Using Fortanix Data Security Manager with Microsoft CNG and Java 8 for JAR Signing

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) with Microsoft CNG Client and Java 8 for JAR Signing integration guide. This article provides an overview of how to sign a Java ARchive (JAR) file with a private key held in Fortanix DSM, using the Fortanix Microsoft CNG client and Java 8.

It also contains the information that a user requires to:

  • Generate a private key and import a certificate.

  • Verify the signed JAR file.

2.0 Prerequisites

Ensure the following:

  • Download the latest Fortanix CNG client from here. This downloads the sdkms-jce-provider-bundled-x.xx.xxxx.jar file to your system.

  • A Windows machine with Java 8 installed. The paths in Section 4.0 assume that ${JAVA_HOME} points at a JDK 8 installation.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group. For example, Group-Demo.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating a Security Object

Perform the following steps to generate an RSA key in the Fortanix DSM:

  1. Click the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to add a security object.

    Figure 3: Add Security Object

  2. On the Add New Security Object page, enter the following details:

    1. Security Object name: Enter the name of your security object. For example, RSA-Key-Demo.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select the GENERATE radio button.

    4. Choose a type: Select the RSA key type.

    5. Key Size: Indicates the size of the key in bits.

    6. Key operations permitted: Select the operations that may be performed with the key, such as encryption, decryption, signing, and verifying. Signing must be permitted for jarsigner to use this key; leave out any operation the key does not need.

  3. Click the GENERATE button to create the new security object.

The security object is added to the Fortanix DSM successfully.

4.0 Setup Fortanix Microsoft CNG Client on Windows

This section provides the steps to set up the Fortanix CNG client and its bundled JCE provider (sdkms-jce-provider-bundled-x.xx.xxxx.jar) on a Windows machine so that Java 8 tools such as jarsigner can use keys held in Fortanix DSM.

Perform the following steps:

  1. Move the downloaded sdkms-jce-provider-bundled-x.xx.xxxx.jar file to the ${JAVA_HOME}/jre/lib/ext directory.

  2. Apply the Unlimited Strength Jurisdiction Policy Files by downloading the policy files from the Java website. This step is needed only for Java 8 releases before 8u161; from 8u161 onwards the unlimited policy is the default and is controlled by the crypto.policy property in java.security, so you can skip steps 2 and 3 on those releases.

  3. Extract the content of the downloaded zip file and copy the following files to the ${JAVA_HOME}/jre/lib/security directory:

    • local_policy.jar

    • US_export_policy.jar

  4. Register the JCE provider in the ${JAVA_HOME}/jre/lib/security/java.security file as the last provider in the list. This is required for non-program-based usage such as keytool and jarsigner, which look the provider up by name (the -providername argument used in Section 7.0) and therefore need it registered in java.security.

    The following is a sample java.security file:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    security.provider.3=sun.security.ec.SunEC
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
    security.provider.7=com.sun.security.sasl.Provider
    security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.9=sun.security.smartcardio.SunPCSC
    security.provider.10=com.fortanix.sdkms.jce.provider.SdkmsJCE

5.0 Generate the Certificate Signing Request

This section describes the steps to generate a Certificate Signing Request (CSR) for the private key created in Section 3.4: Creating a Security Object, using certreq.exe and the Fortanix KMS CNG Provider. certreq references the existing key by its container name through the CNG provider instead of generating a new key pair.

Perform the following steps:

  1. Create a new .inf file. For example, request.inf.

  2. Add the following content to the file:

    [NewRequest]
    Subject = "CN=<KeyName>"
    KeyContainer = "<KeyName>"
    MachineKeySet = true
    ProviderName = "Fortanix KMS CNG Provider"
    UseExistingKeySet = true

    Where,

    • <KeyName> is the name of the security object created in Section 3.4: Creating a Security Object. For example, RSA-Key-Demo. KeyContainer must match that name exactly so that the CNG provider resolves to the right key.

    • Subject is the distinguished name placed in the CSR; this example uses the key name as the common name.

    • ProviderName selects the Fortanix KMS CNG Provider instead of the default Microsoft software key storage provider.

    • UseExistingKeySet = true tells certreq to use the existing key rather than generate a new key pair.

    • MachineKeySet = true indicates that the key belongs to the machine key set rather than to the current user's.

  3. Run the following command to generate the CSR:

    certreq.exe -new request.inf request.csr

    Because MachineKeySet = true, run the command from an elevated (administrator) command prompt.

    This command generates a request.csr file. Before submitting it, you can inspect it with certutil -dump request.csr and confirm that the Subject and the public key are the ones you expect. You must send this file to a trusted Certificate Authority (CA) to receive a signed certificate.

6.0 Import the Signed Certificate into Fortanix DSM

After receiving the signed certificate from the CA, you need to import it into Fortanix DSM.

NOTE

The name of the imported certificate must be <KeyName>-certificate-0. For example, RSA-Key-Demo-certificate-0.

Perform the following steps:

  1. Click the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to add a security object.

    Figure 4: Add Security Object

  2. On the Add New Security Object page, enter the following details:

    1. Security Object name: Enter the name of your security object. It must be <KeyName>-certificate-0, for example RSA-Key-Demo-certificate-0, as stated in the note above.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select the IMPORT radio button.

    4. Choose a type: Select the RSA key type.

    5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw, and click the UPLOAD A FILE button to upload the CA-signed certificate that the CA returned for the CSR generated in Section 5.0: Generate the Certificate Signing Request.

    6. Select the permitted key operations and any key tags if required using ADD TAG.

    7. Enter the key Expiration Date and key Activation Date, if required.

  3. Click the IMPORT button to import the certificate.

The certificate is added to the Fortanix DSM successfully.

7.0 Create a Java KeyStore File

This section describes the steps to create a Java KeyStore (.jks) file that references the key and the certificate imported in the previous section, and to use it to sign a JAR file.

Perform the following steps:

  1. Create a new .jks file with the following JSON structure:

    {"<keyName>":{"keyName":"<keyName>","date":1713425597608,"chain":["<keyName-certificate>"],"certId":null,"isCertEntry":false}}

    Where,

    • <keyName> refers to the name of the security object as created in Section 3.4: Creating a Security Object. It appears twice: as the entry's alias (the outer key) and as the keyName value.

    • <keyName-certificate> refers to the name of the certificate imported in Section 6.0, that is, <keyName>-certificate-0.

    • date is a Unix timestamp in milliseconds for the entry.

      For example,

      {"RSA-Key-Demo":{"keyName":"RSA-Key-Demo","date":1713425597608,"chain":["RSA-Key-Demo-certificate-0"],"certId":null,"isCertEntry":false}}

  2. Save the file as keystore.jks.

  3. Run the following command to sign the JAR file:

    jarsigner -keystore <jks file> -providername sdkms-jce -storetype SDKMS-Local -storepass <group-id> -sigalg SHA256withRSA "sample_signed.jar"  "<keyname alias>"

    Where,

    • <jks file> is the keystore.jks file saved in step 2.

    • sdkms-jce is the name of the Fortanix JCE provider registered in java.security in Section 4.0, and SDKMS-Local is the store type that reads the JSON keystore above.

    • <group-id> is the ID of the Fortanix DSM group created in Section 3.3: Creating a Group, passed in place of a keystore password.

    • sample_signed.jar is the JAR to sign. jarsigner signs it in place unless you pass -signedjar <output.jar>.

    • <keyname alias> is the alias from the JSON keystore, that is, the security object name. For example, RSA-Key-Demo.

  4. Run the following command to verify the signed JAR file to ensure it has been correctly signed:

    jarsigner -verify "<jarName>" -providerName sdkms-jce -sigalg SHA256withRSA

    Where, <jarName> refers to the name of the JAR file.

    Add -verbose -certs to print the signer certificate chain, so that you can confirm the signature was made with the expected certificate. jarsigner reports "jar verified" when the digests and signature check out, but also prints warnings, for example when the signer's certificate chain is not trusted by the JRE's cacerts or when the JAR contains entries that are not covered by the signature; treat those warnings as failures in a release pipeline.
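What jarsigner -verify actually checks is a digest chain: MANIFEST.MF carries a SHA-256 digest of every entry, the .SF file carries a digest of the manifest and of each manifest section, and the .RSA file carries the PKCS#7 signature over the .SF made with the DSM-held key. The following Python script is an added example written for this guide; it is not Fortanix or OpenJDK code. It builds a small JAR from constructed sample entries (SAMPLE_ENTRIES, SAMPLE_ALIAS are this example's own names) together with the MANIFEST.MF and .SF that jarsigner would write, then verifies the chain and shows two failure modes that jarsigner -verify also reports: an entry modified after signing and an entry added without being covered by the manifest. It deliberately omits the .RSA signature, so it is a teaching aid for the format, not a replacement for jarsigner -verify.

```python
"""Digest chain inside a signed JAR (added example; not Fortanix or OpenJDK code).
jarsigner writes META-INF/MANIFEST.MF (a SHA-256-Digest per entry), META-INF/<ALIAS>.SF (a
digest of the manifest plus one per manifest section) and META-INF/<ALIAS>.RSA (a PKCS#7
signature over the .SF).  This builds the first two and checks the chain offline.  It does not
create or check the .RSA signature, uses "\n" line endings and skips the 72-byte line wrapping."""
import base64
import hashlib
import io
import zipfile


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _section(attrs) -> bytes:
    # One manifest section: "Key: Value" lines terminated by a blank line.
    return ("".join(f"{k}: {v}\n" for k, v in attrs) + "\n").encode()


def sf_name(alias: str) -> str:
    # jarsigner: first 8 chars of the alias, upper-cased; chars outside [A-Z0-9-_] become '_'.
    base = "".join(c if c.isalnum() or c in "-_" else "_" for c in alias.upper())
    return f"META-INF/{base[:8]}.SF"


def build_signed_jar(entries: dict, alias: str) -> bytes:
    """Write MANIFEST.MF and <ALIAS>.SF for `entries` (name -> bytes); no .RSA block."""
    man_sections, sf_sections = [_section([("Manifest-Version", "1.0")])], []
    for name, data in entries.items():
        sec = _section([("Name", name), ("SHA-256-Digest", _b64_sha256(data))])
        man_sections.append(sec)
        # The .SF per-entry digest covers the manifest *section*, not the entry bytes.
        sf_sections.append(_section([("Name", name), ("SHA-256-Digest", _b64_sha256(sec))]))
    manifest = b"".join(man_sections)
    sf = _section([("Signature-Version", "1.0"),
                   ("SHA-256-Digest-Manifest", _b64_sha256(manifest))]) + b"".join(sf_sections)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(sf_name(alias), sf)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(raw: bytes):
    """Return (main_attrs, {Name: (attrs, section_bytes)}) for a manifest or .SF file."""
    main, sections = {}, {}
    for chunk in raw.decode().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in chunk.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs["Name"]] = (attrs, (chunk + "\n\n").encode())
        elif attrs:
            main = attrs
    return main, sections


def verify_jar_digests(jar_bytes: bytes) -> list:
    """Return the problems found; [] means every entry is covered by the manifest, every
    digest matches and the .SF commits to that manifest.  Trust and .RSA are not checked."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        manifest_raw = z.read("META-INF/MANIFEST.MF")
        _, man_sections = parse_manifest(manifest_raw)
        sf_files = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if not sf_files:
            return ["no META-INF/*.SF found: the JAR is unsigned"]
        for sf in sf_files:
            sf_main, sf_sections = parse_manifest(z.read(sf))
            if sf_main.get("SHA-256-Digest-Manifest") != _b64_sha256(manifest_raw):
                problems.append(f"{sf}: SHA-256-Digest-Manifest does not match MANIFEST.MF")
            for name, (attrs, _) in sf_sections.items():
                expected = _b64_sha256(man_sections[name][1]) if name in man_sections else None
                if attrs.get("SHA-256-Digest") != expected:
                    problems.append(f"{sf}: section digest mismatch for {name}")
        for name in (n for n in names if not n.startswith("META-INF/") and not n.endswith("/")):
            if name not in man_sections:
                problems.append(f"{name}: unsigned entry (not covered by the manifest)")
            elif man_sections[name][0].get("SHA-256-Digest") != _b64_sha256(z.read(name)):
                problems.append(f"{name}: content digest mismatch (tampered)")
    return problems


def replace_entry(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Rewrite or add one entry without touching META-INF, i.e. tamper after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in src.namelist():
            if n != name:
                dst.writestr(n, src.read(n))
        dst.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for a real JAR's contents; the alias is the one used in this guide.
SAMPLE_ENTRIES = {"com/example/Main.class": b"\xca\xfe\xba\xbe (constructed)", "config.properties": b"mode=release\n"}
SAMPLE_ALIAS = "RSA-Key-Demo"

if __name__ == "__main__":
    jar = build_signed_jar(SAMPLE_ENTRIES, SAMPLE_ALIAS)
    print("intact  :", verify_jar_digests(jar) or "ok")
    print("tampered:", verify_jar_digests(replace_entry(jar, "config.properties", b"mode=debug\n")))
    print("extra   :", verify_jar_digests(replace_entry(jar, "evil.class", b"\xca\xfe")))
```

The second and third cases are why the warnings from jarsigner -verify matter: a modified entry fails its manifest digest, and an entry added after signing has no manifest section at all, yet the signature over the .SF is still valid, so a verifier that only checks the .RSA block would accept both. Real jarsigner output uses CRLF line endings and wraps lines at 72 bytes, which this simplified parser does not handle, so point it at JARs built by build_signed_jar rather than at production artifacts.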