718 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMAllInfo.class
sm       631 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMCounterInfo.class
sm       413 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMDiskInfo.class
sm       490 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMStatInfo.class
sm       576 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/JwsComponents.class
sm      2006 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/PIXHTTPReqDetails.class
sm       401 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/PIXResponse.class
sm      1073 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/SVaultGenTokenInfo.class
sm       514 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/SVaultGenTokenResponse.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

- Signed by "CN=Dinamo Networks, O=Dinamo Networks, ST=Distrito Federal, C=BR"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 3072-bit key
  Timestamped by "CN=DigiCert Timestamp 2022 - 2, O="DigiCert, Inc.", C=US" on Wed Aug 31 18:04:42 UTC 2022
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 4096-bit key

jar verified.

The signer certificate will expire on 2023-03-14.
The timestamp will expire on 2031-11-09.

Every application entry should show both the s (signature verified) and m (listed in manifest) flags, the report should end in "jar verified." with no warnings, and the Timestamped by line confirms that the TSA timestamp was included. To make conditions such as unsigned entries or an expired signer certificate fail the command instead of only being printed as warnings, add -strict, which gives jarsigner a non-zero exit status in those cases.
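The following script turns the signing command and the verification checks above into a release gate. It is an added example, not part of the original guide or the HSM vendor's software: sign_jar is the guide's jarsigner command with the HSM address and credentials taken from the assumed environment variables HSM_IP, HSM_USER and HSM_PASSWORD, and verify_jar runs jarsigner -verify with -strict and then applies a policy to the report text (expected signer, timestamp present, no warnings, every entry outside META-INF/ carrying both s and m flags). EXPECTED_SIGNER is an assumed policy value, the parser assumes the report layout printed by JDK 8 and 17 as shown above, and the two reports embedded at the end are constructed so the policy can be exercised without an HSM or a jar.

```shell
#!/bin/sh
# Added example, not part of the original guide or the HSM vendor's code:
# sign a jar with the guide's jarsigner command, then gate the release on the
# `jarsigner -verify` report. HSM_IP, HSM_USER and HSM_PASSWORD are assumed
# environment variables; EXPECTED_SIGNER is an assumed policy value.

EXPECTED_SIGNER="${EXPECTED_SIGNER:-CN=Dinamo Networks}"

# sign_jar JARFILE KEYNAME -- the guide's command, with -storepass read from
# the environment. The dinamo.hsm.jca.pwd property is still passed as a JVM
# argument, so the password remains visible in the process list.
sign_jar() {
    jarsigner \
        -J-D"dinamo.hsm.jca.ip=$HSM_IP" \
        -J-D"dinamo.hsm.jca.user=$HSM_USER" \
        -J-D"dinamo.hsm.jca.pwd=$HSM_PASSWORD" \
        -tsa http://timestamp.digicert.com \
        -providerName ND -storetype TAC \
        -providerClass br.com.trueaccess.provider.netdfence.ND \
        -keystore NONE -storepass:env HSM_PASSWORD \
        "$1" "$2"
}

# verify_jar JARFILE -- -strict makes jarsigner exit non-zero on warnings
# (unsigned entries, expired or unvalidated certificate, weak algorithms);
# the report is then checked against the policy below.
verify_jar() {
    report=$(jarsigner -verify -verbose -certs -strict "$1") \
        || { printf '%s\n' "$report" >&2; return 1; }
    evaluate_verify_report "$report"
}

# evaluate_verify_report REPORT -- text-only policy on a -verify -verbose
# report (layout as printed by JDK 8 and 17). Returns 0 when every check
# passes, otherwise prints the failing check to stderr and returns 1.
evaluate_verify_report() {
    report=$1
    printf '%s\n' "$report" | grep -q '^jar verified\.' \
        || { echo "FAIL: jar not verified" >&2; return 1; }
    if printf '%s\n' "$report" | grep -q 'Warning'; then
        echo "FAIL: jarsigner reported warnings" >&2; return 1
    fi
    printf '%s\n' "$report" | grep -F -q -e "- Signed by \"$EXPECTED_SIGNER" \
        || { echo "FAIL: unexpected signer" >&2; return 1; }
    printf '%s\n' "$report" | grep -q 'Timestamped by' \
        || { echo "FAIL: no TSA timestamp" >&2; return 1; }
    # Every file entry outside META-INF/ must carry both the s (signature
    # verified) and m (listed in manifest) flags; a file added to the jar
    # after signing is listed with neither.
    unsigned=$(printf '%s\n' "$report" | awk '
        /^[a-z]* +[0-9]+ [A-Z][a-z][a-z] [A-Z][a-z][a-z] / {
            path = $NF
            if (path ~ /\/$/ || path ~ /^META-INF\//) next
            flags = ($1 ~ /^[0-9]+$/) ? "" : $1
            if (flags !~ /s/ || flags !~ /m/) print path
        }')
    [ -z "$unsigned" ] \
        || { echo "FAIL: entries not covered by the signature: $unsigned" >&2; return 1; }
}

# Constructed reports for an offline run, modelled on the guide's output.
SAMPLE_REPORT='s       1782 Wed Aug 31 18:04:42 UTC 2022 META-INF/MANIFEST.MF
        1876 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.SF
       12143 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.RSA
           0 Tue Aug 30 21:50:40 UTC 2022 META-INF/
           0 Tue Aug 30 21:50:40 UTC 2022 com/example/
sm      1234 Tue Aug 30 21:50:40 UTC 2022 com/example/App.class
sm       567 Tue Aug 30 21:50:40 UTC 2022 com/example/Util.class

  s = signature was verified
  m = entry is listed in manifest

- Signed by "CN=Dinamo Networks, O=Dinamo Networks, ST=Distrito Federal, C=BR"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 3072-bit key
  Timestamped by "CN=DigiCert Timestamp 2022 - 2, O="DigiCert, Inc.", C=US" on Wed Aug 31 18:04:42 UTC 2022

jar verified.

The signer certificate will expire on 2023-03-14.
The timestamp will expire on 2031-11-09.'

# The same report with one class added after signing: it has no s/m flags.
TAMPERED_REPORT="         890 Thu Sep  1 10:00:00 UTC 2022 com/example/Backdoor.class
$SAMPLE_REPORT"

# Offline demonstration; in a pipeline: sign_jar app.jar key && verify_jar app.jar
evaluate_verify_report "$SAMPLE_REPORT"   && echo "sample report: PASS"
evaluate_verify_report "$TAMPERED_REPORT" || echo "tampered report: REJECTED"
```

Pass -keystore with a keystore that holds the signer certificate if you want jarsigner to mark entries with the k flag; with -strict, a certificate chain that jarsigner cannot validate is reported as a warning and therefore fails verify_jar. The text policy is deliberately a second layer on top of the exit status, so that a changed signer or a missing timestamp, which jarsigner itself accepts, still blocks the release.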