Looking for a good example/explanation
(JavaRanch » Java Forums » Java » Applets)

Pat Peg
Ranch Hand

Joined: Feb 04, 2005
Posts: 194
I am using Windows XP (probably not relevant) and I have an applet. I need to sign the jar file. I do not have a certificate yet. Frankly, I am confused. I did this:

C:\Program Files\Java\jre6\bin>keytool -genkey -alias myCert -keypass mypswd -keyalg RSA -sigalg MD5withRSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: ln
What is the name of your organizational unit?
[Unknown]: me
What is the name of your organization?
[Unknown]: me
What is the name of your City or Locality?
[Unknown]: RSC
What is the name of your State or Province?
[Unknown]: none
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=BAH, OU=USACE, O=USACE, L=RSC, ST=Federal, C=US correct?
[no]: y


C:\Program Files\Java\jre6\bin>jarsigner -keystore myCert -storepass mypswd -keypass mypswd myJar.jar
'jarsigner' is not recognized as an internal or external command

But correct me if I am wrong, please: all this did was create a key pair, right? I still need to create a certificate and use it to sign the jar? Not sure how to do this.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18675
Yes, that's right, you haven't signed the jar yet. Reading the error message, it appeared to me that your current working directory didn't contain a jarsigner.exe. And the same directory on my machine doesn't contain one either. You'll want your current working directory to be the bin directory in your JDK, not your JRE.
Pat Peg
Yes, I did do that here:

C:\Oracle\Middleware\jdk160_11\bin>jarsigner -keystore myCert -storepass pswd -keypass mypswd -signedjar myjar.jar s_myjar.jar
Usage: jarsigner [options] jar-file alias
       jarsigner -verify [options] jar-file

[-keystore <url>]           keystore location
[-storepass <password>]     password for keystore integrity
[-storetype <type>]         keystore type
[-keypass <password>]       password for private key (if different)
[-sigfile <file>]           name of .SF/.DSA file
[-signedjar <file>]         name of signed JAR file
[-digestalg <algorithm>]    name of digest algorithm
[-sigalg <algorithm>]       name of signature algorithm
[-verify]                   verify a signed JAR file
[-verbose]                  verbose output when signing/verifying
[-certs]                    display certificates when verbose and verifying
[-tsa <url>]                location of the Timestamping Authority
[-tsacert <alias>]          public key certificate for Timestamping Authority
[-altsigner <class>]        class name of an alternative signing mechanism
[-altsignerpath <pathlist>] location of an alternative signing mechanism
[-internalsf]               include the .SF file inside the signature block
[-sectionsonly]             don't compute hash of entire manifest
[-protected]                keystore has protected authentication path
[-providerName <name>]      provider name
[-providerClass <class>     name of cryptographic service provider's
  [-providerArg <arg>]] ... master class file and constructor argument

and got the error. I suppose the keystore is in the JRE directory? So I would need to include the path in the command? But is this also creating the certificate, or am I missing a step?

Thanks for the help.
Pat Peg
I tried:

jarsigner -keystore "C:\Program Files\Java\jre6\bin\myCert" -storepass englink -keypass englinkpswd -signedjar "C:\Program Files\Java\jre6\bin\ippbx620.jar" s_ippbx620.jar

with and without quotes. Without them it asked for a password and then tossed an error; with them it just tossed an error.
Paul Clapham
I would start over and run the "keystore" command in the JDK also.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42294
Usage: jarsigner [options] jar-file alias
jarsigner -verify [options] jar-file

This sounds as if either a) the jar file name needs to be followed by an alias, or b) the -verify switch needs to be used. Since the command you used does not have either, jarsigner won't run.

The "alias" is whatever you passed to the keytool command as value for the -alias parameter.

(I think Paul also meant keytool, not keystore.)
Pat Peg
Wow, oh wow... It would appear that anything I try fails on this, so let me see if I got this right:

C:\Oracle\Middleware\jdk160_11\bin>keytool -genkey -alias myCert -keypass myPswd-keyalg RSA -sigalg MD5withRSA
--my comments: The above created a keypair with RSA encryption?

Enter keystore password:
What is your first and last name?
[Unknown]: RCH
What is the name of your organizational unit?
[Unknown]: Sub1
What is the name of your organization?
[Unknown]: Org
What is the name of your City or Locality?
[Unknown]: NY
What is the name of your State or Province?
[Unknown]: S
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=BAH, OU=HQ, O=USACE, L=RSC, ST=Federal, C=US correct?
[no]: Y
--my comments: Then I created the certificate above?
--so now I see I have a keystore.jks in C:\Program Files\Java\jre\bin. Is this where the keypair is, or the certificate, or both?

C:\Oracle\Middleware\jdk160_11\bin>

--At this point I have tried running jarsigner numerous ways and I always get an error; "file not found" is a common one, but I am also not using alias correctly. I just want to sign a file called myJar.jar that I put into C:\Oracle\Middleware\jdk160_11\bin because I thought it would be easier.

I appreciate the help so far and it has gotten me further. I think I understand better, but could someone verify my questions and tell me what command they would use to sign the jar? I am not getting anywhere with this.

Thanks
Ulf Dittmer
The command should be something like:

jarsigner -keypass myPswd -keystore keystore.jks -signedJar ippbx620_signed.jar ippbx620.jar myCert

When I used this I also had -storepass PWD in there, with PWD being the same password as used during the invocation of keytool.

... and just to make sure: there was a space between "myPswd" and "-keyalg", right? That was just a copy/paste error in the post?
Pat Peg
I have tried using -keystore keystore.jks and -keystore C:\Program Files\Java\jre\bin\keystore.jks

In both cases I am prompted for the password and then told that the system can not find the file.

I did a search for keystore.jks and I see that the file was modified last back in April (and while it feels like I have been working on this that long, I haven't)

Does this mean that the certificate I am looking for is not there, i.e. I did something wrong earlier when I thought I created the keypair and certificate?
Ulf Dittmer
It's probably best to delete the keystores you've created, and create a fresh one from scratch with different usernames, passwords, aliases etc. I remember how easy it is to forget (or confuse) key password, store password, alias name etc.

You can also use the "keytool -list -keystore keystore.jks" command to examine what's in a keystore.
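The `keytool -list` suggestion above is worth a closer look, because the store password and the key password protect very different things. This is an added example in Python, not code from the original thread or from the JDK: it reads the JKS file format the way `keytool -list` does. In JKS (the default keystore type of the JDK 6 used in this thread; PKCS12 is different), aliases, creation dates and certificates are stored in the clear, only the private-key bytes are encrypted (with the key password), and the store password merely keys a SHA-1 integrity digest at the end of the file. The keystore here is constructed in memory with placeholder bytes in place of real DER certificates and encrypted keys, and non-ASCII aliases (Java's modified UTF-8) are not handled.

```python
"""Read a JKS keystore the way `keytool -list` does (added example, not JDK code).

JKS keeps aliases, timestamps and certificates in the clear; only the private
key bytes are encrypted (with the *key* password).  The *store* password only
keys a trailing SHA-1 integrity digest, so forgetting it does not hide what
the store contains.  Sample keystore is constructed with placeholder bytes.
"""
import hashlib
import struct
from datetime import datetime, timezone

MAGIC, VERSION = 0xFEEDFEED, 2
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed string the JDK mixes into the digest


def _read_utf(buf, pos):                # Java DataInput.readUTF: u2 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_block(buf, pos):              # u4 length + bytes
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def list_entries(data):
    """[(alias, entry_type, utc_datetime, chain_length)] -- needs no password at all."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos); pos += 4
        alias, pos = _read_utf(data, pos)
        (millis,) = struct.unpack_from(">Q", data, pos); pos += 8
        if tag == PRIVATE_KEY_ENTRY:
            _encrypted_key, pos = _read_block(data, pos)     # the only protected field
            (chain_len,) = struct.unpack_from(">I", data, pos); pos += 4
        elif tag == TRUSTED_CERT_ENTRY:
            chain_len = 1
        else:
            raise ValueError("unknown entry tag %d" % tag)
        for _ in range(chain_len):
            _cert_type, pos = _read_utf(data, pos)           # "X.509"
            _der, pos = _read_block(data, pos)               # certificate, in the clear
        kind = "PrivateKeyEntry" if tag == PRIVATE_KEY_ENTRY else "trustedCertEntry"
        when = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
        entries.append((alias, kind, when, chain_len))
    return entries


def verify_integrity(data, store_password):
    """True iff trailing SHA-1 == SHA1(UTF-16BE(password) || salt || all preceding bytes)."""
    body, digest = data[:-20], data[-20:]
    expected = hashlib.sha1(store_password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()
    return expected == digest


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _block(b):
    return struct.pack(">I", len(b)) + b


def build_sample_keystore(store_password):
    """Constructed keystore: one PrivateKeyEntry and one trustedCertEntry (placeholder bytes)."""
    def millis(y, m, d):
        return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)
    body = struct.pack(">III", MAGIC, VERSION, 2)
    body += struct.pack(">I", PRIVATE_KEY_ENTRY) + _utf("myCert") + struct.pack(">Q", millis(2010, 7, 6))
    body += _block(b"<encrypted-private-key>") + struct.pack(">I", 1)
    body += _utf("X.509") + _block(b"<der-certificate-1>")
    body += struct.pack(">I", TRUSTED_CERT_ENTRY) + _utf("keyalias") + struct.pack(">Q", millis(2010, 7, 12))
    body += _utf("X.509") + _block(b"<der-certificate-2>")
    return body + hashlib.sha1(store_password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


if __name__ == "__main__":
    ks = build_sample_keystore("changeit")
    for alias, kind, when, n in list_entries(ks):          # no password needed
        print("%s, %s, %s, chain length %d" % (alias, when.date(), kind, n))
    print("integrity with right password:", verify_integrity(ks, "changeit"))   # True
    print("integrity with wrong password:", verify_integrity(ks, "guess"))      # False
```

The practical consequence for the problem above: `keytool -list -keystore keystore.jks` prompts for the store password only to check that digest; pressing Enter without a password still lists the aliases and certificates, with a warning that integrity was not verified. What a forgotten password does block is `-delete`, `-genkey` into the same file (both rewrite the store) and, for a separate key password, any use of the private key, which is why starting a fresh keystore is the sensible way out.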
Pat Peg
OK. The list worked well in that it revealed to me that I don't know the password for the keystore... I tried -delete, but again, I need the password. Can I just go into the bin directory and toss keystore.jks into the trash can, or do I actually need to do a delete?
Ulf Dittmer
If you're certain that the keystore does not contain anything the JRE actually needs (in other words, all it contains is whatever you did in your experiments), then, sure, delete it. (And in the future, don't create anything in the JRE directory, lest it interfere with the JRE itself.)
Pat Peg
Thanks, guys. Below is what I got after tossing the existing keystores into the trash. Now it looks to me that the jar file is signed by the certificate I created, but that last warning tells me that the file was already signed. When I redeployed the jar, the initial error still persists, the error being the yellow caution sign. Is this because of the old certificate, and if so, how do I get rid of it?

C:\Oracle\Middleware\jdk160_11\bin>keytool -list
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myCert, Jul 6, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 48:256:0A:4E:AD:1C:1E:9D:2E:9E:AC:36:84:C5:55
keyalias, Jul 12, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): A4:B4:C2:16:CE:75:99:E0:30:9F:5D:A14:FB:43:1A

C:\Oracle\Middleware\jdk160_11\bin>jarsigner C:\jars\myJar.jar keyAlias
Enter Passphrase for keystore:
Enter key password for keyAlias:

Warning:
The signer certificate will expire within six months.

C:\Oracle\Middleware\jdk160_11\bin>jarsigner -verify -verbose -certs C:\jars\myJar.jar

633 Wed Mar 21 15:43:46 CST 2001 META-INF/manifest.mf
460 Mon Jul 12 11:51:58 CDT 2010 META-INF/KEYALIAS.SF
877 Mon Jul 12 11:51:58 CDT 2010 META-INF/KEYALIAS.RSA
741 Wed Mar 21 15:43:46 CST 2001 META-INF/zigbert.sf
2479 Wed Mar 21 15:43:46 CST 2001 META-INF/zigbert.rsa
smk 4224 Wed Mar 21 15:43:46 CST 2001 ippbxmbx.class

X.509, CN=BAH, OU=USACE, O=RSC, L=HQ, ST=Federal, C=US (keyalias)
[certificate will expire on 10/10/10 11:32 AM]

X.509, C=GB, ST=Herefordshire, L=Symond's Yat, OU=-, CN=Image Intelligence
Ltd., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/rep
ository/RPA Incorp. by Ref.,LIAB.LTD(c)99", OU=VeriSign Trust Network, O="VeriSi
gn, Inc."
[certificate expired on 11/21/01 5:59 PM]
X.509, CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU=
"www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Tru
st Network, O="VeriSign, Inc."
[certificate expired on 1/6/04 5:59 PM]
[KeyUsage, NetscapeCertType extension does not support code signing]

smk 721 Wed Mar 21 15:43:46 CST 2001 ippbxbin.class

X.509, CN=BAH, OU=USACE, O=RSC, L=HQ, ST=Federal, C=US (keyalias)
[certificate will expire on 10/10/10 11:32 AM]

X.509, C=GB, ST=Herefordshire, L=Symond's Yat, OU=-, CN=Image Intelligence
Ltd., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/rep
ository/RPA Incorp. by Ref.,LIAB.LTD(c)99", OU=VeriSign Trust Network, O="VeriSi
gn, Inc."
[certificate expired on 11/21/01 5:59 PM]
X.509, CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU=
"www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Tru
st Network, O="VeriSign, Inc."
[certificate expired on 1/6/04 5:59 PM]
[KeyUsage, NetscapeCertType extension does not support code signing]

smk 4327 Wed Mar 21 15:43:46 CST 2001 ippbxbox.class

X.509, CN=BAH, OU=USACE, O=RSC, L=HQ, ST=Federal, C=US (keyalias)
[certificate will expire on 10/10/10 11:32 AM]

X.509, C=GB, ST=Herefordshire, L=Symond's Yat, OU=-, CN=Image Intelligence
Ltd., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/rep
ository/RPA Incorp. by Ref.,LIAB.LTD(c)99", OU=VeriSign Trust Network, O="VeriSi
gn, Inc."
[certificate expired on 11/21/01 5:59 PM]
X.509, CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU=
"www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Tru
st Network, O="VeriSign, Inc."
[certificate expired on 1/6/04 5:59 PM]
[KeyUsage, NetscapeCertType extension does not support code signing]

smk 26565 Wed Mar 21 15:43:46 CST 2001 myJar.class

X.509, CN=BAH, OU=USACE, O=RSC, L=HQ, ST=Federal, C=US (keyalias)
[certificate will expire on 10/10/10 11:32 AM]

X.509, C=GB, ST=Herefordshire, L=Symond's Yat, OU=-, CN=Image Intelligence
Ltd., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/rep
ository/RPA Incorp. by Ref.,LIAB.LTD(c)99", OU=VeriSign Trust Network, O="VeriSi
gn, Inc."
[certificate expired on 11/21/01 5:59 PM]
X.509, CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU=
"www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Tru
st Network, O="VeriSign, Inc."
[certificate expired on 1/6/04 5:59 PM]
[KeyUsage, NetscapeCertType extension does not support code signing]


s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose signer certificate will expire within six months.

C:\Oracle\Middleware\jdk160_11\bin>
Pat Peg
So it appears to me that the fact that the jar file was previously signed by an old algorithm is still causing problems. This is the error message after I deployed the jar.

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm check failed: MD2withRSA is disabled
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)

but I had signed it last using -sigalg MD5withRSA.
Ulf Dittmer
I'd delete all jar files, and start over from scratch. I'd also delete the keystore, since it contains two keys (myCert and keyalias) - probably not what you want?

Lastly, I'd use jarsigner's "-signedJar" option to create a new signed jar, and thus leave the original jar untouched.
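The advice to start from a clean jar follows from what the `-verify -verbose -certs` output earlier in the thread shows: jarsigner adds a signer, it does not replace one, so the 2001 `zigbert.sf`/`zigbert.rsa` pair (VeriSign chain, expired, and the only chain in the output old enough to involve MD2withRSA) sits next to the new `KEYALIAS.SF`/`KEYALIAS.RSA`, and the plugin evaluates both. The following is an added example in Python, not code from the thread or from the JDK tools, showing what has to come out of a jar before re-signing: it lists the signers present in META-INF/, checks the per-entry manifest digests (the "m" flag in jarsigner's legend), and writes a copy with every `.SF`/`.RSA`/`.DSA`/`.EC` file and all digest attributes removed, ready for a fresh `jarsigner -signedjar` run. The jar is constructed in memory with placeholder class and signature-block bytes, the manifest parser does not handle the 72-byte continuation lines real manifests can contain, and the entry names are taken from the thread's listing.

```python
"""List and strip existing JAR signatures before re-signing (added example, not JDK code).

jarsigner adds a signer and leaves any earlier META-INF/<NAME>.SF + .RSA/.DSA/.EC
pair in place, so an old and a new signature coexist in the same jar.  The jar
below is constructed with placeholder bytes; 72-byte manifest continuation lines
are not handled.
"""
import base64
import hashlib
import io
import re
import zipfile

SIG_FILE_RE = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)
DIGEST_ATTR_RE = re.compile(r"^([A-Za-z0-9-]+)-Digest:\s*(\S+)$")


def list_signers(jar_bytes):
    """Signer names present in META-INF/, e.g. ['KEYALIAS', 'ZIGBERT']."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted({SIG_FILE_RE.match(n).group(1).upper()
                       for n in zf.namelist() if SIG_FILE_RE.match(n)})


def _manifest_sections(text):
    """Split MANIFEST.MF into [main_lines, entry_lines, ...]; sections end at a blank line."""
    text = text.replace("\r\n", "\n").strip("\n")
    return [s.split("\n") for s in re.split(r"\n\n+", text)]


def check_manifest_digests(jar_bytes):
    """{entry: True/False}: does each manifest digest match the entry's current bytes?"""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        sections = _manifest_sections(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for lines in sections[1:]:
            name = next(l[6:] for l in lines if l.startswith("Name: "))
            for l in lines:
                m = DIGEST_ATTR_RE.match(l)
                if m:
                    algo = m.group(1).replace("-", "").lower()      # "SHA-256" -> "sha256"
                    actual = hashlib.new(algo, zf.read(name)).digest()
                    results[name] = base64.b64decode(m.group(2)) == actual
    return results


def strip_signatures(jar_bytes):
    """Copy of the jar with all signers removed and digest attributes dropped from the manifest."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_FILE_RE.match(info.filename):
                continue                          # drop every .SF/.RSA/.DSA/.EC, old and new
            data = src.read(info.filename)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                sections = _manifest_sections(data.decode("utf-8"))
                kept = [sections[0]]
                for lines in sections[1:]:
                    rest = [l for l in lines if not DIGEST_ATTR_RE.match(l)]
                    if len(rest) > 1:             # keep entry sections that carry other attributes
                        kept.append(rest)
                data = ("\n\n".join("\n".join(s) for s in kept) + "\n\n").encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_jar():
    """Constructed jar: two classes, one entry modified after signing, two signers (placeholders)."""
    classes = {"ippbxbin.class": b"\xca\xfe\xba\xbe bin", "myJar.class": b"\xca\xfe\xba\xbe main"}
    manifest = "Manifest-Version: 1.0\nCreated-By: constructed sample\n\n"
    for name, data in classes.items():
        manifest += "Name: %s\nSHA-256-Digest: %s\n\n" % (
            name, base64.b64encode(hashlib.sha256(data).digest()).decode())
    # digest of the bytes that were signed; the entry itself is replaced below
    manifest += "Name: tampered.class\nSHA-256-Digest: %s\n\n" % (
        base64.b64encode(hashlib.sha256(b"original").digest()).decode())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for sig in ("ZIGBERT", "KEYALIAS"):      # stale 2001 signer next to the new one
            zf.writestr("META-INF/%s.SF" % sig, "Signature-Version: 1.0\n\n")
            zf.writestr("META-INF/%s.RSA" % sig, b"<pkcs7-signature-block>")
        for name, data in classes.items():
            zf.writestr(name, data)
        zf.writestr("tampered.class", b"modified")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("signers:", list_signers(jar))                        # ['KEYALIAS', 'ZIGBERT']
    print("manifest digests:", check_manifest_digests(jar))
    print("signers after strip:", list_signers(strip_signatures(jar)))   # []
```

On a machine with the JDK this is the same cleanup as `zip -d myJar.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'` followed by a fresh `jarsigner -signedjar`, or, as Pat eventually did, rebuilding the jar from the class files with `jar cf`. Either way, run `jarsigner -verify -verbose -certs` on the result and confirm that exactly one signer, the one you intend, appears.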
Pat Peg
Thanks, will do, and I'll let everyone know. I am not sure about deleting the jar file. I didn't create it. The original developer we bought the application from is the one who told me to re-sign in order to eliminate an error that is popping up after going to a new version of Java.
Pat Peg
Got it signed. I followed the advice and also created a new jar from the class files of the old jar. Still getting the same warning after deploying, but I will post a second topic.

Thanks All!!!