Jar Signer

General Information

This user guide is integrated with the jarsigner of the Java SDK has been prepared using the software and firmware versions below: - OS Windows 10 (English) - Linux OS Debian 11 - JDK: 8 - HSM firmware: 5.0.26.0 (or higher) - HSM client: 4.7.30 (or higher)

Requirements

1. Connectivity with the HSM (TCP port 4433).
2. HSM client software installed (see Installation topic).
3. HSM service started.
4. Credentials of the HSM partition where the private key will be created or used.

Java code signing using HSM

Warning

In the following import steps, the names for the key, certificate and chain in the HSM must follow the naming rules defined in the topic Implementation. For example key, key_cert e key_chain.

Signing with jarsigner using the HSM is done via the JCA/JCE integration API. So the initial step is to configure the integration API to connect to the HSM. For more details on the HSM JCA/JCE API, see the topic JCA/JCE.

1. Import or generate the key on the chosen partition.

2. Import the certificate and optionally the PKCS#7 chain from the Certificate Authority (CA) that issued the certificate into the chosen partition.

3. Generate the JCA configuration file using the java program jcaconfig.jar. This program is installed together with the HSM client software. For more details on the utility, see the topic Configuration. Location default of HSM Java programs and libraries is as follows.

   • Windows: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\java
   • Linux: /opt/dinamo

   The name of the generated configuration file should be Configuration.ND.

   java -jar jca_config.jar -addr <HSM_IP> -usr <HSM_PARTITION> -pwd <HSM_PARTITION_PASSWORD> -file Configuration.ND
   

   Where - <HSM_IP>: HSM IP address - <HSM_PARTITION>: HSM partition - <HSM_PARTITION_PASSWORD>: partition password

4. Copy the generated configuration file to the same folder where you will run the command jarsigner.

5. Copying files ndjca.jar e tacndjavalib.jar to the Java extensions folder. Normally this folder has the following path, where <VERSION> is the version of the JDK installed.

   • Windows: C:\Program Files\Java\jdk<VERSION>\jre\lib\ext
   • Linux: /usr/local/openjdk-<VERSION>/jre/lib/ext/

6. Run the command jarsigner with the following parameters.

   jarsigner -tsa http://timestamp.digicert.com -providerName ND -storetype TAC -providerClass br.com.trueaccess.provider.netdfence.ND -keystore /dev/null -storepass <HSM_PARTITION_PASSWORD> <JAR_APPLICATION> key`
   

   Where - <HSM_PARTITION_PASSWORD>: partition password - <JAR_APPLICATION>Java application (.jar) that will have its code signed. - key: is the name of the private key that was generated or imported into the HSM.

   The signature of an ACT (Time Stamp Authority), with the addition of timestamp is optional (parameter -tsa).

Verification

1. Checking a signed .jar file is also done with the program jarsigner:

   jarsigner -verify -verbose app.jar
   
   s        1782 Wed Aug 31 18:04:42 UTC 2022 META-INF/MANIFEST.MF
           1876 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.SF
           12143 Wed Aug 31 18:04:42 UTC 2022 META-INF/KEY.RSA
               0 Tue Aug 30 21:50:40 UTC 2022 META-INF/
               0 Tue Aug 30 21:50:40 UTC 2022 br/
               0 Tue Aug 30 21:50:40 UTC 2022 br/com/
               0 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/
               0 Tue Aug 30 21:50:40 UTC 2022 com/
               0 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/
   sm        170 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/NetDFence.class
   sm       2265 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacAccessToken.class
   sm       1252 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacException.class
   sm      60370 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacNDJavaLib.class
   sm       2360 Tue Aug 30 21:50:40 UTC 2022 br/com/trueaccess/TacSPBException.class
   sm      34425 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/Dinamo.class
   sm        718 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMAllInfo.class
   sm        631 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMCounterInfo.class
   sm        413 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMDiskInfo.class
   sm        490 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/HSMStatInfo.class
   sm        576 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/JwsComponents.class
   sm       2006 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/PIXHTTPReqDetails.class
   sm        401 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/PIXResponse.class
   sm       1073 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/SVaultGenTokenInfo.class
   sm        514 Tue Aug 30 21:50:40 UTC 2022 com/dinamonetworks/SVaultGenTokenResponse.class
   
     s = signature was verified
     m = entry is listed in manifest
     k = at least one certificate was found in keystore
     i = at least one certificate was found in identity scope
   
   - Signed by "CN=Dinamo Networks, O=Dinamo Networks, ST=Distrito Federal, C=BR"
       Digest algorithm: SHA-256
       Signature algorithm: SHA256withRSA, 3072-bit key
     Timestamped by "CN=DigiCert Timestamp 2022 - 2, O="DigiCert, Inc.", C=US" on Wed Aug 31 18:04:42 UTC 2022
       Timestamp digest algorithm: SHA-256
       Timestamp signature algorithm: SHA256withRSA, 4096-bit key
   
   jar verified.
   
   The signer certificate will expire on 2023-03-14.
   The timestamp will expire on 2031-11-09.