JavaCodeSigningCertificatesForBerkeley

Berkeley now provides code signing certificates, but using them is a little tricky because the certificate ends up in the browser and needs to be backed up as a PKCS12 file and converted to a JKS format keystore that can be read by the jarsigner command. In addition, during the conversion, the keystore alias is changed.

See https://wiki.eecs.berkeley.edu/ptolemy/Ptolemy/Certificates for the current Ptolemy II code signing certificate.

Get the certificate

https://calnetweb.berkeley.edu/calnet-technologists/calnet-incommon-comodo-certificate-service says:

For code signing certificates:
Contact calnet-pki@lists.b.e and we can work with you on provisioning your code signing certificate.

I emailed the above alias and the response asked if a browser certificate would work and requested my email address and the name that would appear in the certificate. I was told that I would get an invitation to generate a private key and then a second email where I should pick up my signed public key using the same browser.

I responded with my email address and name.

I then received an email message from InCommon telling me to go to a URL and generate a private key. I did that.

I then received an email message from InCommon telling me that my certificate had been created. I went to that URL and my certificate was added to the certificates of my browser.

Export the certificate from Firefox

In Firefox on the Mac, to view the certificate, do Preferences -> Privacy & Security -> Security -> View Certificates. The certificate will have a recent date on it and say something like "University of California at Berkeley's Internet 2 id".

In the Certificate Manager window of Firefox, select the certificate and click on Backup and save the file with a .p12 extension. This is a PKCS#12 file format. We use Backup here so that we get the private key and the public key.

Firefox asks for a password to protect the backup file. This password is also needed when importing the certificate into the keystore below, so choose a password that can be shared with others if necessary.

To view the contents of the backup, use the command below. The password is the password that was entered when the certificate was saved.

bash-3.2$ keytool -list -keystore ucb.p12 -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

university of california, berkeley (regents of the univ. of ca)’s internet2 id, May 16, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

If you get

keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

then the password you entered for keytool does not match the one used when the certificate was backed up; see http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6974037

One important thing to note is that the alias for this key is university of california, berkeley (regents of the univ. of ca)’s internet2 id. This alias is needed later for the -srcalias option when importing. To see the alias, use:

keytool -v -list -keystore ucb.p12 -storetype PKCS12
Enter keystore password:


Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: university of california, berkeley (regents of the univ. of ca)’s internet2 id
Creation date: May 16, 2018
Entry type: PrivateKeyEntry
...

The above command will also list the email address that was supplied:

...
#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: xxx@berkeley.edu
]

Import the certificate into your keystore

Use the command below to convert the PKCS12 file created by Firefox to a JKS file that can be used by jarsigner.

keytool -importkeystore -srcalias "university of california, berkeley (regents of the univ. of ca)’s internet2 id" \
-srckeystore jnlp-ptolemy-software-cert.p12 -srcstoretype PKCS12 -destkeystore ptkeystore.jks -destalias ptolemy

The key features are

-importkeystore
Import the keystore. This command line option is found in recent versions of keytool, such as the version shipped with Java 6; see http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html for details. This parameter is very important and is not present in earlier versions of keytool; the Mac OS X 10.7 keytool man page does not mention -importkeystore.
-srcalias "university of california, berkeley (regents of the univ. of ca)’s internet2 id"
The alias in the srckeystore. The value of the alias can be found with keytool -v -list -keystore ucb.p12 -storetype PKCS12, look for Alias name.
-srckeystore jnlp-ptolemy-software-cert.p12
The file created by Firefox when the certificate was backed up.
-srcstoretype PKCS12
The type of the source certificate.
-destkeystore ptkeystore.jks
The keystore that will be used by jarsigner.
-destalias ptolemy
A shorter alias that is easier to use in scripts.

View the contents of ptkeystore.jks:

bash-3.2$ keytool -list -keystore ptkeystore.jks -alias ptolemy
Enter keystore password:

ptolemy, Dec 14, 2016, PrivateKeyEntry,
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Use the certificate

We create a jar file and sign it.

bash-3.2$ echo "This is my test file" > README.txt
bash-3.2$ jar -cf test.jar README.txt
bash-3.2$ jarsigner -verbose -keystore ptkeystore.jks test.jar ptolemy
Enter Passphrase for keystore:
updating: META-INF/PTOLEMY.SF
updating: META-INF/PTOLEMY.RSA
signing: README.txt
jar signed.

Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate \
this jar after the signer certificate's expiration date (2019-12-14) or after any future revocation date.
bash-3.2$

Resigning Jar files

When the certificate expires, we need to resign the jar files.

"I Resign! Resigning Jar Files with Initium" by Doug Lyon outlines the solution:

  1. Get a new certificate (See above)
  2. Load the certificate into our keystore. For Ptolemy, this is /users/ptII/adm/certs/ptKeystore on moog
  3. Back up the jar files
  4. Unjar the previously signed .jar files
  5. Rejar the directories into .jar files of the same name.
  6. Sign the .jar files and
  7. Verify the .jar file signatures.

Get a new certificate

See above.

Load the certificate into our keystore.

For Ptolemy, this is /users/ptII/adm/certs/ptKeystore on moog.

Back up the jar files

  [root@moog books]# pwd
  /home/www/ptweb/books
  [root@moog books]# tar -zcf Systems23Jan2015.tar.gz Systems

Unjar the previously signed .jar files

A sample script is at http://ptolemy.eecs.berkeley.edu/books/updatejars

#!/bin/sh

# See http://chess.eecs.berkeley.edu/ptexternal/wiki/Main/JavaCodeSigningCertificatesForBerkeley
if [ ! -d unjar ]; then
  mkdir unjar
fi     

cd unjar
echo "In `pwd`"

# In 2014, signed jar files need a manifest that has a Permissions attribute.
# See http://docs.oracle.com/javase/tutorial/deployment/jar/secman.
# http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
# http://docs.oracle.com/javase/tutorial/deployment/jar/modman.html

JNLP_MANIFEST=jnlp_manifest.txt
echo "Application-Name: Ptolemy II" > $JNLP_MANIFEST
echo "Permissions: all-permissions" >> $JNLP_MANIFEST


JVM=/usr/lib/jvm/latest
jarsigner=$JVM/bin/jarsigner
jar=$JVM/bin/jar

files=`find .. -name "*.jar"`
for file in $files
do
        rm -rf tmp
        mkdir tmp
        cd tmp
        echo "  In `pwd`"
        $jar -xf ../$file
        rm -rf META-INF
        newjar=`basename $file`
        echo $newjar
        rm -f /tmp/$newjar
        $jar -cf /tmp/$newjar .

        # Avoid message about missing a "Permissions" manifest attribute.
        # Use the Oracle jar and avoid jarsigner: unable to sign jar: java.io.IOException: invalid header field
        $jar -umf ../$JNLP_MANIFEST /tmp/$newjar

        # Index it and avoid "This jar contains unsigned entries which have not been integrity-checked."
        $jar -i /tmp/$newjar

        # /usr/bin/jarsigner will report: jarsigner error: gnu.javax.crypto.keyring.MalformedKeyringException: incorrect magic

        TSA=""

        # Set TSA and use a timestamp and avoid:
        #
        # "This jar contains signatures that does not include a
        # timestamp. Without a timestamp, users may not be able to
        # validate this jar after the signer certificate's expiration
        # date (2019-12-14) or after any future revocation date."
        #
        # See http://certhelp.ksoftware.net/support/solutions/articles/17164-how-do-i-sign-and-timestamp-a-java-jar-file-
        # For now, skip this because it takes too long.
        #TSA="-tsa http://timestamp.comodoca.com/rfc3161"

        $jarsigner -storepass `cat ~/.certpw` -keystore /users/ptII/adm/certs/ptKeystore -keypass `cat ~/.certpw` $TSA /tmp/$newjar ptolemy


        if [ ! -z "$TSA" ]; then
            # https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server
            echo "Comodo asks that we sleep for 15 seconds between calls."
            sleep 15
        fi

        # /usr/bin/jarsigner will report "jarsigner: Signature Block missing for PTOLEMY".  Use Oracle JDK1.7 jarsigner
        $jarsigner -verify /tmp/$newjar
        cd ..

        echo "Copying /tmp/$newjar to $file"
        cp /tmp/$newjar $file
done
 
  5. Rejar the directories into .jar files of the same name.
  6. Sign the .jar files and
  7. Verify the .jar file signatures.
    1. Verify returns jarsigner: Signature Block missing for PTOLEMY. Solution: use jarsigner from Oracle JVM 1.7 or later: /usr/lib/jvm/latest/bin/jarsigner -verify Systems/models/signed/lib/smackx.jar
    2. Verify returns This jar contains unsigned entries which have not been integrity-checked. The solution is to index the file before signing it.
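The script below is an added example; it is not part of this page and not the Ptolemy updatejars script. It rehearses the whole procedure described above, from the "Import the certificate into your keystore" step through "Use the certificate" and the resigning steps, against a throwaway self-signed key so that the conversion and the resign loop can be tried out before the real Berkeley certificate is involved: it finds the long Firefox-style alias in the PKCS#12 file mechanically, converts the file to a JKS keystore under the short alias ptolemy, signs a jar, verifies it, strips the old signature files and resigns it. The alias, file names and password in it are made up. The keytool, jar and jarsigner invocations are the ones this page uses, plus jarsigner's -storepass:file option, which reads the password from a file instead of the command line. It needs a JDK 8 or later on the PATH and reports a skip otherwise.

```shell
#!/bin/sh
# Added example, not the page's updatejars script: rehearses convert -> sign ->
# verify -> resign with a throwaway self-signed key.  The alias, file names and
# password below are constructed.  Needs keytool, jar and jarsigner (JDK 8+).

# Stand-in for the alias Firefox gives the exported key.  Like the real one it
# has commas, parentheses and an apostrophe, so the functions look it up
# instead of relying on someone retyping it.
DEMO_ALIAS="demo org, somewhere (regents of the demo)'s internet2 id"

have_jdk() {
    for t in keytool jar jarsigner; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

# Print the "Alias name:" of the single entry in a PKCS#12 file.  Prints nothing
# when the password is wrong, which is the situation behind the
# "failed to decrypt safe contents entry" error quoted above.
p12_alias() {   # p12file storepass
    keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
        | sed -n 's/^Alias name: //p' | head -n 1
}

# The -importkeystore step: PKCS#12 backup -> JKS, entry renamed to a short alias.
p12_to_jks() {   # p12file p12pass jksfile jkspass destalias
    srcalias=$(p12_alias "$1" "$2")
    [ -n "$srcalias" ] || { echo "p12_to_jks: no entry in $1 (wrong password?)" >&2; return 1; }
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" -srcalias "$srcalias" \
        -destkeystore "$3" -deststoretype JKS -deststorepass "$4" -destkeypass "$4" \
        -destalias "$5" >/dev/null 2>&1
}

# Sign, reading the password from a file (-storepass:file) rather than putting it
# on the command line where process listings show it.  Set TSA="-tsa <url>" to
# add a timestamp, as the page's script does.
sign_jar() {   # jarfile jksfile passfile alias
    jarsigner -keystore "$2" -storepass:file "$3" $TSA "$1" "$4" >/dev/null 2>&1
}

# Verify; fail on anything but "jar verified." and on the unsigned-entries warning
# the troubleshooting notes above describe.
verify_jar() {   # jarfile
    out=$(jarsigner -verify "$1" 2>&1) || return 1
    case "$out" in *"jar verified."*) ;; *) return 1 ;; esac
    case "$out" in *"unsigned entries"*) return 2 ;; esac
    return 0
}

# Resign an already-signed jar: unpack, drop the old signature files so no stale
# .SF/.RSA pair remains, rebuild with the existing manifest, sign again.
resign_jar() {   # jarfile jksfile passfile alias
    abs=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    work=$(mktemp -d) || return 1
    status=0
    ( cd "$work" && jar xf "$abs" \
        && rm -f META-INF/*.SF META-INF/*.RSA META-INF/*.DSA META-INF/*.EC \
        && jar cfm "$abs" META-INF/MANIFEST.MF . ) >/dev/null 2>&1 || status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] && sign_jar "$1" "$2" "$3" "$4"
}

# Run everything in a scratch directory.  Returns 0 only if each step behaves as
# the page describes; returns 0 with a message if no JDK is on the PATH.
demo() {
    have_jdk || { echo "demo: keytool/jar/jarsigner not found, skipping" >&2; return 0; }
    dir=$(mktemp -d) || return 1
    pw=constructed-demo-password
    status=0
    (
        cd "$dir" || exit 1
        printf '%s\n' "$pw" > pw.txt
        # stand-in for the Firefox backup: a self-signed key in a PKCS#12 file
        keytool -genkeypair -alias "$DEMO_ALIAS" -keyalg RSA -keysize 2048 -validity 30 \
            -dname "CN=Demo Code Signing, O=Demo" -keystore backup.p12 -storetype PKCS12 \
            -storepass "$pw" -keypass "$pw" >/dev/null 2>&1 || exit 1
        [ -z "$(p12_alias backup.p12 wrong-password)" ] || exit 1   # wrong password: no alias
        [ "$(p12_alias backup.p12 "$pw")" = "$DEMO_ALIAS" ] || exit 1
        p12_to_jks backup.p12 "$pw" ptkeystore.jks "$pw" ptolemy || exit 1
        keytool -list -keystore ptkeystore.jks -storepass "$pw" -alias ptolemy >/dev/null 2>&1 || exit 1
        printf 'This is my test file\n' > README.txt
        jar cf test.jar README.txt || exit 1
        verify_jar test.jar && exit 1          # an unsigned jar must not pass
        sign_jar test.jar ptkeystore.jks pw.txt ptolemy || exit 1
        verify_jar test.jar || exit 1
        resign_jar test.jar ptkeystore.jks pw.txt ptolemy || exit 1
        verify_jar test.jar || exit 1
        [ "$(jar tf test.jar | grep -c '\.SF$')" -eq 1 ] || exit 1   # exactly one signature file
    ) || status=$?
    rm -rf "$dir"
    return "$status"
}

demo
```

Run it with sh; it works in a temporary directory and removes it afterwards. Two differences from the updatejars script above are deliberate: jarsigner reads the password from a file itself instead of having it spliced into the command line with `cat ~/.certpw`, where ps shows it to every user on the machine, and resigning removes only the old signature files (META-INF/*.SF, *.RSA, *.DSA, *.EC) while keeping the existing MANIFEST.MF, so main attributes such as Permissions or Main-Class survive the rejar instead of having to be added back with jar -umf.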
Page last modified on June 21, 2019, at 11:13 PM