Accessing Native methods from a Java Applet

www.ebsolutech.com

by Sanket Bakshi, s.bakshi@ebsolutech.com

Tools to be used

  1. Keytool
  2. Jar tool
  3. JarSigner

NOTE: All the tools can be found in the bin directory under the Java home directory.

Keytool

The keytool utility that accompanies the JDK provides an administrative interface to the keystore class. This keystore class stores information about all the keys used.

Global Options to the keytool

1. -alias alias               Specifies the alias the operation should apply to. The default is “myKey”.

2. -dname distinguishedName   Specifies the distinguished name. There is no default; if nothing is entered, the user is prompted for it when it is needed.

3. -keypass password          Specifies the password used to protect a particular entry’s private key.

4. -keystore filename         Specifies the name of the file that holds the keystore.

5. -storepass password        Specifies the password used to protect the entire keystore.

6. -storetype storeType       Specifies the type of keystore that the keytool should operate on.

7. -v                         Verbose: prints information about the operations the keytool is performing.

Other Options

o  -import      Imports a certificate into the database, either creating a new entry or importing it for an existing alias. You can specify the certificate file from which it is to be imported.

o  -export      Exports the certificate for a given alias to a given file. The certificate is exported in RFC 1421 format.

o  -genkey      Generates a key pair and adds that entry to the keystore. Here, you can specify the algorithm name, key size, signature algorithm and validity in days.

o  -certreq     Generates a certificate-signing request (CSR). Here, you can specify the output file name, the signature algorithm and the alias for which the request is created. The format of the CSR is defined in PKCS #10. The CSR can be sent to the CA to get back a certificate they have signed. The certificate verifies the public key sent.

o  -keyclone    Creates a clone of a given key. A new alias name and password are required.

o  -selfcert    Replaces the current certificate with a new self-signed certificate.

o  -list        Lists one or more entries in the keystore.

o  -delete      Deletes the entry of the specified alias.

o  -printcert   Prints a certificate in a readable form so that its fingerprint can be verified. The input certificate file should be in RFC 1421 format.

Jar tool

The jar tool is another utility offered by the JDK. It allows the user to create a Java Archive containing one or more files. Optional manifest information can also be included.

JarSigner

The JarSigner tool is used to sign an already created jar file. The same tool can also be used to verify whether a given archive is signed or unsigned. A signed Jar file is identical to a standard Jar file except that a signed Jar file contains two additional entries:

o  SIGNER.SF    This is a file containing a SHA message digest for each class file in the archive.

o  SIGNER.DSA   This file contains the digital signature of the SF file. The extension is the algorithm used to generate the signature.

The operation of the JarSigner tool can be divided into two parts:

1.      Creating a Signed Jar File

This involves signing the existing jar file using the private key of the given alias.

The default syntax is as follows:

jarsigner [options] jar-file alias

Following are the options to be used.

1. -keystore keystore     Specify the file name that the keystore class should use as a keystore.

2. -storepass storepass   Specify the global keystore password.

3. -keypass passwd        Specify the password for the key entry of the given alias.

4. -sigfile file          Specify the base name to be used for the .SF and .DSA files.

5. -signedjar file        Write the signed jar file to the named file instead of adding the signature entries to the input jar file.

6. -verbose               Print information as the jarsigner progresses.

2.      Verifying a Jar File

This process involves verifying a jar file that has already been signed using the above process.

The default syntax is as follows:

jarsigner -verify [options] jar-file

The following options are supported:

1. -sigfile file        Use the given base name to look for the .SF and .DSA files. This is used when the jar has been signed with multiple entries.

2. -verbose             Provide verbose output for verification, indicating for each file whether it was signed and whether the signer of the file is found in the keystore.

3. -ids                 This is used in conjunction with the -verbose option to print the distinguished name and alias of the certificate (if any).

4. -keystore keystore   Use the given file as the keystore to load. The default is the .keystore file in the user's home directory.
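
An added example (not part of the original article) of the per-file check that jarsigner -verify -verbose reports: it lists the signature entries in a JAR and compares every file against the digest recorded for it. It goes slightly beyond the text by reading META-INF/MANIFEST.MF, where the per-file digests are stored, and it does not validate the digital signature in the .DSA block. The sample JAR and the names audit_jar, manifest_digests and build_sample_jar are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

SIG_ENTRY = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.I)

def manifest_digests(text):
    """Map entry name -> (hashlib algorithm, base64 digest) from MANIFEST.MF."""
    text = re.sub(r"\r\n?", "\n", text).replace("\n ", "")  # unfold continuation lines
    found = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, value in attrs.items():
            if "Name" in attrs and key.endswith("-Digest"):
                alg = key[:-len("-Digest")].replace("-", "").lower()  # SHA-256 -> sha256
                found[attrs["Name"]] = (alg, value)
    return found

def audit_jar(data):
    """Return (signature entries, {entry: 'ok' | 'modified' | 'unsigned'})."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        digests = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        status = {}
        for name in names:
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue
            if name not in digests:
                status[name] = "unsigned"  # no digest recorded, e.g. added after signing
                continue
            alg, expected = digests[name]
            actual = base64.b64encode(hashlib.new(alg, jar.read(name)).digest()).decode()
            status[name] = "ok" if actual == expected else "modified"
    return sorted(n for n in names if SIG_ENTRY.match(n)), status

def build_sample_jar(tamper=False):
    """Constructed sample laid out like a signed JAR; the signature bytes are dummies."""
    cls = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha256(cls).digest()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n"
                     f"Name: Demo.class\r\nSHA-256-Digest: {digest}\r\n\r\n")
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SIGNER.DSA", b"placeholder, not a real signature")
        jar.writestr("Demo.class", cls + (b"!" if tamper else b""))
        jar.writestr("Extra.class", b"constructed entry added after signing")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(build_sample_jar()), audit_jar(build_sample_jar(tamper=True))[1])
```

An entry reported as unsigned or modified is one the signer's key never covered, so it should not inherit the trust given to the signed archive.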

© 2001 – EBSolute Technologies