Sign Jar

generate certificate signing request

keytool -certreq -alias xxx -keystore xxx_signing.jks -file certreq.pem.2
keytool -importcert -alias inter -file intermediate.pem -keystore xxx_signing.jks -storepass yyy.xxx@2017
keytool -importcert -alias root -file root.pem -keystore xxx_signing.jks -storepass yyy.xxx@2017
keytool -importcert -alias xxx -file signedcert.pem -keystore xxx_signing.jks -storepass yyy.xxx@2017
keytool -printcertreq -file certreq.pem
openssl req -in certreq.pem -noout -text

sign jnlp jar

D:\signjar> mkdir hk\gov\ogcio
D:\signjar> mkdir hk\gov\xxx\user\fxbrowser

xxx\public\bin>
xcopy /y hk\gov\ogcio /s D:\signjar\bin\hk\gov\ogcio
xcopy /y hk\gov\xxx\user\fxbrowser /s D:\signjar\bin\hk\gov\xxx\user\fxbrowser
copy smartid.properties D:\signjar\bin
copy pkcs12.properties D:\signjar\bin
copy etoken.properties D:\signjar\bin

jar -cf fxbrowser.jar -C bin/ .
jar ufm fxbrowser.jar Manifest.txt
pack200 --repack fxbrowser.jar
rem pack200 --repack itextpdf-5.5.6.jar
rem pack200 --repack bcprov-jdk15on-1.56.jar
rem pack200 --repack bcpkix-jdk15on-1.56.jar

jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore xxx_signing.jks fxbrowser.jar xxx -storepass yyy.xxx@2017
jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore xxx_signing.jks itextpdf-5.5.6.jar xxx -storepass yyy.xxx@2017
jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore xxx_signing.jks bcprov-jdk15on-1.56.jar xxx -storepass yyy.xxx@2017
jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore xxx_signing.jks bcpkix-jdk15on-1.56.jar xxx -storepass yyy.xxx@2017

pack200 fxbrowser.jar.pack.gz fxbrowser.jar
pack200 itextpdf-5.5.6.jar.pack.gz itextpdf-5.5.6.jar
pack200 bcprov-jdk15on-1.56.jar.pack.gz bcprov-jdk15on-1.56.jar
pack200 bcpkix-jdk15on-1.56.jar.pack.gz bcpkix-jdk15on-1.56.jar

del fxbrowser__V1.4.jar.pack.gz
rename fxbrowser.jar.pack.gz fxbrowser__V1.4.jar.pack.gz
rename itextpdf-5.5.6.jar.pack.gz itextpdf-5.5.6__V1.0.jar.pack.gz
rename bcprov-jdk15on-1.56.jar.pack.gz bcprov-jdk15on-1.56__V1.0.jar.pack.gz
rename bcpkix-jdk15on-1.56.jar.pack.gz bcpkix-jdk15on-1.56__V1.0.jar.pack.gz

copy /y fxbrowser__V1.4.jar.pack.gz C:\Users\my\Desktop\Forrest\workspace\xxx\public\src\main\resources\public\user
copy /y fxbrowser__V1.4.jar.pack.gz Y:\public\bin\public\user
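
A check to run in D:\signjar after the rename step, as an added example that is not part of the original notes: it verifies each signed jar against alias xxx, then unpacks the matching .pack.gz and verifies that copy too, since the packed file is what gets deployed and the signature only survives unpacking when the jar was repacked before signing. It assumes the JDK 8 tools (jarsigner, unpack200) are on PATH and the file names used above; the .check.jar scratch files are made up for the example.

```batch
@echo off
rem Added example: verify the signed jars and the packed copies built from them.
setlocal

call :check fxbrowser.jar           fxbrowser__V1.4.jar.pack.gz           || exit /b 1
call :check itextpdf-5.5.6.jar      itextpdf-5.5.6__V1.0.jar.pack.gz      || exit /b 1
call :check bcprov-jdk15on-1.56.jar bcprov-jdk15on-1.56__V1.0.jar.pack.gz || exit /b 1
call :check bcpkix-jdk15on-1.56.jar bcpkix-jdk15on-1.56__V1.0.jar.pack.gz || exit /b 1
echo all jars verified
exit /b 0

:check
rem %1 = signed jar, %2 = packed file produced from it
rem -strict makes severe warnings (expired cert, unsigned entries, wrong alias)
rem show up in the exit code; the trailing alias requires the signer to be xxx.
jarsigner -verify -strict -keystore xxx_signing.jks %1 xxx
if errorlevel 1 (echo FAILED: %1 & exit /b 1)

rem Unpack the packed copy to a scratch jar and verify that as well.
unpack200 %2 %~n1.check.jar
if errorlevel 1 (echo FAILED: cannot unpack %2 & exit /b 1)
jarsigner -verify -strict -keystore xxx_signing.jks %~n1.check.jar xxx
if errorlevel 1 (echo FAILED: %2 & del %~n1.check.jar & exit /b 1)
del %~n1.check.jar
exit /b 0
```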

Reference

https://docs.oracle.com/cd/E19509-01/820-3503/ggezu/
https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-csr-certificate-signing-request-using-keytool-and-get-it-signed-from-an-external-ca-certificate-authority-thawte
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/rsa_signing.html

Import certificate

keytool -import -trustcacerts -keystore xxx_signing.jks -alias xxx -file ssl_certificate.p7b

Add key entry to xxx_signing.jks for pdf signing

useless:
openssl pkcs12 -export -inkey www.dummy.gov.hk-privateKey.key -in www.dummy.gov.hk.crt -name xxx-cert -out xxx-cert.p12
keytool -importkeystore -srckeystore ..\apache\ssl\public\xxx-cert.p12 -srcstoretype pkcs12 -alias xxx-cert -destkeystore xxx_signing.jks

self-sign:
openssl req -x509 -newkey rsa:2048 -keyout sign-pdf-cert-key.pem -out sign-pdf-cert.pem -days 3650
rem review cert
openssl x509 -text -noout -in sign-pdf-cert.pem
openssl pkcs12 -inkey sign-pdf-cert-key.pem -in sign-pdf-cert.pem -export -name xxx-cert -out sign-pdf-cert.p12
rem validate p12 file
openssl pkcs12 -in certificate.p12 -noout -info
keytool -importkeystore -srckeystore sign-pdf-cert.p12 -srcstoretype pkcs12 -alias xxx-cert -destkeystore xxx_signing.jks

jks location

D:\keystore\xxx_signing.jks comes from public\config\jws\xxx_signing.jks