Using Fortanix Data Security Manager with Microsoft CNG and Java 8 for JAR Signing


1.0 Introduction

This article provides an overview of how to sign a Java ARchive (JAR) file with a private key that is held in Fortanix Data Security Manager (DSM), using the Fortanix Microsoft CNG client and the Java 8 jarsigner tool.

It also contains the information that a user requires to:

  • Generate a private key in Fortanix DSM, request a certificate for it, and import the CA-signed certificate.

  • Sign a JAR file and verify the signed JAR file.

2.0 Prerequisites

Ensure the following:

  • Download the latest Fortanix CNG client from here. The download is the sdkms-jce-provider-bundled-x.xx.xxxx.jar file.

  • A Java 8 JDK is installed; its jarsigner tool performs the signing and verification in Section 7.0.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating a Security Object

Perform the following steps to generate an RSA key in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

    Figure 3: Adding security object

  2. On the Add new Security Object page, do the following:

    1. Security Object name: Enter the name of your security object. For example, RSA-Key-Demo.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select GENERATE.

    4. In the Choose a type section, select the RSA key type.

    5. In the Key Size section, select the size of the key in bits.

    6. In the Key operations permitted section, select the operations that may be performed with the key. For a JAR-signing key, permit only Sign (and Verify if DSM should also verify signatures); leave encryption, decryption and export disabled so that the key cannot be used for anything else.

  3. Click GENERATE to create the new security object.

The new security object is added to the Fortanix DSM successfully.

4.0 Set Up the Fortanix Microsoft CNG Client on Windows

This section provides the steps to set up the Fortanix CNG client on a Windows machine.

Perform the following steps:

  1. Move the downloaded sdkms-jce-provider-bundled-x.xx.xxxx.jar file to the ${JAVA_HOME}/jre/lib/ext directory, the extension directory from which Java 8 loads installed providers. This directory exists only in Java 8 and earlier; the extension mechanism was removed in Java 9.

  2. Apply the Unlimited Strength Jurisdiction Policy. In Java 8u161 and later the unlimited policy is already the default. In 8u151 to 8u160, set crypto.policy=unlimited in the ${JAVA_HOME}/jre/lib/security/java.security file instead. For older Java 8 releases, download the policy files from the Java website.

  3. For those older releases, extract the content of the downloaded zip file and copy the following files to the ${JAVA_HOME}/jre/lib/security directory:

    • local_policy.jar

    • US_export_policy.jar

  4. For tools that cannot add the provider programmatically (keytool, jarsigner, and so on), also register the JCE provider in the ${JAVA_HOME}/jre/lib/security/java.security file as the last provider in the list. jarsigner looks the provider up by name (-providername sdkms-jce in Section 7.0) and finds it only if it is registered here.

    The following is a sample java.security file:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    security.provider.3=sun.security.ec.SunEC
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
    security.provider.7=com.sun.security.sasl.Provider
    security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.9=sun.security.smartcardio.SunPCSC
    security.provider.10=com.fortanix.sdkms.jce.provider.SdkmsJCE

5.0 Generate the Certificate Signing Request

This section describes the steps to generate a Certificate Signing Request (CSR) for the private key created in Section 3.4: Creating a Security Object, using certreq.exe and the Fortanix KMS CNG Provider. The key stays in Fortanix DSM; the CNG provider exposes it to Windows under its security object name.

Perform the following steps:

  1. Create a new INF file. For example, request.inf.

  2. Add the following content to the file:

    [NewRequest]
    Subject = "CN=<KeyName>"
    KeyContainer = "<KeyName for example, RSA-Key-Demo>"
    MachineKeySet = true
    ProviderName = "Fortanix KMS CNG Provider"
    UseExistingKeySet = true

    Where,

    • Subject is the distinguished name the CA places in the certificate. The example uses the key name; replace it with the subject your CA expects for a code-signing certificate.

    • KeyContainer is the name of the existing key, that is, the security object name from Section 3.4: Creating a Security Object.

    • MachineKeySet = true looks the key up in the machine key set rather than the user key set, so certreq.exe must be run from an elevated command prompt.

    • ProviderName selects the Fortanix KMS CNG Provider as the key storage provider.

    • UseExistingKeySet = true tells certreq.exe to build the request around the existing key instead of generating a new one.

  3. Run the following command to generate the CSR:

    certreq.exe -new request.inf request.csr

    This command generates a request.csr file. Before sending it, you can inspect it with certutil -dump request.csr and confirm that the subject and public key are the ones you expect. Send the file to a trusted Certificate Authority (CA) to receive a signed certificate.

6.0 Import the Signed Certificate into Fortanix DSM

After receiving the signed certificate from the CA, you need to import it into Fortanix DSM.

NOTE

The name of the imported certificate must be <KeyName>-certificate-0. For example, RSA-Key-Demo-certificate-0.

Perform the following steps to import the CA-signed certificate into Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

    Figure 4: Importing certificate

  2. On the Add new Security Object page, do the following:

    1. Security Object Name: Enter the name of the certificate object. It must follow the naming convention in the note above. For example, RSA-Key-Demo-certificate-0.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select IMPORT.

    4. In the Choose a type section, select the RSA key type.

    5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw, and click UPLOAD A FILE to upload the certificate that the CA issued for the request generated in Section 5.0: Generate the Certificate Signing Request.

    6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

  3. Click IMPORT to create the new security object.

The new security object is added to the Fortanix DSM successfully.

7.0 Create a Java KeyStore File

This section describes the steps to create the Java KeyStore (.jks) file that the SDKMS-Local store type expects and use it to sign a JAR file. Despite the extension, the file is a small JSON descriptor that names the key and the certificate imported in the previous section; it contains no key material, because the private key never leaves Fortanix DSM.

Perform the following steps:

  1. Create a new .jks file with the following JSON structure:

    {"<keyName>":{"keyName":"<keyName>","date":1713425597608,"chain":["<keyName-Certificate>"],"certId":null,"isCertEntry":false}}

    Where,

    • <keyName> refers to the name of the security object as created in Section 3.4: Creating a Security Object. It appears twice: as the top-level key, which is the alias that jarsigner uses, and as the keyName value.

    • <keyName-certificate> refers to the name of the certificate imported in Section 6.0: Import the Signed Certificate into Fortanix DSM.

    • date is a timestamp in milliseconds since the Unix epoch.

      For example,

      {"RSA-Key-Demo":{"keyName":"RSA-Key-Demo","date":1713425597608,"chain":["RSA-Key-Demo-certificate-0"],"certId":null,"isCertEntry":false}}

  2. Save the file as keystore.jks.

  3. Run the following command to sign the JAR file:

    jarsigner -keystore <jks file> -providername sdkms-jce -storetype SDKMS-Local -storepass <group-id> -sigalg SHA256withRSA "sample_signed.jar"  "<keyname alias>"

    Where,

    • <jks file> is the path to the keystore.jks file saved in step 2.

    • <group-id> is the ID of the Fortanix DSM group created in Section 3.3: Creating a Group; the provider takes it from the store password.

    • sample_signed.jar is the JAR file to sign. Without -signedjar, jarsigner overwrites it in place.

    • <keyname alias> is the top-level key of the JSON file, that is, the security object name. For example, RSA-Key-Demo.

    The signature is computed inside Fortanix DSM; the private key is never exported to the signing machine.

  4. Run the following command to verify the signed JAR file and ensure that it has been correctly signed:

    jarsigner -verify "<jarName>" -providerName sdkms-jce -sigalg SHA256withRSA

    Where, <jarName> refers to the name of the JAR file.

    A "jar verified" result means that the digests and the signature are consistent. Add -verbose -certs to print the signer certificate for each entry and confirm that it is the certificate imported in Section 6.0 and chains to the CA you expect; jarsigner also warns when the certificate chain is not trusted or the certificate lacks the code-signing extended key usage.
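To make the verification in step 4 concrete, the following Python script shows what jarsigner checks before it ever reaches the RSA signature. It is an added example and not code from the Fortanix article or the Fortanix provider: it builds the two digest layers of a signed JAR (META-INF/MANIFEST.MF, which digests each file, and META-INF/<ALIAS>.SF, which digests the manifest and each manifest section) as the JAR File Specification defines them, and re-checks both layers on a JAR. The alias RSA-KEY-DEMO, the helper names and the sample file contents used in the test are constructed for the example; the script assumes CRLF line endings in the manifest (what java.util.jar.Manifest writes) and neither creates nor checks the PKCS#7 block META-INF/<ALIAS>.RSA, which is the step that needs the DSM-held key.

```python
"""Digest layers of a signed JAR (META-INF/MANIFEST.MF and META-INF/<ALIAS>.SF).
Added example, not Fortanix code: builds both layers as the JAR File Specification
defines them and re-checks them, the part of `jarsigner -verify` that runs before the
RSA signature over the .SF is validated. <ALIAS>.RSA is neither created nor checked."""
import base64
import hashlib
import io
import zipfile

SECTION_END = b"\r\n\r\n"  # every manifest/SF section ends with a blank line (CRLF assumed)

def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def parse_sections(text: bytes) -> list:
    """Split a manifest or .SF into dicts, main section first; a leading space
    marks a continuation of the previous attribute (72-byte line wrapping)."""
    sections, current, prev = [], {}, None
    for line in text.decode("utf-8").splitlines():
        if line == "":
            if current:
                sections.append(current)
            current, prev = {}, None
        elif line.startswith(" ") and prev is not None:
            current[prev] += line[1:]
        else:
            key, _, value = line.partition(": ")
            current[key] = value
            prev = key
    if current:
        sections.append(current)
    return sections

def manifest_section_bytes(manifest: bytes) -> dict:
    """Raw bytes of each Name: section, terminator included: what the .SF digests per entry."""
    out = {}
    for raw in manifest.split(SECTION_END)[1:]:  # [0] is the main section
        if raw:
            out[parse_sections(raw)[0]["Name"]] = raw + SECTION_END
    return out

def render(main: list, digests: dict) -> bytes:
    """Serialize a main section plus one Name: section per entry, CRLF-terminated."""
    lines = main + [""]
    for name, digest in digests.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(lines).encode("utf-8") + b"\r\n"

def build_manifest(files: dict) -> bytes:
    """Layer 1: MANIFEST.MF digests the bytes of every file in the JAR."""
    return render(["Manifest-Version: 1.0", "Created-By: example"],
                  {name: b64_sha256(data) for name, data in sorted(files.items())})

def build_signature_file(manifest: bytes) -> bytes:
    """Layer 2: <ALIAS>.SF digests the whole manifest and each manifest section.
    This is the file the RSA key signs to produce <ALIAS>.RSA."""
    return render(["Signature-Version: 1.0",
                   f"SHA-256-Digest-Manifest: {b64_sha256(manifest)}",
                   "Created-By: example"],
                  {name: b64_sha256(sec) for name, sec in manifest_section_bytes(manifest).items()})

def make_jar(files: dict, alias: str = "RSA-KEY-DEMO") -> bytes:
    """In-memory JAR carrying both digest layers (constructed sample, no .RSA block)."""
    manifest = build_manifest(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(f"META-INF/{alias}.SF", build_signature_file(manifest))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def tamper(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the JAR with one entry's bytes replaced; everything else is left as is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            dst.writestr(item.filename, data if item.filename == name else src.read(item))
    return buf.getvalue()

def check_digests(jar_bytes: bytes) -> list:
    """Every inconsistency between files, manifest and .SF; an empty list means consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF")
        entries = {s["Name"]: s for s in parse_sections(manifest)[1:] if "Name" in s}
        for name, attrs in entries.items():  # layer 1: manifest digest vs file bytes
            if name not in names or attrs.get("SHA-256-Digest") != b64_sha256(zf.read(name)):
                problems.append(f"digest mismatch for {name}")
        for name in names:  # a file with no manifest entry is simply not signed
            if not name.startswith("META-INF/") and not name.endswith("/") and name not in entries:
                problems.append(f"unsigned file {name}")
        sections = manifest_section_bytes(manifest)
        for sf_name in [n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")]:
            sf = parse_sections(zf.read(sf_name))  # layer 2: .SF digests vs manifest
            if sf[0].get("SHA-256-Digest-Manifest") != b64_sha256(manifest):
                problems.append(f"{sf_name}: manifest digest mismatch")
            for s in sf[1:]:
                if s.get("SHA-256-Digest") != b64_sha256(sections.get(s.get("Name"), b"")):
                    problems.append(f"{sf_name}: section digest mismatch for {s.get('Name')}")
    return problems
```

Running check_digests on the JAR produced in step 3 returns an empty list when the digest layers agree. Replacing a file's bytes after signing trips only layer 1 (the manifest digest no longer matches), while rewriting the manifest to cover the new bytes trips layer 2 as well, because the .SF still digests the old manifest; changing the .SF itself is what the RSA signature in <ALIAS>.RSA, checked by jarsigner against the certificate from Section 6.0, exists to catch.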