Securing Your Java ARchive (JAR) Files

  • October 7, 2009
  • By Sridhar M S

Signing the JAR File

This section uses the MyApplication.jar file from the code download for signing purposes. The arguments of the jarsigner command are self-explanatory; the cases below show what happens when you supply incorrect values for them.

Case 1
Proper use of the command with the correct values will result in the following output:

jarsigner -keystore mykeystore -storepass password -keypass password MyApplication.jar myalias
 
Warning: The signer certificate will expire within six months.

Case 2
Here is the command usage and output when the value for the alias is incorrect:

jarsigner -keystore mykeystore -storepass password -keypass passwor MyApplication.jar newalias
 
jarsigner: Certificate chain not found for: newalias. newalias must reference a valid KeyStore 
key entry containing a private key and corresponding public key certificate chain.

Notice that the value newalias is incorrect; the correct alias in this case is myalias (the value chosen during the key-generation process).

Case 3
Here is the command usage and output when the value for the password is incorrect:

jarsigner -keystore mykeystore -storepass password -keypass passwor MyApplication.jar myalias
jarsigner: key associated with myalias not a private key

Here, the password is misspelled as "passwor", so the tool refuses to sign the JAR file. The error message is only an indication that the credentials do not match.

Verifying the Signed JAR File

You can use the -verify option of the jarsigner command to verify the integrity of the JAR file.

Case 1
Here is the command to verify the integrity of MyApplication.jar:

jarsigner -verify MyApplication.jar
jar verified.
 
Warning: This jar contains entries whose signer certificate will expire within six months. 
Re-run with the -verbose and -certs options for more details.

In this example, the result indicates that the JAR is verified, with an additional warning that the signer certificate expires shortly. The user should take appropriate action, perhaps purchasing a certificate from an authorized vendor.

Signed JAR Verification Tip
Try using the -validity option of the keytool command and explore its uses.

Case 2
Here is the command for verifying the integrity of MyApplication.jar using the -verbose option:

jarsigner -verbose -verify MyApplication.jar
 
         357 Thu Oct 01 08:00:48 PDT 2009 META-INF/MANIFEST.MF
         435 Thu Oct 01 08:00:48 PDT 2009 META-INF/MYALIAS.SF
        1095 Thu Oct 01 08:00:48 PDT 2009 META-INF/MYALIAS.DSA
           0 Wed Sep 16 15:56:40 PDT 2009 META-INF/
           0 Wed Sep 16 15:55:22 PDT 2009 com/
           0 Wed Sep 16 15:55:22 PDT 2009 com/mycomp/
           0 Wed Sep 16 15:55:22 PDT 2009 com/mycomp/demo/
sm       165 Tue Sep 15 17:39:38 PDT 2009 com/mycomp/demo/MyApplication.java
sm       465 Tue Sep 15 17:40:00 PDT 2009 com/mycomp/demo/MyApplication.class
           0 Wed Sep 16 15:55:22 PDT 2009 demo/
           0 Wed Sep 16 15:55:22 PDT 2009 images/
           0 Wed Sep 16 15:55:22 PDT 2009 lib/
sm        43 Wed Sep 16 15:56:38 PDT 2009 main-class-file
 
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
 
jar verified.
 
Warning: This jar contains entries whose signer certificate will expire within six months. 
Re-run with the -verbose and -certs options for more details.

The verbose listing is comprehensive: the flags in the first column show, for each entry, whether its signature was verified (s) and whether it is listed in the manifest (m). Use as much of it as you need.

Case 3
Here is the command for verifying an unsigned JAR file:

jarsigner -verify MyApplication.unsigned.jar
jar is unsigned. (signatures missing or not parsable)
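A "jar verified." result says that the signatures jarsigner found check out; it does not by itself say that every entry is signed, or by which certificate. The Java runtime's own verifier in java.util.jar can make that stricter check. The following is an added example, not part of the article or its code download: it opens the JAR with verification enabled, reads every entry to the end (the digests are only checked as the bytes stream through), rejects tampered or unsigned entries, and requires the signer certificate to be the one stored under myalias in mykeystore. The keystore password "password" and the JAR name are assumed from the commands above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {
    /** Returns null when every content entry verifies and is signed by the expected certificate,
     *  otherwise a message naming the first entry that fails. */
    public static String checkAllEntriesSignedBy(String jarPath, Certificate expected) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {          // true: verify signatures while reading
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (entry.isDirectory() || isSignatureFile(name)) continue;
                // Read to the end before getCodeSigners(); a modified entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                } catch (SecurityException e) {
                    return "tampered entry: " + name;
                }
                CodeSigner[] signers = entry.getCodeSigners();   // null: no 's' flag in jarsigner -verbose
                if (signers == null) return "unsigned entry: " + name;
                boolean match = false;
                for (CodeSigner s : signers) {
                    match |= s.getSignerCertPath().getCertificates().get(0).equals(expected);
                }
                if (!match) return "signed by an unexpected certificate: " + name;
            }
        }
        return null;
    }

    /** The manifest and the .SF/.DSA/.RSA/.EC block files describe signatures and carry no signers. */
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC")));
    }

    public static void main(String[] args) throws Exception {
        // Keystore, alias and password as in the article's jarsigner command (the password is assumed).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("mykeystore")) { ks.load(in, "password".toCharArray()); }
        String problem = checkAllEntriesSignedBy("MyApplication.jar", ks.getCertificate("myalias"));
        System.out.println(problem == null ? "all entries signed by myalias" : "FAILED: " + problem);
    }
}
```

Run against MyApplication.unsigned.jar from Case 3 it reports the first unsigned entry rather than a bare "unsigned" verdict, and against a JAR whose class file was edited after signing it reports the tampered entry.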

The cases covered here are some of the most widely used test cases. Nevertheless, you will likely think of many others; use them to explore the other security capabilities of JAR signing.

Code Download

  • JAR Signing_src

For Further Reading

  • "jar - The Java Archive Tool" (from java.sun.com)
  • "keytool - Key and Certificate Management Tool" (from java.sun.com)

About the Author

Sridhar M S is a Java developer from Bangalore, India. He holds a master's degree in Computer Science.
