signing jar to set up a debug environment?

6 messages

signing jar to set up a debug environment?

Lou Wynn

Hi,

I'm new to JCA and BC, and I'm trying to trace some example programs, but failed to make my jar-signing work.

I used the keytool command to generate a pair of keys and used it to sign jars compiled from BC source. I also imported the certificate into my $JDK8/jre/lib/security/cacerts truststore. I searched the truststore for the fingerprint of my certificate and it's there. However, when I run a program with jars signed by my own key, I get the following exceptions:

Exception in thread "main" org.bouncycastle.openpgp.PGPException: Exception decrypting key
        at org.bouncycastle.openpgp.PGPSecretKey.extractKeyData(PGPSecretKey.java:465)
        at org.bouncycastle.openpgp.PGPSecretKey.extractPrivateKey(PGPSecretKey.java:496)
        at DirectKeySignature.signPublicKey(DirectKeySignature.java:106)
        at DirectKeySignature.main(DirectKeySignature.java:83)
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
        at javax.crypto.Cipher.getInstance(Cipher.java:657)
        at javax.crypto.Cipher.getInstance(Cipher.java:596)
        at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createCipher(NamedJcaJceHelper.java:38)
        at org.bouncycastle.openpgp.operator.jcajce.OperatorHelper.createCipher(OperatorHelper.java:132)
        at org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder$1.recoverKeyData(JcePBESecretKeyDecryptorBuilder.java:76)
        at org.bouncycastle.openpgp.PGPSecretKey.extractKeyData(PGPSecretKey.java:391)
        ... 3 more
Caused by: java.util.jar.JarException: file:/home/lu/repos/projects/eclipse/SGEmail3/lib/bc-prov-1.52.jar is not signed by a trusted signer.
        at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:505)
        at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:325)
        at javax.crypto.JarVerifier.verify(JarVerifier.java:253)
        at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:159)
        at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:185)
        at javax.crypto.Cipher.getInstance(Cipher.java:653)
        ... 8 more

Looks like it's not enough to place my certificate in the cacerts truststore, or I missed something important. What else should I do?

Any help would be much appreciated.

Lou



Re: signing jar to set up a debug environment?

Uri Blumenthal
Tough luck - you cannot sign the bc-prov jar with your own certs, because the JVM expects a special certificate issued by Oracle. Or rather, you can, but the JVM doesn't accept that signature.

You may try to request such a JCE signing certificate from Oracle, but the likelihood they'd just issue you one is not great.

Sent from my iPad

On Dec 14, 2016, at 19:19, Lou Wynn <[hidden email]> wrote:


Re: signing jar to set up a debug environment?

Lou Wynn

So, what's the best solution to this so that I can set up a debug environment?

Is requesting a JCE signing certificate from Oracle the only way, although it isn't great?


On 12/14/2016 06:15 PM, Uri Blumenthal wrote:

RE: signing jar to set up a debug environment?

Dudde, Stefan

Hi Lou,

You can get a JCE signing certificate from Oracle here: http://www.oracle.com/technetwork/java/javase/tech/getcodesigningcertificate-361306.html

We requested a certificate for our company. It took a while to get the request processed. But now we are able to sign our own build of Bouncy Castle.

I don't know if it is possible for private persons to request a certificate.

Best regards, Stefan

From: Lou Wynn [mailto:[hidden email]]
Sent: Thursday, 15 December 2016 00:19
To: [hidden email]
Subject: [dev-crypto] signing jar to set up a debug environment?


Re: signing jar to set up a debug environment?

Uri Blumenthal
And to answer your question - yes, obtaining a JCE certificate from Oracle is the only way.

An alternative is to use bc-prov from the BC site, and rebuild the rest of the jars (only prov requires that special signing).

Another alternative would be to rebuild the JVM from the source, replacing the hardcoded JCE root with your own CA. The Oracle path is simpler.


On Dec 15, 2016, at 06:09, Dudde, Stefan <[hidden email]> wrote:


Re: signing jar to set up a debug environment?

David Hook

If it's any help the JVMs from the OpenJDK project do not require a JCE signing certificate.

Regards,

David

On 16/12/16 00:46, Uri Blumenthal wrote:
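Added example (not from this thread and not Bouncy Castle project code): a small diagnostic that separates the two checks Lou's trace runs into. JarFile's own verification only confirms that the jar's signature is intact and tells you which certificate made it; it consults no truststore. The JCE framework's check in JceSecurity.verifyProviderJar then compares that signer against roots compiled into the framework, which is why importing the certificate into cacerts changed nothing. The program also prints java.vendor and java.version so you can see whether you are on an Oracle build or an OpenJDK build, which David notes does not perform the JCE signer check. The class name JceProviderCheck is my choice; org.bouncycastle.jce.provider.BouncyCastleProvider is the real provider class and is loaded reflectively so the file compiles without BC on the class path.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarException;
import java.util.jar.JarFile;
import javax.crypto.Cipher;

/**
 * JceProviderCheck (hypothetical name): answers two separate questions about a provider jar.
 *   1. Is the jar signed, and by which certificate?   (JarFile verification: integrity only)
 *   2. Does the JCE framework trust that signer?       (JceSecurity: its own built-in roots)
 *
 * Usage (the provider jar must also be on the class path so the provider class can load):
 *   java -cp .:lib/bc-prov-1.52.jar JceProviderCheck lib/bc-prov-1.52.jar
 */
public class JceProviderCheck {

    /** Prints the signer certificate chain of the first class entry, or reports the jar as unsigned. */
    static void printSigners(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {   // second argument: verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue;
                }
                // getCodeSigners() is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // drain the entry so the verifier can finish
                    }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED: " + e.getName());
                    return;
                }
                for (CodeSigner s : signers) {
                    for (Certificate c : s.getSignerCertPath().getCertificates()) {
                        X509Certificate x = (X509Certificate) c;
                        System.out.println("signer:  " + x.getSubjectX500Principal());
                        System.out.println("  issuer: " + x.getIssuerX500Principal());
                    }
                }
                return; // one entry is enough to learn who signed the jar
            }
            System.out.println("no class entries found in " + jarPath);
        }
    }

    /** Forces the JCE trusted-signer check by requesting a Cipher from provider "BC". */
    static boolean providerAccepted() {
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + "  java.version=" + System.getProperty("java.version"));
        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            try {
                // Loaded reflectively so this file compiles without BC on the class path.
                Class<?> cls = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
                bc = (Provider) cls.getDeclaredConstructor().newInstance();
                Security.addProvider(bc);
            } catch (ReflectiveOperationException ex) {
                System.out.println("BC provider class not found on the class path: " + ex);
                return false;
            }
        }
        try {
            // Cipher.getInstance is the call that triggers JceSecurity.verifyProviderJar in the trace.
            Cipher.getInstance("AES/CBC/PKCS5Padding", "BC");
            System.out.println("ACCEPTED: JCE authenticated provider " + bc.getInfo());
            return true;
        } catch (Exception ex) {
            // Walk the cause chain; the JarException names the rejected jar and the reason.
            for (Throwable t = ex; t != null; t = t.getCause()) {
                if (t instanceof JarException) {
                    System.out.println("REJECTED: " + t.getMessage());
                }
            }
            System.out.println("top-level: " + ex);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JceProviderCheck <provider-jar>");
            System.exit(2);
        }
        printSigners(args[0]);
        providerAccepted();
    }
}
```

On a self-signed build of bc-prov run under an Oracle JDK 8 the first part prints your own certificate as signer and issuer (the signature itself is valid), and the second part prints the same "is not signed by a trusted signer" JarException as in Lou's trace. The same jar under an OpenJDK build reports ACCEPTED, which is the quickest way to confirm David's suggestion before requesting a certificate from Oracle.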