Java Code Signer
Generate and secure your Java Code Signing certificate, used for signing Java artifacts, on a Luna Cloud HSM Service. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM for Java Code Signer service for this integration.
Java code signing covers signing Java applications for the desktop, digitally signing .jar files, and Netscape Object Signing, all of which the Java Runtime Environment (JRE) recognizes. In Java, setting up a Code Signing Certificate consists of creating a keystore and a Certificate Signing Request (CSR), then installing the issued code signing certificate into the keystore where the CSR was generated.
The Java platform lets you digitally sign .jar files. The signer signs the .jar file with a private key; the corresponding public key is placed in the .jar file together with its certificate, so that anyone who receives the .jar file can verify the signature. The signer can also timestamp the signature at signing time, which keeps the signature verifiable after the signing certificate itself expires.
This integration guide uses the following third party applications:
- Java JDK 8
This integration is supported on the following operating systems:
- RHEL 64-bit
- Windows Server 2016
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Configure the Luna Cloud HSM service for your application integration. See the section Luna Cloud HSM Service for detailed instructions on deploying and initializing a Luna Cloud HSM service partition and Luna Cloud HSM service client for your application integration.
Please take the following limitations into consideration when integrating your application with a Luna Cloud HSM service partition:
Non-FIPS algorithms: Luna Cloud HSM services operate in either FIPS or non-FIPS mode, which determines which algorithms are available on the partition. If your organization requires non-FIPS algorithms for your operations, ensure you enable the Remove FIPS restrictions check box when configuring your Luna Cloud HSM service. FIPS mode is enabled by default.
Refer to the Supported Mechanisms in the SDK Reference Guide for more information about available FIPS and non-FIPS algorithms.
Verify Luna Cloud HSM <slot> value: LunaCM commands act on the current slot. If there is only one slot, it is always the current slot. When completing an integration with Luna Cloud HSM services, verify which slot on the Luna Cloud HSM service you are sending commands to.
If there is more than one slot, then use the slot set command to direct a command to a specified slot. You can use slot list to determine which slot numbers are in use by which Luna Cloud HSM service.
Install Java Development Kit
Ensure that the Java Development Kit (JDK) is installed on your local system and that its bin directory is accessible to users on the system. We recommend adding the JDK bin folder to the PATH environment variable; alternatively, you can run the commands from the
This document provides detailed instructions on using the Java keytool utility to generate signing keys and certificates using the HSM on Demand service, and then use those keys to sign a .jar file.
Configuring the java.security File
Open the java.security file in a text editor and update it to use the Luna Provider.
Open the Java Security Configuration File, java.security, in a text editor. The file is available at
Add the Luna Provider to the java.security file, so that the file appears as follows:
Save the changes to the java.security file.
Enabling the HSM on Demand Service Keystore
You must configure the Java Code Signing utility to use the keystore located on the HSM on Demand service.
Copy the LunaAPI.dll (Windows) or libLunaAPI.so (UNIX) and the LunaProvider.jar files from <client_installation_directory>/jsp/lib to the Java extension folder located at
Set the environment variables for JAVA_HOME and PATH.
We recommend setting the PATH variable in Windows environments using the System Environments menu.
Create a file called lunastore and add the following line:
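The two configuration artifacts the steps above describe, as an added shell example (this is not code from the Thales guide): one function appends a LunaProvider entry at the next free security.provider index of a java.security file, and another writes a lunastore file that points the provider at a partition. It assumes the JDK 8 provider-list syntax (security.provider.N=<class>), the Luna JSP provider class com.safenetinc.luna.provider.LunaProvider, and the lunastore syntax tokenlabel:<partition_label>; the file paths are parameters, since the guide's own paths are not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the Thales integration guide.
# Assumes a JDK 8 style java.security (security.provider.N=<class>) and the
# Luna JSP provider class com.safenetinc.luna.provider.LunaProvider.

LUNA_PROVIDER_CLASS="com.safenetinc.luna.provider.LunaProvider"

# next_provider_index <java.security>
# Prints N+1, where N is the highest security.provider.N already present
# (1 if the file registers no providers at all).
next_provider_index() {
  awk -F'[.=]' '
    /^security\.provider\.[0-9]+=/ { if ($3 + 0 > max) max = $3 + 0 }
    END { print max + 1 }
  ' "$1"
}

# add_luna_provider <java.security>
# Registers the LunaProvider once, after the last existing provider. Placing
# it last keeps the JDK's own providers first in the lookup order; move it
# earlier only if you want Luna to serve every operation it can handle.
add_luna_provider() {
  f="$1"
  if grep -q "^security\.provider\.[0-9]*=$LUNA_PROVIDER_CLASS\$" "$f"; then
    return 0   # already registered, nothing to do
  fi
  n=$(next_provider_index "$f")
  printf 'security.provider.%s=%s\n' "$n" "$LUNA_PROVIDER_CLASS" >> "$f"
}

# write_lunastore <path> <partition_label>
# The Luna "keystore file" holds no key material: it only names the partition
# (tokenlabel:<label>, or alternatively slot:<n>) that the provider opens.
# The private keys themselves stay inside the HSM partition.
write_lunastore() {
  printf 'tokenlabel:%s\n' "$2" > "$1"
}

# Usage (placeholders follow the guide's own <...> convention):
#   add_luna_provider "<path_to_java.security>"
#   write_lunastore ./lunastore "<partition_label>"
```

Because the lunastore file carries only a partition reference, it can be checked into the build environment without exposing anything; what must be protected is the partition's Crypto Officer password, which keytool and jarsigner prompt for as the keystore password.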
Acquiring the Signing Key for the .jar File
There are two ways to obtain a signing key on the Luna Cloud HSM Service for signing .jar files: migrate an existing JKS keystore into the Luna Cloud HSM Service, or generate a new key pair directly on the HSM on Demand service.
Migrating the JKS Keystore for Signing the .jar File
If a JKS keystore is already in use, you can migrate its keys to the HSM on Demand service so that the private keys are held in the HSM rather than in a password-protected file on disk. The following procedure migrates signing keys from the local JKS keystore to the keystore on the Luna Cloud HSM Service. Once the migration has been verified, securely delete the JKS file and any backups of it: a private key that also survives on disk undoes the benefit of moving it into the HSM.
Migrate the JKS keystore into the Luna Cloud HSM Service keystore:
keytool -importkeystore -srckeystore <source_key_store> -destkeystore lunastore -srcstoretype jks -deststoretype luna
Respond to the prompts from the system to complete the migration.
Verify the contents of the lunastore.
keytool -list -v -keystore lunastore -storetype luna
Generating a Signing Key for the .jar File
You can generate a new key pair directly on the Luna Cloud HSM Service keystore.
Generate a key pair using the Java keystore utility and respond to the prompts to configure the key pair.
keytool -genkeypair -alias <key_label> -keyalg RSA -sigalg SHA256withRSA -keypass <key_password> -keysize 2048 -keystore lunastore -storepass <service_password> -storetype luna
When you complete the process, a new key pair will be generated on the registered HSM on Demand service.
Verify that the private key exists on the HSM on Demand service.
keytool -list -v -storetype luna -keystore lunastore
The system prompts for the keystore password. For a Luna keystore this is the Crypto Officer password of the Luna Cloud HSM Service partition. On correct entry, it displays the existing keys.
Generate a certificate request from the private key in the keystore.
keytool -certreq -alias <key_label> -sigalg SHA256withRSA -file <cert_request_file> -storetype luna -keystore lunastore
The system prompts for the keystore password, which is the Crypto Officer password of the Luna Cloud HSM Service partition.
Deliver the CSR file to your Certification Authority (CA) and request that it authenticates the request and returns a signed certificate or certificate chain. Save the reply and the CA root certificate in the current working directory.
Import the CA root certificate into the keystore.
keytool -trustcacerts -importcert -alias rootca -file <root_certificate> -keystore lunastore -storetype luna
Import the signed certificate reply, or certificate chain, into the keystore.
keytool -trustcacerts -importcert -alias <key_label> -file <certificate_file_or_chain> -keystore lunastore -storetype luna
Verify the files exist in the keystore.
keytool -list -v -storetype luna -keystore lunastore
Keep a record of the location of your lunastore file and of the key alias you used when creating the CSR. The private key itself never leaves the HSM partition; the lunastore file only tells the Luna provider which partition to open, and you will need both the file and the alias when you install the Code Signing Certificate and when you sign.
Signing the .jar File
You can sign .jar files with the signing key held in the Luna Cloud HSM Service keystore.
Place the *.jar file to be signed in the current working directory.
Sign the *.jar file. Execute:
jarsigner -keystore lunastore -storetype luna -signedjar <signed_jar_to_be_generated> <jar_to_be_signed> <private_key_label> -tsa <time_stamping_URL>
On correct execution, the system prompts for the keystore password. This is the Crypto Officer password of the Luna Cloud HSM Service partition.
Verify the signed .jar file:
jarsigner -verify <signed_jar_file> -verbose -certs
If the .jar file is verified, a message similar to the following is returned.
565 Tue Apr 17 09:42:36 PDT 2018 META-INF/MANIFEST.MF
[entry was signed on 4/16/18 9:12 PM]
X.509, CN=Administrator, CN=Users, DC=hlk, DC=com
[certificate is valid from 4/16/18 12:02 PM to 4/16/19 12:02 PM]
X.509, CN=hlk-CA, DC=hlk, DC=com
[certificate is valid from 4/5/18 10:25 AM to 4/5/23 10:35 AM]
647 Tue Apr 17 09:42:36 PDT 2018 META-INF/LUNAKEY.SF
5869 Tue Apr 17 09:42:36 PDT 2018 META-INF/LUNAKEY.RSA
0 Thu Dec 02 10:41:40 PST 2010 META-INF/
m 506 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer$1.class
m 533 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer$2.class
m 1567 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer$3.class
m 3905 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
-Signed by "CN=Administrator, CN=Users, DC=hlk, DC=com"
Digest algorithm : SHA256
Signature algorithm : SHA256withRSA, 2048-bit key
Timestamped by "CN=GlobalSign TSA for Standard -- G2, O=GMO GlobalSign Pte Ltd, C=SG" on Tue Apr 17 04:12:52 UTC 2018
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
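Reading output like the above by eye does not scale to a release pipeline, and jarsigner exits 0 and still prints "jar verified." when it only has warnings (its -strict flag makes warnings fatal, but does not let you pin the signer). The following added shell example, which is not part of the Thales guide, gates a release on the captured output of jarsigner -verify -verbose -certs: every file entry outside META-INF/ must carry the s and m flags, the Signed by DN must match the expected signer, the signature must be timestamped, and no unsigned-entry warning may appear. The sample output it checks is constructed to mirror the layout shown above, not captured from a real run; the entry regex assumes entry names contain no spaces.

```shell
#!/bin/sh
# Added example, not part of the Thales integration guide.
# Gate a release on the captured output of:
#   jarsigner -verify -verbose -certs <signed_jar> > verify.txt
# The text is parsed rather than trusting the exit status, because jarsigner
# exits 0 and prints "jar verified." even when it only has warnings.

# check_jarsigner_output <output_file> <expected_signer_dn>
# Returns 0 when every check passes; prints the first failing check and
# returns 1 otherwise.
check_jarsigner_output() {
  out="$1"; want_dn="$2"

  grep -q '^jar verified' "$out" \
    || { echo "FAIL: no 'jar verified' line"; return 1; }
  if grep -qi 'unsigned entries' "$out"; then
    echo "FAIL: jar contains unsigned entries"; return 1
  fi
  grep -q "^- *Signed by \"$want_dn\"" "$out" \
    || { echo "FAIL: signer is not \"$want_dn\""; return 1; }
  grep -q 'Timestamped by ' "$out" \
    || { echo "FAIL: signature is not timestamped"; return 1; }

  # Entry lines are: flag columns, size, date, name, e.g.
  #   sm       506 Mon May 21 00:09:04 PDT 2007 Foo.class
  # Every file outside META-INF/ must carry s (signature verified) and
  # m (listed in manifest). META-INF/ and directories are skipped: the
  # manifest and signature block are not themselves signed entries.
  # Assumes entry names contain no spaces.
  awk '
    /^[smki ]*[0-9]+ [A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9][0-9] / {
      name = $NF
      if (name ~ /^META-INF\// || name ~ /\/$/) next
      match($0, /^[^0-9]*/)
      flags = substr($0, 1, RLENGTH)
      if (flags !~ /s/ || flags !~ /m/) {
        print "FAIL: entry not signed or not in manifest: " name
        bad = 1
      }
    }
    END { exit bad }
  ' "$out"
}

# write_sample <path> <extra_entry_line> <trailing_warning>
# Constructed jarsigner -verify -verbose -certs output in the layout the
# guide shows; not captured from a real run. The two optional arguments let
# the caller model a jar that had a class slipped in after signing.
write_sample() {
  extra="$2"; warn="$3"
  cat > "$1" <<EOF
         565 Tue Apr 17 09:42:36 PDT 2018 META-INF/MANIFEST.MF
         647 Tue Apr 17 09:42:36 PDT 2018 META-INF/LUNAKEY.SF
        5869 Tue Apr 17 09:42:36 PDT 2018 META-INF/LUNAKEY.RSA
           0 Thu Dec 02 10:41:40 PST 2010 META-INF/
sm       506 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer.class
sm      3905 Mon May 21 00:09:04 PDT 2007 JSmoothMain.class
${extra}
  s = signature was verified
  m = entry is listed in manifest

- Signed by "CN=Administrator, CN=Users, DC=hlk, DC=com"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=GlobalSign TSA for Standard -- G2, O=GMO GlobalSign Pte Ltd, C=SG" on Tue Apr 17 04:12:52 UTC 2018

jar verified.
${warn}
EOF
}

# Usage in a pipeline, after running jarsigner:
#   check_jarsigner_output verify.txt "CN=Administrator, CN=Users, DC=hlk, DC=com" || exit 1
```

Pinning the Signed by DN matters with an HSM-backed keystore just as much as with a file: a signature from any other key, even one on the same partition, should fail the gate. Pair this with -strict on the jarsigner invocation so that expired or not-yet-valid certificates are also rejected.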