Jar Signer

General Information

This guide to integrating the HSM with the jarsigner utility of the Java SDK was prepared using the software and firmware versions below:

  • Windows 11 OS (English)
  • Linux OS Debian 11
  • JDK: 8 and 17
  • HSM firmware: 5.4.0.0 (or higher)
  • HSM Client: 4.14.0.0 (or higher)

Requirements

  1. Connectivity with the HSM (TCP port 4433);
  2. HSM service started;
  3. Key and certificate/certificate chain in HSM;
  4. Credentials of the HSM partition where the private key will be created or used.

Installing Keys and Certificates

Warning

In the following import steps, the names for the key, certificate and chain in the HSM must follow the naming rules defined in the Implementation topic. For example key, key_cert and key_chain.

  1. Import or generate the key on the chosen partition.

  2. Import the certificate and optionally the PKCS#7 chain of the Certificate Authority (CA) that issued the certificate into the chosen partition.

Code Signing

Signing with jarsigner using the HSM is done via the JCA/JCE integration API, so the initial step is to configure the integration API to connect to the HSM. For more details on the HSM's JCA/JCE API, see the JCA/JCE topic.

  1. Install the DINAMO Java package, following the Installation guide.

  2. Run the jarsigner command with the following parameters (the second form additionally passes the DINAMO Java package to the JVM with -J-cp).

    jarsigner -J-D"dinamo.hsm.jca.ip=<HSM_IP>" -J-D"dinamo.hsm.jca.user=<HSM_USER>" -J-D"dinamo.hsm.jca.pwd=<HSM_PASSWORD>" -tsa http://timestamp.digicert.com -providerName ND -storetype TAC -providerClass br.com.trueaccess.provider.netdfence.ND -keystore NONE -storepass <HSM_PASSWORD> "<JAR_APPLICATION>" <KEY>
    
    jarsigner -J-cp -J"<DINAMO_JAVA_PACKAGE>" -J-D"dinamo.hsm.jca.ip=<HSM_IP>" -J-D"dinamo.hsm.jca.user=<HSM_USER>" -J-D"dinamo.hsm.jca.pwd=<HSM_PASSWORD>" -tsa http://timestamp.digicert.com -providerName ND -storetype TAC -providerClass br.com.trueaccess.provider.netdfence.ND -keystore NONE -storepass <HSM_PASSWORD> "<JAR_APPLICATION>" <KEY>
    

    Where:

    • <DINAMO_JAVA_PACKAGE>: path to the DINAMO Java package;
    • <HSM_IP>: address of the HSM;
    • <HSM_USER>: user/partition name;
    • <HSM_PASSWORD>: user/partition password;
    • <JAR_APPLICATION>: the Java application (.jar) whose code will be signed;
    • <KEY>: the name of the private key that was generated or imported into the HSM.

    Adding a timestamp from a TSA (Time Stamp Authority) to the signature is optional (-tsa parameter).

Verification

  1. Verifying a signed .jar file is also done with the jarsigner program:

    jarsigner -verify -verbose app.jar
    
    s        1782 Wed Aug 31 18:04:42 UTC 2022 META-INF/MANIFEST.MF
            1876 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.SF
            12143 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.RSA
                0 Tue Aug 30 21:50:40 UTC 2022 META-INF/
                0 Tue Aug 30 21:50:40 UTC 2022 br/
                0 Tue Aug 30 21:50:40 UTC 2022 br/com/
                0 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/
                0 Tue Aug 30 21:50:40 UTC 2022 com/
                0 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/
    sm        170 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/NetDFence.class
    sm       2265 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacAccessToken.class
    sm       1252 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacException.class
    sm      60370 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacNDJavaLib.class
    sm       2360 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacSPBException.class
    sm      34425 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/Dinamo.class
    sm        718 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMAllInfo.class
    sm        631 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMCounterInfo.class
    sm        413 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMDiskInfo.class
    sm        490 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMStatInfo.class
    sm        576 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/JwsComponents.class
    sm       2006 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/PIXHTTPReqDetails.class
    sm        401 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/PIXResponse.class
    sm       1073 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/SVaultGenTokenInfo.class
    sm        514 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/SVaultGenTokenResponse.class
    
      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    
    - Signed by "CN=Dinamo Networks, O=Dinamo Networks, ST=Distrito Federal, C=BR"
        Digest algorithm: SHA-256
        Signature algorithm: SHA256withRSA, 3072-bit key
      Timestamped by "CN=DigiCert Timestamp 2022 - 2, O="DigiCert, Inc.", C=US" on Wed Aug 31 18:04:42 UTC 2022
        Timestamp digest algorithm: SHA-256
        Timestamp signature algorithm: SHA256withRSA, 4096-bit key
    
    jar verified.
    
    The signer certificate will expire on 2023-03-14.
    The timestamp will expire on 2031-11-09.
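As an added check that is not part of the original guide, the script below audits the verbose verification output: it fails if any class entry outside META-INF/ lacks the s (signature verified) and m (listed in manifest) flags or if the "jar verified." line is missing, and it surfaces any jarsigner "Warning:" line. The two sample listings are constructed from the shape of the output above; the second adds an unsigned entry to exercise the failing path.

```shell
#!/usr/bin/env bash
# Audit `jarsigner -verify -verbose <jar>` output: every payload entry (not a
# directory, not under META-INF/) must carry both 's' and 'm', the run must
# end with "jar verified.", and "Warning:" lines are surfaced. Entry paths
# containing whitespace are not handled by this field-based parse.
# Usage: jarsigner -verify -verbose app.jar | audit_jarsigner_output
audit_jarsigner_output() {
    awk '
        # Entry lines look like: [flags] size Www Mmm dd HH:MM:SS UTC yyyy path
        NF >= 8 && $(NF-7) ~ /^[0-9]+$/ && $(NF-3) ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            path  = $NF
            flags = (NF == 9) ? $1 : ""
            if (path ~ /\/$/ || path ~ /^META-INF\//) next   # directories, signature files
            if (flags !~ /s/ || flags !~ /m/) {
                printf "UNSIGNED: %s (flags=\"%s\")\n", path, flags
                bad++
            }
            next
        }
        /^Warning:/        { print "WARNING: " $0 }
        /^jar verified\.$/ { verified = 1 }
        END {
            if (!verified) { print "FAIL: no \"jar verified.\" line"; bad++ }
            if (bad > 0) exit 1
        }
    '
}

# Constructed samples, abridged to the shape of the listing above. The second
# appends an entry with no flags, as an injected class would appear.
SAMPLE_SIGNED='s        1782 Wed Aug 31 18:04:42 UTC 2022 META-INF/MANIFEST.MF
        1876 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.SF
       12143 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.RSA
           0 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/
sm        170 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/NetDFence.class
sm       2265 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacAccessToken.class

  s = signature was verified
  m = entry is listed in manifest

- Signed by "CN=Dinamo Networks, O=Dinamo Networks, ST=Distrito Federal, C=BR"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 3072-bit key

jar verified.'
SAMPLE_TAMPERED="${SAMPLE_SIGNED}
         512 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/Injected.class
Warning: This jar contains unsigned entries which have not been integrity-checked."

printf '%s\n' "$SAMPLE_SIGNED"   | audit_jarsigner_output && echo "signed sample: OK"
printf '%s\n' "$SAMPLE_TAMPERED" | audit_jarsigner_output || echo "tampered sample: rejected"
```

Pipe the real `jarsigner -verify -verbose` output into the function in a build step; a non-zero exit blocks the artifact and the printed UNSIGNED lines name the entries to investigate.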