Signing a JAR file using Luna Cloud HSM



Using the SunPKCS11 provider.


- Sample configuration file for SunPKCS11 (saved as p11.cfg, the file passed to -providerarg in the commands below). CKA_SENSITIVE = true and CKA_EXTRACTABLE = false on the private key template keep the signing key inside the HSM; Java only ever receives a handle to it.

name = CloudHSM
library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
slot = 0

attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_TOKEN = true
  CKA_SIGN = true
  CKA_SENSITIVE = true
  CKA_PRIVATE = true
  CKA_DECRYPT = true
  CKA_UNWRAP = true
  CKA_EXTRACTABLE = false
  CKA_MODIFIABLE = true
}

attributes(*,CKO_PUBLIC_KEY,*) = {
  CKA_VERIFY = true
  CKA_ENCRYPT = true
  CKA_WRAP = true
  CKA_TOKEN = false
}

attributes(*,CKO_SECRET_KEY,*) = {
  CKA_ENCRYPT = true
  CKA_DECRYPT = true
  CKA_SENSITIVE = true
  CKA_WRAP = true
  CKA_UNWRAP = true
  CKA_PRIVATE = true
  CKA_TOKEN = true
}


- Generating signing key and certificates.

Generate the signing key pair inside the HSM.
keytool -genkey -alias signingKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -dname "CN=Code Signing" -ext KU:C="digitalSignature" -ext EKU:C="codeSigning" -keystore NONE -storetype PKCS11 -providername SunPKCS11-CloudHSM -providerclass sun.security.pkcs11.SunPKCS11 -providerarg p11.cfg

Generating a certificate request using the generated key.
keytool -certreq -alias signingKey -keystore NONE -storetype PKCS11 -providername SunPKCS11-CloudHSM -providerclass sun.security.pkcs11.SunPKCS11 -providerarg p11.cfg -file signingKey.csr

Signing the generated Certificate Signing Request (CSR) using an OpenSSL based Certificate Authority (CA).
openssl ca -config myCA/myIssuing/myIssuing.cnf -extensions code_signing -days 730 -md sha256 -in signingKey.csr -out signingKey.cer

Create a P7B file containing the signed certificate and the certificate chain.
openssl crl2pkcs7 -nocrl -certfile myRoot.cer -certfile myIssuing.cer -certfile signingKey.cer -out signingKey.p7b

Importing certificates from a P7B file to SunPKCS11 keystore.
keytool -importcert -alias signingKey -keystore NONE -storetype PKCS11 -providername SunPKCS11-CloudHSM -providerclass sun.security.pkcs11.SunPKCS11 -providerarg p11.cfg -file signingKey.p7b

List the contents of the keystore to check that the alias now holds both the private key entry and the full certificate chain.
keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerarg p11.cfg -v


- Signing a JAR file.

Check whether the JAR file is already signed.
jarsigner -verify SolarSystem.jar

Signing the JAR file using the generated signing key.
jarsigner -keystore NONE -storetype PKCS11 -providername SunPKCS11-CloudHSM -providerclass sun.security.pkcs11.SunPKCS11 -providerarg p11.cfg -signedjar SS_p11.jar -tsa http://timestamp.globalsign.com/tsa/r6advanced1 SolarSystem.jar signingKey

Verify the signed JAR file.
jarsigner -verify SS_p11.jar -keystore truststore -verbose
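As an added example (not part of the original page), the Java equivalent of the provider wiring keytool and jarsigner use above: it loads the PKCS11 keystore from p11.cfg, signs constructed sample data with the HSM-resident key, and checks that the certificate imported under the alias actually belongs to that key and carries the code-signing extensions requested at key generation. It assumes the configuration file is saved as p11.cfg, the alias signingKey from the commands above, and a terminal to enter the partition password.

```java
// Added example, not from the original page. Assumes p11.cfg (the configuration
// above), alias "signingKey" and a terminal to prompt for the partition password.
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

public class HsmSignCheck {
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    // keytool's -providerclass/-providerarg in code: JDK 8 has a constructor taking the path, JDK 9+ Provider.configure; reflection compiles on both.
    static Provider loadPkcs11(String configPath) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        Provider p = base != null
            ? (Provider) Provider.class.getMethod("configure", String.class).invoke(base, configPath)
            : (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                  .getConstructor(String.class).newInstance(configPath);
        Security.addProvider(p);
        return p;
    }
    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "p11.cfg";
        String alias = args.length > 1 ? args[1] : "signingKey";
        Provider p = loadPkcs11(cfg);
        // -keystore NONE -storetype PKCS11: the store lives in the HSM, so load() gets no stream.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, System.console().readPassword("Partition password: "));  // prompted, never a CLI argument
        // A handle, not key material: CKA_EXTRACTABLE=false in p11.cfg keeps the key inside the HSM.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) throw new IllegalStateException("alias " + alias + " needs a key and a certificate");
        // The extensions requested with -ext KU:C=digitalSignature -ext EKU:C=codeSigning (KeyUsage bit 0 is digitalSignature).
        boolean digitalSignature = cert.getKeyUsage() != null && cert.getKeyUsage()[0];
        boolean codeSigning = cert.getExtendedKeyUsage() != null && cert.getExtendedKeyUsage().contains(EKU_CODE_SIGNING);
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", p);  // the RSA operation runs inside the HSM
        signer.initSign(key);
        signer.update(data);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");   // software verify with the imported certificate
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        boolean matches = verifier.verify(sig);  // false means the imported certificate does not belong to this HSM key
        System.out.printf("verifies=%b digitalSignature=%b codeSigning=%b%n", matches, digitalSignature, codeSigning);
        System.exit(matches && digitalSignature && codeSigning ? 0 : 1);
    }
}
```

A non-zero exit means the alias is not fit for jarsigner: either the certificate imported with -importcert does not match the HSM key, or it lacks the digitalSignature / codeSigning extensions.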



Using LunaProvider (Java Security Provider for Luna HSMs) to sign a JAR file.


- Generating keys for signing.


LunaProvider requires a dummy keystore file containing information about the slot to use.
echo "slot:0" > luna.ks

Generate the signing key using LunaProvider.
keytool -genkey -alias mySigningKey -keyalg RSA -keysize 2048 -validity 730 -sigalg sha256WithRSA -dname "CN=Jar Signing" -ext KU:C="digitalSignature" -ext EKU:C="codeSigning" -keystore luna.ks -storetype Luna

Generate a Certificate Signing Request (CSR).
keytool -certreq -alias mySigningKey -keystore luna.ks -storetype Luna -file signingKey.csr

Sign the CSR using an OpenSSL based CA.
openssl ca -config myCA/myIssuing/myIssuing.cnf -extensions code_signing -days 730 -notext -md sha256 -in signingKey.csr -out signingKey.cer

Create a P7B file containing the signed certificate and the issuers.
openssl crl2pkcs7 -nocrl -certfile myRoot.cer -certfile myIssuing.cer -certfile signingKey.cer -out signingKey.p7b

Import all certificates from a P7B file.
keytool -importcert -keystore luna.ks -storetype Luna -alias mySigningKey -file signingKey.p7b


- Signing a JAR file.


Sign the JAR file using the generated signing key and certificate.
jarsigner -keystore luna.ks -storetype Luna -signedjar SS.jar -tsa http://timestamp.globalsign.com/tsa/r6advanced1 SolarSystem.jar mySigningKey

Use this command instead if you want to load LunaProvider dynamically, that is, without registering it in the JDK's java.security file.
jarsigner -keystore luna.ks -storetype Luna -providername LunaProvider -providerclass com.safenetinc.luna.provider.LunaProvider -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar:/opt/java/jdk1.8.0_333/lib/tools.jar -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -signedjar SS.jar -tsa http://timestamp.globalsign.com/tsa/r6advanced1 SolarSystem.jar mySigningKey

Verify the signed JAR file.
jarsigner -verify SS.jar -keystore truststore -verbose