EV Code Signing In Java (Token-Based)
Feb 26, 2024
Prerequisites
This guide assumes that you have already:
- Picked up and installed your Certificate onto your security token
- Installed the Java JDK.
- Administrative rights may be needed depending on the permissions set to the Java JDK bin folder.
Signature Setup
- To enable the JDK to access the security token, you will first need to create a configuration file. Open any plain-text editor and create a file named eToken.cfg. The file contains two lines, plus a third (slot) line for some tokens:
name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll
slot=3
Note: The default token that GlobalSign provides is the eToken 5110. When the slot is left unspecified, the default slot number is 0. The SafeNet eToken 5110 is assigned slot 0 automatically, so the slot line is not needed in the .cfg file for that token. However, this may need to change depending on the number of eTokens or smart-card readers installed. The default slot number for the SafeNet iKey 4000 is slot 3, so the slot line is required when using a SafeNet iKey 4000.
- Save this file in the JDK bin folder; by default this is:
C:\Program Files (x86)\Java\jdk1.7.0_67\bin
- Open the command prompt: Start > Run > cmd
- Navigate to your Java JDK Bin Folder:
cd C:\Program Files (x86)\Java\jdk1.7.0_67\bin
- In order to use the token to sign you will need to find the alias of your private key. This will enable you to reference the proper Certificate when signing. Run the following command from the bin folder:
keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
Enter keystore password: "Your Token Password"
Error Note: If you receive the error "java.security.KeyStoreException: PKCS11 not found" at this point, there are two potential causes in the configuration:
- The slot number specified is not the correct slot. To find the proper slot, set the slot number to zero in your eToken.cfg file (slot=0), run the list command again, and increment the slot number by 1 on each repetition of the error. You should eventually receive the "Enter keystore password" prompt, which will accept your SafeNet token passphrase. *See: Signature Setup step 1.
- The SafeNet drivers are not installed correctly. Ensure the proper drivers are installed.
- The output is made up of the key alias, the key type, and the Certificate fingerprint. We will need the alias of the EV Code Signing Certificate to actually sign the file.
le-d0e453de-66db-414a-8fa8-0a07cfad66b5, PrivateKeyEntry, Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
- If there is more than one Certificate on your token, you may need to work out which Certificate to use. Open the SafeNet Authentication Client and press the gear icon at the top:
- Find your installed GlobalSign EV Code Signing Certificate and double-click it to open the Certificate details. Select the Details tab and scroll to the bottom, where the Thumbprint is listed:
- Match the Certificate thumbprint with the corresponding alias in your output. In this case it is the first entry:
le-d0e453de-66db-414a-8fa8-0a07cfad66b5, PrivateKeyEntry, Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
- Copy the alias (e.g. le-d0e453de-66db-414a-8fa8-0a07cfad66b5) for use in our next command.
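The slot-probing procedure from the Error Note and the thumbprint-to-alias matching above, done through the Java API instead of keytool. This is an added example, not GlobalSign's code or part of the original guide; it assumes Java 11 or later (the Provider.configure method), the driver path from the eToken.cfg above, slots 0 to 10 as the probe range, and the class and method names shown. The thumbprint normalisation matters because the SafeNet client shows the value without the colons that keytool prints.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.List;

// Added example (not GlobalSign's code): finds the token slot and the key alias
// the same way the keytool steps above do, but through the Java API (Java 11+).
public class TokenAliasFinder {

    // Driver path copied from the eToken.cfg in this guide.
    static final String LIBRARY = "c:\\WINDOWS\\system32\\eTPKCS11.dll";

    // Write a temporary equivalent of eToken.cfg for one slot number.
    static Path writeConfig(int slot) throws IOException {
        Path cfg = Files.createTempFile("eToken-slot" + slot + "-", ".cfg");
        Files.write(cfg, List.of("name=eToken", "library=" + LIBRARY, "slot=" + slot));
        return cfg;
    }

    // Same procedure as the Error Note: start at slot 0 and increment until the
    // provider initialises. The PIN is only sent once the slot is right, so a
    // wrong slot never counts as a failed login attempt. Returns null if none works.
    // (JDK 7/8 would use new sun.security.pkcs11.SunPKCS11(cfgPath) instead of configure.)
    static KeyStore openToken(char[] pin, int maxSlot) throws Exception {
        for (int slot = 0; slot <= maxSlot; slot++) {
            Path cfg = writeConfig(slot);
            Provider p;
            try {
                p = Security.getProvider("SunPKCS11").configure(cfg.toString());
            } catch (ProviderException e) {
                // No token in this slot (or the driver DLL could not be loaded);
                // keytool reports this as "KeyStoreException: PKCS11 not found".
                continue;
            } finally {
                Files.deleteIfExists(cfg);
            }
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin); // throws IOException if the token PIN is wrong
            System.out.println("token found in slot " + slot);
            return ks;
        }
        return null;
    }

    // keytool prints "00:11:AA:..."; the SafeNet client shows "0011aa..." or
    // "00 11 aa ...". Strip everything but hex digits so the two compare equal.
    static String normalizeHex(String s) {
        return s.replaceAll("[^0-9A-Fa-f]", "").toUpperCase();
    }

    static String sha1Fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Returns the alias of the private-key entry whose certificate has this
    // thumbprint, or null if the token holds no such key.
    static String findAlias(KeyStore ks, String thumbprint) throws Exception {
        String want = normalizeHex(thumbprint);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (ks.isKeyEntry(alias) && c != null && sha1Fingerprint(c).equals(want)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TokenAliasFinder <thumbprint from SafeNet client>");
            System.exit(2);
        }
        // Read the PIN from the console rather than the command line, so it does
        // not end up in shell history or process listings.
        char[] pin = System.console().readPassword("Enter keystore password: ");
        KeyStore ks = openToken(pin, 10);
        if (ks == null) {
            System.err.println("no PKCS#11 slot 0-10 answered: check the SafeNet drivers");
            System.exit(1);
        }
        String alias = findAlias(ks, args[0]);
        System.out.println(alias == null ? "no key with that thumbprint" : "alias: " + alias);
    }
}
```

Run it from a real console (System.console() is null inside most IDEs) with the thumbprint pasted from the SafeNet client as the only argument; it prints the slot that answered and the alias to paste into the jarsigner command.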
Signing a .Jar File
- Now that we have successfully accessed the token and found the Certificate's alias, we can sign the .jar file. Place the .jar file you are signing in the bin directory.
- In the command line, navigate to the Java JDK bin directory (e.g. C:\Program Files (x86)\Java\jdk1.7.0_67\bin).
The command used to sign is:
jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/tsa/r6advanced1 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5"
Note: Time stamping your code is extremely important and is highly recommended for every piece of code that you sign. The timestamp allows the file you sign to remain valid long after the Certificate itself has expired.
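The same signing operation as the jarsigner command above, written against the JarSigner API so the timestamp request and the certificate chain are visible in code. This is an added example, not GlobalSign's code or part of the original guide; it assumes Java 11 or later (module jdk.jartool and Provider.configure), the eToken.cfg and TSA URL from this guide, and the class and method names shown. It also warns when the token holds only the leaf certificate, which is the situation behind the "chain is not validated" warning in Common Errors, and checks after signing that every content entry carries a signer.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.zip.ZipFile;
import jdk.security.jarsigner.JarSigner;

// Added example (not GlobalSign's code): the jarsigner command above, done through
// the JarSigner API (Java 11+, module jdk.jartool) with the same token and TSA.
public class TokenJarSigner {

    static final String CONFIG = "eToken.cfg";   // config file from Signature Setup step 1
    static final URI TSA = URI.create("http://timestamp.globalsign.com/tsa/r6advanced1");

    // Load the provider from eToken.cfg and register it, so Signature lookups can
    // reach the key that lives on the token (the key never leaves the hardware).
    static KeyStore openToken(char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(CONFIG);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    // Sign in.jar to out.jar with the key under alias, adding an RFC 3161 timestamp
    // (the equivalent of -tsa) so the signature outlives the certificate.
    static void sign(KeyStore ks, String alias, Path in, Path out) throws Exception {
        // PKCS#11 keys are unlocked by the token login, not by a key password.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (key == null || chain == null) {
            throw new IllegalArgumentException("no private key under alias " + alias);
        }
        if (chain.length < 2) {
            // Same condition as the Common Errors warning: without the intermediate
            // CA on the token, verifiers cannot validate the signer's chain.
            System.err.println("warning: certificate chain holds only the leaf certificate");
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        JarSigner signer = new JarSigner.Builder(key, certPath)
                .digestAlgorithm("SHA-256")   // signature algorithm defaults to match the key type
                .tsa(TSA)
                .build();
        try (ZipFile zf = new ZipFile(in.toFile()); OutputStream os = Files.newOutputStream(out)) {
            signer.sign(zf, os);
        }
    }

    // Post-signing check: every content entry must carry a code signer. Reading the
    // entry to the end is what triggers signature verification in JarFile.
    static boolean allEntriesSigned(Path jar) throws Exception {
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            for (JarEntry je : Collections.list(jf.entries())) {
                if (je.isDirectory() || je.getName().startsWith("META-INF/")) continue;
                try (InputStream is = jf.getInputStream(je)) { is.readAllBytes(); }
                if (je.getCodeSigners() == null) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TokenJarSigner <alias> <in.jar> <out.jar>");
            System.exit(2);
        }
        char[] pin = System.console().readPassword("Enter keystore password: ");
        KeyStore ks = openToken(pin);
        sign(ks, args[0], Path.of(args[1]), Path.of(args[2]));
        System.out.println(allEntriesSigned(Path.of(args[2])) ? "signed OK" : "some entries are unsigned");
    }
}
```

Run it from the JDK bin folder where eToken.cfg lives, for example `java TokenJarSigner le-d0e453de-66db-414a-8fa8-0a07cfad66b5 test.jar test-signed.jar`. The TSA call needs outbound HTTP to the GlobalSign timestamp server; if it fails, JarSigner throws rather than silently producing an untimestamped signature.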
Common Errors
- Warning: The signer's Certificate chain is not validated.
- You will need to import the GlobalSign GCC R45 EV CodeSigning CA 2020 Intermediate Certificate onto your token to ensure the signature chains properly.