Signing crypto jars with Oracle JCE certs

Signing crypto jars with Oracle JCE certs

john.kewley
Hi

Does anyone know of an Oracle tsa for timestamping such jars that have been signed with our JCE certificate?

Also, has anyone asked Oracle for a SHA2 replacement for their existing SHA1 one - do you have to go through the whole rigmarole again,
or can they just re-issue?

I know these 2 questions would be better asked of Oracle, but I haven't yet found an appropriate Oracle channel to ask.

Cheers

JK


RE: Signing crypto jars with Oracle JCE certs

Eckenfels. Bernd
Hello,

I have asked "Oracle", Sean replied that a SHA-2 CA is generated and shipped:

http://mail.openjdk.java.net/pipermail/security-dev/2016-November/015177.html

I am however not sure how you would request a cert signed by it.

# It was released in JDK 8u111, 7u121, 6u131.
# More information is here
# (see "New JCE Code Signing Root CA": http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
#
# You can now request a new JCE code signing certificate that uses
# stronger algorithms. However, this certificate will only work on
# releases on or after the above releases. Thus, we recommend that if you
# do need to support older releases, you keep the signature on the
# existing JAR and re-sign it with the new certificate/key -- which means
# the resulting signed JAR will have 2 signatures.

Gruss
Bernd

-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: Friday, December 16, 2016 12:55 PM
To: [hidden email]
Subject: [dev-crypto] Signing crypto jars with Oracle JCE certs
SEEBURGER AG
Sitz der Gesellschaft/Registered Office: Edisonstr. 1, D-75015 Bretten
Tel.: 07252 / 96 - 0
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de
e-mail: [hidden email]
Vorstand/SEEBURGER Executive Board: Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board: Prof. Dr. Simone Zeuchner
Registergericht/Commercial Register: HRB 240708 Mannheim

RE: Signing crypto jars with Oracle JCE certs

john.kewley
OK thanks for that - good point about consideration for supporting earlier java versions.

Adding 2 signatures won't do any good for us since the main reason for wanting to upgrade was so that all the chain would be signed with SHA2 - we have to sign again with a general code signing cert (ours is from Comodo) and webstart seems to have issues if everything isn't signed with the same algorithm.

I'm still looking for information on using a TSA timestamp signature though; our Comodo one comes with access to one of theirs, so I assume Oracle have one too.

Cheers

JK

> -----Original Message-----
> From: Eckenfels. Bernd [mailto:[hidden email]]
> Sent: Friday, December 16, 2016 3:10 PM
> To: [hidden email]
> Cc: Kewley, John (STFC,DL,SC)
> Subject: RE: Signing crypto jars with Oracle JCE certs
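One check a defender would want after following Bernd's "keep the old signature and re-sign" advice, as an added example that is not part of this thread: a Python inspection of a JAR's META-INF signature files that lists each signer and the digest algorithm its .SF file uses, so a JAR where one signer is still SHA-1 (the mixed-algorithm situation John describes Web Start choking on) is caught before deployment. The sample JAR, the signer names OLDJCE/NEWJCE and the digest values are constructed for this example; the .RSA blocks are placeholder bytes, not real PKCS#7, and the signature algorithm inside those blocks is not parsed here.

```python
import io
import zipfile

# Constructed sample .SF contents mirroring what jarsigner writes:
# an older SHA-1 signer and a newer SHA-256 signer on the same JAR.
OLD_SF = (
    "Signature-Version: 1.0\r\n"
    "SHA1-Digest-Manifest: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=\r\n"
    "Created-By: 1.6.0 (Sun Microsystems Inc.)\r\n\r\n"
    "Name: org/example/Provider.class\r\n"
    "SHA1-Digest: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=\r\n\r\n"
)
NEW_SF = (
    "Signature-Version: 1.0\r\n"
    "SHA-256-Digest-Manifest: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\r\n"
    "Created-By: 1.8.0_111 (Oracle Corporation)\r\n\r\n"
    "Name: org/example/Provider.class\r\n"
    "SHA-256-Digest: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\r\n\r\n"
)

def build_sample_jar():
    """Build a constructed dual-signed JAR in memory (placeholder .RSA blocks)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        z.writestr("META-INF/OLDJCE.SF", OLD_SF)
        z.writestr("META-INF/OLDJCE.RSA", b"<placeholder, not real PKCS#7>")
        z.writestr("META-INF/NEWJCE.SF", NEW_SF)
        z.writestr("META-INF/NEWJCE.RSA", b"<placeholder, not real PKCS#7>")
        z.writestr("org/example/Provider.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def signers(jar_bytes):
    """Map each signer (one per META-INF/*.SF) to the digest algorithms it uses."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                algs = set()
                for line in z.read(name).decode("utf-8").splitlines():
                    key = line.split(":", 1)[0]
                    # e.g. "SHA1-Digest-Manifest" -> "SHA1", "SHA-256-Digest" -> "SHA-256"
                    if "-Digest" in key:
                        algs.add(key.split("-Digest")[0])
                result[name[len("META-INF/"):-3]] = sorted(algs)
    return result

def weak_signers(jar_bytes):
    """Signers whose .SF still relies on a pre-SHA-2 digest; empty means all-SHA-2."""
    return [s for s, algs in signers(jar_bytes).items()
            if any(a in ("SHA1", "SHA", "MD5") for a in algs)]
```

Run `signers(open("your.jar", "rb").read())` against a real JAR to see all signers side by side; a non-empty `weak_signers` result is the mixed-algorithm state the thread warns about.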

Re: Signing crypto jars with Oracle JCE certs

Uri Blumenthal
In reply to this post by Eckenfels. Bernd
Does anybody know where one can get/download the actual SHA-2 based CA certificate for JCE code signing? It isn't included in $JDKHOME/jre/lib/security/cacerts...

Thanks!

> On Dec 16, 2016, at 10:10 , Eckenfels. Bernd <[hidden email]> wrote:
--
Uri Blumenthal
[hidden email]


Re: Signing crypto jars with Oracle JCE certs

David Hook

It's embedded (and obfuscated) in the actual JVM. I've never actually seen
a copy of it either.

Regards,

David

On 27/12/16 13:13, Uri Blumenthal wrote:
