JDK tool keytool and jarsigner help Part2 (JDK keytool & jarsigner tool manual)

Source: Internet
Author: User

0. Background
Keytool is the key and certificate management tool included in the JDK. It manages a keystore that holds private keys and their associated X.509 certificate chains; the certificate chain is used to authenticate the corresponding public key. The keystore is similar to a database. Keytool is also used to manage the certificates of trusted entities.
Jarsigner is the JDK tool for signing and verifying JAR files: it generates a signature for a JAR file and verifies signed JAR files.
1. Tool location
Both tools are located in the $JAVA_HOME/bin directory, where $JAVA_HOME is the JDK installation directory.
Both tools are run from the command line. Entering keytool or jarsigner with no arguments in a command window prints the usage help for that tool.
2. Introduction to jarsigner tools
The jarsigner tool has two functions:
A. Sign a JAR file.
B. Verify the signature of a signed JAR file and the integrity of its contents.

A JAR file can bundle the class files of several packages together with images, sounds and other data, which makes distribution faster and more convenient. JAR files are created with the jar tool. Technically, any ZIP file can be treated as a JAR file, although a JAR file created with jar also contains a META-INF/MANIFEST.MF file.
A digital signature is a bit string computed from some data (the signed data) and the private key of an entity. Like a handwritten signature, a digital signature has several properties:
Its authenticity can be verified by a computation that uses the public key corresponding to the private key.
It cannot be forged, as long as the private key is not disclosed.
It is a function of the data, so it cannot serve as the signature of other data.
The signed data cannot be changed; otherwise the signature no longer verifies.
To sign a file, the entity must first have a key pair (a public and a private key) and one or more certificates that authenticate the public key.
A certificate is a statement signed by one entity about another entity, attesting that the other entity's public key has a particular value.
Jarsigner uses the key and certificate information in the keystore to generate a digital signature for the JAR file. A keystore is a database that stores private keys and their corresponding X.509 certificate chains, which authenticate the public keys. The keytool is used to create and manage the keystore.
Jarsigner generates the signature with an entity's private key. The signed JAR file contains a copy of the certificate for the public key that corresponds to that private key in the keystore, and jarsigner uses this certificate when verifying the digital signature of the JAR file.
Since J2SE 5.0, jarsigner can generate a signature that contains a timestamp, so the system or deployer can check whether the certificate contained in the signed JAR is valid. J2SE 5.0 also includes APIs for obtaining the timestamp information.
So far, jarsigner can only sign JAR files generated by the JDK jar tool and ZIP files. When a ZIP file is signed with jarsigner, the META-INF/MANIFEST.MF file is generated automatically.
By default jarsigner signs the JAR/ZIP file; the -verify option verifies the signature instead.
3. Concepts
Keystore alias: every keystore entry is accessed through a unique alias. When jarsigner is used to sign a JAR file, the alias of the private key used for signing must be specified.
Keystore location: jarsigner provides the -keystore option to specify the keystore URL.
Keystore implementation: see the first part of this article.
Supported signature algorithms: so far, jarsigner can sign JAR files with SHA1withDSA or MD5withRSA.
Signing a JAR file: when jarsigner signs a JAR file, the output JAR file is identical to the input JAR file except for two additional files:
a signature file, with the suffix .SF;
a signature block file, with the suffix .DSA (the suffix depends on the signing key's algorithm, which is why the RSA-signed example below produces myalias.RSA).
The base name (without suffix) of these two files is set with the -sigfile option. If the option is not given, the base name is the first 8 characters of the alias converted to upper case; if the alias is shorter than 8 characters, the whole alias is used. Characters of the alias that are not allowed in a signature file name are converted to underscores.
Signature file (.SF): the signature file is similar to the manifest file and is always added to the JAR when jarsigner signs it. For each source file in the JAR, the .SF file contains three lines, as the manifest does: the file name, the name of the hash algorithm used, and the hash value. In the manifest file, the hash of a source file is the hash of the file's binary data. In the .SF file, the hash recorded for each source file is instead the hash of that file's three-line section in the manifest. The header of the signature file also contains the hash of the entire manifest file, which allows verification to be optimized.
Signature block file (.DSA): the .SF file is signed and the signature is placed in the .DSA file. The .DSA file also contains the signer's certificate or certificate chain.
Signature timestamp: since J2SE 5.0, the jarsigner tool can generate and store a signature timestamp. Jarsigner also supports alternative signing mechanisms. Both features are optional and are controlled during signing with the following options:
-tsa url
-tsacert alias
-altsigner class
-altsignerpath classpathlist
JAR file verification: verification succeeds when the signature is valid and none of the files in the JAR have been modified since signing. To verify a JAR file, jarsigner performs the following steps:
Verify the signature over the .SF file.
Verify the hash recorded for each entry listed in the .SF file against the corresponding section of the manifest.
Read each file listed in the .SF file from the JAR, compute its hash while reading, and compare the result with the corresponding value in the manifest file.
If any of these steps fails, the whole verification stops and a security exception is thrown, which jarsigner catches and displays.
Multiple signatures: a JAR file can be signed by more than one signer.
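The digest chain behind steps 2 and 3 above, together with the .SF layout described under "Signature file", as an added Python example that is not part of the original article or of jarsigner itself: it builds a manifest and .SF for a constructed in-memory jar (using SHA-256, the digest current jarsigner defaults to, rather than the MD5 of the command example in section 4), then verifies the chain and shows which step catches a modified file versus a modified manifest. Step 1, the signature over the .SF, needs the signer's certificate and is not modelled; the entry names and bytes are constructed.

```python
import base64
import hashlib

# Constructed sample jar contents (entry name -> bytes); not a real class file.
SAMPLE_JAR = {
    "org/jff/example/util/PrintGreeting.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "org/jff/example/banner.txt": b"hello\n",
}

def b64digest(data: bytes) -> str:
    """Base64-encoded SHA-256 digest, the encoding used by *-Digest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sections(text: str) -> list:
    """Split a manifest-style file into raw sections, each kept with its terminating blank line."""
    return [s + "\n\n" for s in text.split("\n\n") if s]

def attr(sec: str, key: str) -> str:
    """Read one 'Key: value' attribute from a section."""
    for line in sec.splitlines():
        if line.startswith(key + ": "):
            return line[len(key) + 2:]
    raise ValueError(f"missing attribute {key}")

def build_manifest(entries: dict) -> str:
    """MANIFEST.MF: a main section, then a 'Name:' section holding the digest of each file's bytes."""
    out = "Manifest-Version: 1.0\nCreated-By: example\n\n"
    for name, data in entries.items():
        out += f"Name: {name}\nSHA-256-Digest: {b64digest(data)}\n\n"
    return out

def build_sf(manifest: str) -> str:
    """.SF: digest of the whole manifest in the header, then the digest of each manifest section."""
    out = f"Signature-Version: 1.0\nSHA-256-Digest-Manifest: {b64digest(manifest.encode())}\n\n"
    for sec in sections(manifest)[1:]:
        out += f"Name: {attr(sec, 'Name')}\nSHA-256-Digest: {b64digest(sec.encode())}\n\n"
    return out

def verify(entries: dict, manifest: str, sf: str) -> str:
    """Steps 2 and 3 of the page's procedure: .SF digests against manifest sections, then manifest
    digests against file bytes. Step 1 (the signature over the .SF in the .DSA/.RSA block) is not modelled."""
    man_secs = {attr(s, "Name"): s for s in sections(manifest)[1:]}
    for sec in sections(sf)[1:]:
        name = attr(sec, "Name")
        sec_m = man_secs.get(name)
        if sec_m is None or attr(sec, "SHA-256-Digest") != b64digest(sec_m.encode()):
            return f"manifest section digest mismatch for {name}"
        if name not in entries or attr(sec_m, "SHA-256-Digest") != b64digest(entries[name]):
            return f"file digest mismatch for {name}"
    return "jar verified"
```

Re-generating the .SF after editing the manifest makes the digest chain verify again, which is exactly why step 1 (the signature over the .SF) is what binds the chain to the signer.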
4. jarsigner tool help
C:/j2sdk1.4.2_15/jre/lib/security> C:/j2sdk1.4.2_15/bin/jarsigner.exe
Usage: jarsigner [options] jar-file alias
       jarsigner -verify [options] jar-file
[-keystore <url>]
[-storepass <password>]
[-storetype <type>]
[-keypass <password>]
[-sigfile <file>]
[-signedjar <file>]
[-verify]
[-verbose]
[-certs]
[-internalsf]
[-sectionsonly]
[-provider]
...
Example:
C:/> jar cf pg.jar org/*.*

C:/> jarsigner -storetype jks -keystore C:/mykeystore.keystore -digestalg MD5 -sigalg MD5withRSA -signedjar pgsigned.jar pg.jar myalias

After signing, the signed JAR contains the following files under META-INF:

The content of MANIFEST.MF is as follows:
Manifest-Version: 1.0
Created-By: 1.6.0_12 (Sun Microsystems Inc.)

Name: org/jff/example/util/PrintGreeting.class
MD5-Digest: fjspbdcp8n2+cqko6ciiig==

The content of myalias.SF is as follows:
Signature-Version: 1.0
MD5-Digest-Manifest: V6+q+hvz6nmkmwlskciorg==
MD5-Digest-Manifest-Main-Attributes: qgefyowqcj8su+kqamjbba==
Created-By: 1.6.0_12 (Sun Microsystems Inc.)

Name: org/jff/example/util/PrintGreeting.class
MD5-Digest: wiikmblosrbl53bcupa74g==

The content of myalias.RSA is binary.

C:/> jarsigner -verify pgsigned.jar
jar verified.
Modify the content of myalias.SF and verify again:
C:/> jarsigner -verify pgsigned.jar
jarsigner: java.lang.SecurityException: cannot verify signature block file META-INF/myalias

5. Summary
This article is the second part of the keytool & jarsigner document. It introduces the functions and concepts of jarsigner and briefly describes the jarsigner tool included in the JDK.
For more information about keytool, see the first part of this article.
