Jarsigner Commands

When using the Jarsigner commands in this topic, ensure that you use the command flags discussed in Prerequisites for Keytool and Jarsigner.

Signing a Jar File with a Key

This operation signs a JAR file with a key. The command is run using jarsigner with JCE.

To sign a JAR file with a key stored in the HSM

Command syntax:

jarsigner \
  -J-cp -J<dedicated_kms_jce_jar_path> \
  -J-Djava.security.properties=<java_security_override_file> \
  -keystore <local-keystore-name>.dkms -storepass <example-password> -storetype DKKS -keypass <example-password> \
  -signedjar <signed-jar-name> \
  -digestalg <digest-algorithm> -sigalg <signature-algorithm> -certs <jar-to-be-signed> <hsm-key-alias>

If you receive a warning message stating "The signer's certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", the local keystore lacks a signed certificate.

You can resolve a certificate chain error with the following operations:

  1. Use the keytool program to generate a CSR corresponding to the key on the HSM.

    keytool \
    -J-cp -J<dedicated_kms_jce_jar_path> \
    -certreq \
    -alias <example-alias> \
    -file <CSR-stored-file>.csr \
    -keyalg <key-algorithm> -keysize <key-size> -sigalg <signature-algorithm> \
    -dname <example-distinguished-name> \
    -keypass <example-password> -keystore <keystore-name> -storepass <example-password> -storetype DKKS

    Note the following:

    • -certreq is used to generate a CSR.
    • -alias indicates the alias for the specified key. By specifying this alias, if the key doesn't exist in the keystore, the DKKS keystore searches the HSM for a label matching this alias.
    • -keyalg rsa -keysize 4096 specifies the algorithm and key size for the key pair.
    • -sigalg sha512withrsa specifies the signature algorithm, and -dname provides the distinguished name for the CSR.
  2. Use openssl to create a new self-signed local CA X.509 certificate (.crt file) and an RSA private key (.pem file).

    openssl req -x509 -newkey rsa:4096 -sha512 -nodes \
    -out <local-ca-crt>.crt \
    -outform pem -keyout <local-ca-pem>.pem \
    -subj /C=US/ST=CA/L=SanJose/O=ExampleCA/OU=Signing/CN=exampleca.com
  3. Import the local CA certificate into the keystore.

    keytool \
    -J-cp -J<dedicated_kms_jce_jar_path> \
    -importcert -noprompt \
    -alias <local-ca-cert-alias> \
    -file <local-ca-crt>.crt \
    -keypass <example-password> -keystore <keystore-name>.dkms -storepass <example-password> -storetype DKKS

    Note the following:

    • -importcert is used to import a certificate.
    • -noprompt instructs the program not to use prompts.
    • -alias specifies the alias that the CA certificate will be assigned.
    • -file is the file containing the certificate.
    • -keypass sets a password for the key.
  4. List the certificate to ensure the local CA certificate is in the keystore:

    keytool \
    -J-cp -J<dedicated_kms_jce_jar_path> \
    -list \
    -alias <local-ca-cert-alias> \
    -keypass <example-password> -keystore <keystore-name> -storepass <example-password> -storetype DKKS

    The command returns output similar to the following:

    Your keystore contains 1 entry
  5. Using openssl, create an X.509 certificate from the generated CSR, signed by the local CA certificate and key, and set the serial number for the new certificate:

    openssl x509 -req -days 365 \
    -in <CSR-stored-file>.csr \
    -CA <local-ca-crt>.crt \
    -CAkey <local-ca-pem>.pem \
    -set_serial <example-serial-number> \
    -out <output-crt>.crt
  6. Using keytool, import the <output-crt>.crt file into the keystore:

    keytool \
    -J-cp -J<dedicated_kms_jce_jar_path> \
    -importcert -noprompt \
    -alias <output-crt-alias> \
    -file <output-crt>.crt \
    -keypass <example-password> -keystore <keystore-name> -storepass <example-password> -storetype DKKS
  7. Confirm that the certificate was successfully imported:

    keytool \
    -J-cp -J<dedicated_kms_jce_jar_path> \
    -list \
    -alias <output-crt-alias> \
    -keypass <example-password> -keystore <keystore-name> -storepass <example-password> -storetype DKKS

    The program returns output similar to the following:

    Your keystore contains 1 entry
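The following script is an added example, not part of the original page or of the Dedicated KMS tooling. It rehearses steps 2 and 5 locally with openssl and adds the check a practitioner wants before step 6: that the issued certificate actually chains to the local CA, which is what jarsigner's PKIX path error is complaining about. No HSM is available offline, so the CSR is produced from a locally generated RSA key (an assumption); with Dedicated KMS the CSR comes from keytool -certreq as in step 1. File names, the 2048-bit key size and the serial number 1001 are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page: local rehearsal of steps 2 and 5 plus a
# chain check to run before step 6. The signer CSR is made from a locally generated
# RSA key (assumption); with Dedicated KMS it comes from keytool -certreq (step 1).
set -e
WORK=${WORK:-$(mktemp -d)}

# Step 2: self-signed local CA certificate (.crt) and private key (.pem).
# $1 = file prefix, $2 = CN of the CA (constructed values).
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -sha512 -nodes \
    -out "$WORK/$1.crt" -outform pem -keyout "$WORK/$1.pem" \
    -subj "/C=US/ST=CA/L=SanJose/O=ExampleCA/OU=Signing/CN=$2" 2>/dev/null
}

# Stand-in for step 1: a CSR for the signing key (local key instead of the HSM key).
make_csr() {
  openssl req -new -newkey rsa:2048 -sha512 -nodes \
    -keyout "$WORK/signer.pem" -out "$WORK/signer.csr" \
    -subj /C=US/O=Example/OU=Build/CN=jar-signer 2>/dev/null
}

# Step 5: issue the signer certificate from the CSR, signed by the local CA.
issue_signer_cert() {
  openssl x509 -req -days 365 -sha512 -in "$WORK/signer.csr" \
    -CA "$WORK/local-ca.crt" -CAkey "$WORK/local-ca.pem" \
    -set_serial 1001 -out "$WORK/signer.crt" 2>/dev/null
}

# Check before step 6: the issued certificate must chain to the CA file given in $1,
# otherwise jarsigner reports "unable to find valid certification path to requested target".
chain_is_valid() {
  openssl verify -CAfile "$1" "$WORK/signer.crt" >/dev/null 2>&1
}

# The issuer of the issued certificate should name the local CA.
issuer_is_local_ca() {
  openssl x509 -in "$WORK/signer.crt" -noout -issuer | grep -q 'exampleca.com'
}

make_local_ca local-ca exampleca.com
make_csr
issue_signer_cert
if chain_is_valid "$WORK/local-ca.crt"; then
  echo "chain OK: import $WORK/signer.crt with keytool -importcert (step 6)"
else
  echo "chain broken: do not import $WORK/signer.crt"; exit 1
fi
```

Only a certificate that passes the chain check is worth importing in step 6; one that fails it will reproduce the PKIX error at signing time even after import.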
Tip

Signing a JAR file with a new key ensures that the signing operation doesn't produce a certificate chain error, because the new key's certificate is added to the local keystore during creation. Use the instructions in Generate Key Pair to create a new key with keytool.

Verifying the JAR File Signing Details

Use the -verify flag to verify the signing details of a signed JAR file, including which key was used to sign the file. The command is run using jarsigner with JCE.

To verify the signed JAR file with the key

Command syntax:

jarsigner \
  -J-cp -J<dedicated_kms_jce_jar_path> \
  -verify \
  -keystore <local-keystore-name>.dkms -storepass <example-password> -storetype DKKS -keypass <example-password> \
  -certs <signed-jar-name> <example-key-alias>