How to Use YubiHSM 2 for Java Code Signing with Jarsigner?

YubiHSM 2 is a hardware security module (HSM) developed by Yubico. An HSM is a specialized device that provides secure storage and management of cryptographic keys and performs cryptographic operations.

The YubiHSM 2 is specifically designed to enhance the security of applications, systems, and devices that require cryptographic functions.

This blog will assist you in Java Code Signing with YubiHSM 2. First, let us explore the explicit attributes of YubiHSM 2 below.

Different Features of YubiHSM 2

Here are some key features and characteristics of the YubiHSM 2:

Hardware-Based Security:

YubiHSM 2 is a tamper-resistant device that physically protects sensitive cryptographic material, such as private keys, from unauthorized access or extraction.

High-Performance Cryptography:

The YubiHSM 2 offers fast and efficient cryptographic operations, including key generation, signing, and verification, enabling secure and reliable cryptographic operations in various scenarios.

Standards Compliance:

YubiHSM 2 adheres to industry-standard cryptographic algorithms and protocols, ensuring compatibility with existing cryptographic infrastructure and applications.

Remote Management:

The YubiHSM 2 can be remotely managed and controlled, allowing for centralized administration and monitoring of cryptographic operations across multiple devices.

• PKCS #11 Support: YubiHSM 2 supports the PKCS #11 standard, which provides a standardized interface for cryptographic operations and key management, making it compatible with various software applications and libraries.

• Key Protection and Isolation: Private keys stored within the YubiHSM 2 are never exposed outside the device, ensuring their confidentiality and protecting against unauthorized use or compromise.

• Versatile Use Cases: The YubiHSM 2 can be utilized in a wide range of applications, including secure code signing, secure key storage, certificate authority operations, secure network communication, and more, enhancing the overall security of these systems.

Java Code Signing with Jarsigner

The process of signing Java code using the “jarsigner” tool comes bundled with the Java Development Kit (JDK). It provides an example of generating an RSA key pair and a self-signed certificate that will be stored on the YubiHSM 2, a hardware security module.

The provided command demonstrates how to use the “keytool” utility to generate the RSA key pair and self-signed certificate.

The command specifies the following parameters:

-keystore NONE: Specifies that no keystore file will be used.

-storetype PKCS11: Sets the keystore type as PKCS11, indicating it will interact with a hardware security module.

-storepass 0001password: Sets the password for accessing the keystore.

-addProvider SunPKCS11 -providerArg ./sunpkcs11.conf: Adds the SunPKCS11 provider and specifies the configuration file “sunpkcs11.conf” to establish communication with the YubiHSM 2.

-genkey: Generates a new key pair and a self-signed certificate.

-alias rsaSign: Assigns the alias “rsaSign” to the generated key pair.

-keyalg RSA: Specifies that the key pair should use the RSA algorithm.

-dname CN=rsaSign: Sets the distinguished name (DN) for the certificate, with “CN=rsaSign” representing the common name.

The output mentions successfully generating a 2,048-bit RSA key pair and self-signed certificate using the specified parameters. It also indicates that the generated certificate uses the “SHA256withRSA” algorithm and has a validity period of 90 days.

Additionally, it notes the usage of the SunPKCS11 provider to interact with the YubiHSM 2, similar to other examples.

Process of Signing JAR (Java Archive) Files using the “jarsigner” Tool

The text describes the process of signing JAR (Java Archive) files using the “jarsigner” tool. It provides a step-by-step example to illustrate the process.

First, it presents a minimal Java source file called “HelloWorld.java,” which contains a simple “Hello, World” program.

Next, it demonstrates how to compile the Java source file using the “javac” command and create an unsigned JAR file named “unsigned.jar” using the “jar” command. The “-cfe” option specifies the main class to be executed when running the JAR file.

To sign the JAR file, the example uses the “jarsigner” command with the following parameters:

–tsa http://timestamp.digicert.com: Specifies a timestamp authority (TSA) server, which records the current time in the signed JAR file. This ensures that the JAR file remains valid after the signing certificate expires.

-addProvider SunPKCS11 -providerArg ./sunpkcs11.conf: Adds the SunPKCS11 provider and specifies the configuration file “sunpkcs11.conf” to interact with the YubiHSM 2.

-keystore NONE -storetype PKCS11 -storepass 0001password: Specifies the keystore type as PKCS11 and provides the password to access the keystore.

-signedjar signed.jar ./unsigned.jar rsaSign: Specifies the name of the signed JAR file to be created as “signed.jar” and the path to the unsigned JAR file. “rsaSign” represents the alias of the RSA signing key stored in the YubiHSM 2.

After executing the command, the output confirms that the JAR file has been successfully signed. However, it includes a warning stating that the signer’s certificate is self-signed and not issued by a trusted certificate authority (CA).

$ jarsigner -tsa http://timestamp.digicert.com -addProvider SunPKCS11 -providerArg ./sunpkcs11.conf -keystore NONE -storetype PKCS11 -storepass 0001password -signedjar signed.jar ./unsigned.jar rsaSign

jar signed.

You must use a timestamp server to record the current time in the signed JAR file. This eliminates the need to re-sign the JAR file when the signing certificate expires.

It also mentions that for others to validate the certificate, it is recommended to use a public CA to sign the Java code.

How do you Verify the Signature on Java Archive?

The section explains the process of verifying the signature on a signed JAR (Java Archive) file using the “jarsigner” tool.

Here, we provide an example and highlight the considerations for trusting the signer and the Certificate Authority (CA) that issued the signer’s certificate.

To verify the signature, the example uses the “jarsigner” command with the following parameters:

-verify: Specifies that the command is for verifying the signature.

-addProvider SunPKCS11 -providerArg ./sunpkcs11.conf: Adds the SunPKCS11 provider and specifies the configuration file “sunpkcs11.conf” to interact with the YubiHSM 2.

-keystore NONE -storetype PKCS11 -storepass 0001password: Specifies the keystore type as PKCS11 and provides the password to access the keystore.

./signed.jar: Specifies the path to the signed JAR file that needs to be verified.

After executing the command, the output confirms that the JAR file’s signature has been verified successfully, indicated by the message “jar verified.”

$ jarsigner -verify -addProvider SunPKCS11 -providerArg ./sunpkcs11.conf -keystore NONE -storetype PKCS11 -storepass 0001password ./signed.jar

jar verified.

If the signer and the CA that issued the signer’s certificate are trusted, the example demonstrates that the software within the JAR file can be executed by using the “java -jar” command, followed by the name of the signed JAR file.

When verifying the signature on a signed JAR file, access to the YubiHSM 2 is not required. This is because the certificate necessary for verification is included within the JAR file itself.

However, we emphasize that the verification process will fail unless a trusted CA signs the certificate. In other words, the trustworthiness of the signer and the CA is crucial for ensuring the integrity and authenticity of the software contained within the JAR file.

Steps to Configure YubiHSM 2 for Code Signing in Java

Now, we will provide an overview of the purpose and functionality of the scripts in a repository that aims to configure a YubiHSM 2 for Java code signing. We will mention the primary software tools used, including YubiHSM-Shell, Java KeyTool, and OpenSSL.

The repository contains two scripts:
YubiHSM_Cert_Enroll.ps1 for Windows PowerShell
YubiHSM_Cert_Enroll.sh for Linux Bash

These scripts facilitate the generation of an RSA key pair and the enrollment of an X.509 certificate to the YubiHSM 2. The process involves using YubiHSM-Shell along with Java KeyTool and OpenSSL.

Once the RSA key pair and certificate have been enrolled in the YubiHSM 2, the YubiHSM 2 PKCS #11 library can be utilized in conjunction with the Sun JCE PKCS #11 Provider.

The main objective of these scripts is to enable the use of the enrolled key and certificate for signing Java code, specifically using the JarSigner tool.

The scripts execute the instructions given below:

1. First, you must generate an RSA key pair within the YubiHSM 2.
2. Then, look for exporting the Certificate Signing Request (CSR).
3. Sign the CSR using an X.509 certificate, with the example given having SignMyCode.
4. Finally, the signed certificate X.509 needs to be Imported inside the YubiHSM 2.

It’s important to note that the scripts are provided “as-is” and are not officially supported. They are intended as references for configuring the YubiHSM 2 for Java code signing.

Administrators should refer to Yubico’s documentation on managing YubiHSMs and exercise caution before implementing these scripts in production environments.

Wrapping up

Overall, YubiHSM 2 is a robust hardware security module that offers secure key storage, cryptographic operations, and enhanced security for various applications, systems, and devices that require strong cryptographic capabilities.

We finally hope that you can now use YubiHSM 2 for Java Code Signing.

Search