Java jar signer Jason
Java Security Manager
Why is there a Security Manager mechanism?
• After the browser has downloaded a class (jar), starting Java to run that downloaded code is a dangerous thing to do.
Java Security Manager
A Java applet runs in one of two modes:
• with the Security Manager enabled
• without the Security Manager enabled
Java Security Manager
Jar Signing
• If the jar file has been signed, the Security Manager asks whether that jar file should be run.
• If the jar file has not been signed, the Security Manager warns about it.
Purpose: a signed jar file shows that it was produced by an identifiable, named person and that it has not been tampered with by anyone since it was built.
Jar signing
How to sign a Jar (Applet) file?
• OpenSSL: an open-source SSL toolkit
• Keytool: installed with the JRE
• Jarsigner: installed with the JDK
Java keytool
Keytool manages keys and certificates, which it stores in a file called a keystore.
• keystore
• key entries
• trusted certificate entries
Java keytool
Keytool Command
• -keystore  keystore file. Default: the file named .keystore in the user's home directory
• -alias  alias of the entry to work on. Default: "mykey"
• -genkey  generate a key pair and add it to the keystore (creating the keystore if needed)
• -keyalg  key algorithm name. Default: "DSA"
• -keysize  key size in bits. Default: 1024
• -certreq  generate a Certificate Signing Request (CSR)
• -import  import a certificate or a certificate chain
• -list  list the entries in a keystore
• -v  verbose output
Jar signing - Step1
Creating a Sample CA Certificate
• openssl req -config c:\openssl\bin\openssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365
Using properties from c:\openssl\bin\openssl.cnf
Loading 'screen' into random state: done
Generating a 1024 bit RSA private key
.................++++++
.....................++++++
writing new private key to 'ca-key.pem.txt'
Enter PEM pass phrase:
Verifying password: Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Monrovia
Organization Name (eg, company) []:Sun
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your websites domain name) []:development.sun.com
Email Address []:development@sun.com
Jar signing - Step2
Create java keystore
• keytool -keystore clientkeystore -genkey -alias client
Enter keystore password:
What is your first and last name?
[Unknown]: Jason
What is the name of your organizational unit?
[Unknown]: Jason
What is the name of your organization?
[Unknown]: Jason
What is the name of your City or Locality?
[Unknown]: Jason
What is the name of your State or Province?
[Unknown]: Jason
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
[no]: yes
Enter key password for <client>
(RETURN if same as keystore password):
Jar signing
Keystore verbose output
• keytool -list -v -keystore clientkeystore
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Serial number: 3277605
Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
Jar signing - Step3
Generate the Certificate Signing Request
• keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
Jar signing - Step4
Generate a signed certificate for the associated Certificate Signing Request.
• openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial
Jar signing - Step5
Use the keytool to import the CA certificate into the client keystore
• keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
Jar signing
Keystore verbose output
Alias name: thecaroot
Creation date: 2014/3/7
Entry type: trustedCertEntry
Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
Jar signing - Step6
Use the keytool to import the signed certificate for the associated client alias in the keystore.
• keytool -import -keystore clientkeystore -file client.cer -alias client
Jar signing
Keystore verbose output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: client
Creation date: 2014/3/7
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US
Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: 86848dcdcc6a2971
Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015
Certificate[2]:
Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US
Serial number: cd1836b5bb6f8295
Jar signing - Step7
Generates signatures for Java ARchive (JAR) files
• jarsigner -keystore clientkeystore SignedApplet.jar client
Jar signing
Verifying a Signed JAR File
• jarsigner -verify -verbose SignedApplet.jar
s 169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF
320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF
1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA
0 Mon Feb 21 19:29:40 CST 2011 META-INF/
sm 2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
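As an added example (not part of the slides), the following Java program does programmatically what "jarsigner -verify" reports above, and additionally requires each signer's certificate chain to validate against a trusted certificate entry in the keystore, so a JAR signed by an unknown key fails instead of merely showing "sm" without "k". The file names SignedApplet.jar and clientkeystore are taken from the slides; the class VerifySignedJar and its verify method are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {

    /**
     * Verifies every non-META-INF entry of the JAR and requires each signer's
     * certificate chain to validate (PKIX) to a trustedCertEntry in the given
     * keystore. Returns the number of verified entries, or throws.
     */
    public static int verify(String jarPath, String trustStorePath) throws Exception {
        // A JKS file can be read with a null password (integrity check skipped);
        // only its trusted certificate entries become PKIX trust anchors, so the
        // "client" private-key entry in the same file is ignored here.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, null);
        }
        PKIXParameters pkix = new PKIXParameters(trust);
        pkix.setRevocationEnabled(false); // assumption: the sample CA publishes no CRL/OCSP
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        int verified = 0;
        // verify=true makes JarFile check each entry's digest against the manifest,
        // and the manifest against the .SF/.DSA signature block, as entries are read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            if (jar.getManifest() == null) {
                throw new SecurityException("no manifest: JAR cannot be signed");
            }
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed
                }
                // The digest check happens while the stream is read to EOF;
                // a tampered entry raises SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume */ }
                }
                // getCodeSigners() is only meaningful after the entry was read completely.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    // Fail closed: a partly signed JAR must not be reported as verified.
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }
                for (CodeSigner signer : signers) {
                    try {
                        // Chain [client, theCARoot] must end at a trust anchor in the keystore.
                        validator.validate(signer.getSignerCertPath(), pkix);
                    } catch (CertPathValidatorException e) {
                        X509Certificate leaf = (X509Certificate)
                            signer.getSignerCertPath().getCertificates().get(0);
                        throw new SecurityException("signer " + leaf.getSubjectX500Principal()
                            + " not trusted: " + e.getMessage(), e);
                    }
                }
                verified++;
            }
        }
        return verified;
    }

    public static void main(String[] args) throws Exception {
        String jarPath = args.length > 0 ? args[0] : "SignedApplet.jar";
        String trustStore = args.length > 1 ? args[1] : "clientkeystore";
        int n = verify(jarPath, trustStore);
        System.out.println(n + " signed entries verified against " + trustStore);
    }
}
```

On current JDKs a SHA-1/DSA signature like the one JDK 7 produces here is disabled by jdk.jar.disabledAlgorithms and treated as unsigned, so getCodeSigners() returns null and this check fails closed; the certificate validity dates in the keystore are checked against the current time as well.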
Jar signing - Step8
Go to "Java Control Panel" → "Security" tab → "Manage Certificates"
Import the ca-certificate.pem file
Certificate detail
Reference
Java SE Documentation
http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
Configuring Java CAPS for SSL Support
http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html
Editor's Notes

  1. http://polinwei.blogspot.tw/2013/02/java-keytoolmicrosoft-active-directory.html
     http://cooking-java.blogspot.tw/2010/01/java-keytool.html
     http://fecbob.pixnet.net/blog/post/36050717-%5Bandroid%5D-keytool%E5%B7%A5%E5%85%B7%E4%BD%BF%E7%94%A8%E8%A9%B3%E8%A7%A3
  2. http://www.openssl.org/docs/apps/x509.html
  3. The purpose of X.509 is to attest that an issued certificate really was issued by the party named on the certificate.
  4. http://www.frogjumpjump.com/2011/09/ssl-x509ssl.html
     http://www.imacat.idv.tw/tech/sslcerts.html.zh-tw#sslx509