
keytool

My most recent project, the Multimodal Operational Test Harness (OTH), is a thick Java Swing client used to gather biometrics and package them up into a properly formatted XML document. The Maven 2 build generates an uber jar including all the dependencies that can be run from the command line, but we also have a requirement to run as a WebStart application. It’s not generally required to digitally sign the software, but we have the requirement locally.

So here’s how I went about signing the OTH.

1) Generate the key pair and self-signed certificate.
I could have used the command line for this step, but instead I decided to use the Maven Keytool plugin.
Here’s a clip of the pom.xml file I created:

<pluginManagement>
	<plugins>
		<plugin>
			<groupId>org.codehaus.mojo</groupId>
			<artifactId>keytool-maven-plugin</artifactId>
			<executions>
				<execution>
					<phase>generate-resources</phase>
					<id>clean</id>
					<goals>
						<goal>clean</goal>
					</goals>
				</execution>
				<execution>
					<phase>generate-resources</phase>
					<id>genkey</id>
					<goals>
						<goal>genkey</goal>
					</goals>
				</execution>
			</executions>
			<configuration>
				<keystore>keystore.jks</keystore>
				<dname>cn=commonName, ou=organizationUnit, o=organizationName, c=countryCode</dname>
				<keypass>password</keypass>
				<storepass>password</storepass>
				<alias>OTH</alias>
				<keyalg>RSA</keyalg>
				<keysize>2048</keysize>
				<validity>3650</validity>
			</configuration>
		</plugin>
	</plugins>
</pluginManagement>

I know it’s not the best idea to put the passwords in the pom.xml file, but the security of this keystore isn’t very important and I wanted to allow other developers to access the keystore without needing to discover the password.

Take special note of the validity option. If you don’t specify it, the default is only 90 days; 10 years is much better.

2) Instead of just relying on a self-signed certificate, I need to get my certificate signed by a Certificate Authority. To do that, I generate a certificate signing request (CSR) file.

keytool -certreq -alias oth -file oth.csr -keystore keystore.jks -v

3) I sent that through our security team to our Certificate Authority. They first sent me their root certificates. These have to be imported into our keystore before we can authenticate the certificate reply.

keytool -importcert -file "rootcert.crt" -alias rootcert -trustcacerts -keystore keystore.jks -v

4) Then I receive my certificate reply from the certificate authority. Now I can import that into my keystore and my certificate is authenticated.

keytool -importcert -file "cert.txt" -alias OTH -trustcacerts -keystore keystore.jks -v

5) You can verify the contents of your keystore by running the following command:

keytool -list -keystore keystore.jks -v

6) Here’s the bit of Maven WebStart plugin configuration that uses the keystore to sign the jars that go into the war.

<plugin>
	<groupId>org.codehaus.mojo.webstart</groupId>
	<artifactId>webstart-maven-plugin</artifactId>
	<version>1.0-beta-1</version>
	<executions>
		<execution>
			<phase>compile</phase>
			<goals>
				<goal>jnlp-download-servlet</goal>
			</goals>
		</execution>
	</executions>
	<configuration>
		<outputDirectory>src/webapp</outputDirectory>
		<excludeTransitive>true</excludeTransitive>
		<jnlpFiles>
			<jnlpFile>
				<templateFilename>jnlp_launch_template.vm</templateFilename>
				<outputFilename>oth.jnlp</outputFilename>
				<jarResources>
					<jarResource>
						<groupId>videology</groupId>
						<artifactId>videology-driver</artifactId>
						<version>1.0.0</version>
						<classifier>win32</classifier>
					</jarResource>
					...
				</jarResources>
			</jnlpFile>
		</jnlpFiles>
		<sign>
			<keystore>${project.basedir}/keystore.jks</keystore>
			<keypass>password</keypass>
			<storepass>password</storepass>
			<alias>OTH</alias>
			<verify>true</verify> <!-- verify that the signing operation succeeded -->
		</sign>
		<!-- BUILDING PROCESS -->
		<pack200>false</pack200>
		<gzip>false</gzip>
		<verbose>true</verbose>
		<outputJarVersions>true</outputJarVersions>
	</configuration>
</plugin>
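As an added check between step 5 and the signing in step 6 (example code written for this page, not part of the original post or of keytool or the Maven plugins): parse the `keytool -list -v` output and confirm that the OTH entry holds a private key, carries a CA-issued chain rather than the original self-signed certificate (chain length 1 is what you get if the reply in step 4 was imported under the wrong alias), and is not close to expiry. The listing text, the "Example Root CA" issuer and all dates are constructed.

```python
import re
from datetime import datetime

# Constructed excerpt of `keytool -list -keystore keystore.jks -v` output; not the real OTH keystore.
SAMPLE_LISTING = """\
Alias name: oth
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=commonName, OU=organizationUnit, O=organizationName, C=countryCode
Issuer: CN=Example Root CA, O=Example, C=US
Valid from: Wed Jan 05 10:00:00 EST 2011 until: Sat Jan 02 10:00:00 EST 2021
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Valid from: Mon Jan 04 10:00:00 EST 2010 until: Thu Jan 03 10:00:00 EST 2030
"""
UNTIL = re.compile(r"until: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")  # zone name skipped

def _field(block, key):  # first match wins: keytool prints the leaf certificate first
    m = re.search(rf"^{key}: (.+)$", block, re.M)
    return m.group(1).strip() if m else None

def parse_keytool_listing(text):
    """Map lower-cased alias -> entry type, chain length and the leaf certificate's fields."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        day, year = UNTIL.search(block).groups()
        entries[block.split("\n", 1)[0].strip().lower()] = {
            "entry_type": _field(block, "Entry type"),
            "chain_length": int(_field(block, "Certificate chain length") or 1),
            "owner": _field(block, "Owner"), "issuer": _field(block, "Issuer"),
            "not_after": datetime.strptime(f"{day} {year}", "%a %b %d %H:%M:%S %Y"),
        }
    return entries

def check_signing_entry(listing, alias, now, min_days=90):
    """Problems that make `alias` unfit for signing; an empty list means the CA reply took."""
    e = parse_keytool_listing(listing).get(alias.lower())
    if e is None:
        return [f"no entry for alias {alias}"]
    issues = []
    if e["entry_type"] != "PrivateKeyEntry":
        issues.append("entry holds no private key")
    if e["chain_length"] < 2 or e["owner"] == e["issuer"]:
        issues.append("certificate is still self-signed, CA reply not imported")
    days_left = (e["not_after"] - now).days
    if days_left < min_days:
        issues.append(f"certificate expires in {days_left} days")
    return issues
```

Feed it the real listing with something like `check_signing_entry(subprocess.check_output([...]).decode(), "OTH", datetime.now())` and fail the build on a non-empty result.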

Finally, here’s the URL of the documentation of the Java keytool tool.
http://download.oracle.com/javase/6/docs/technotes/tools/windows
