Workbook on Digital Private Papers > How-Tos

How-Tos

KeyTool and Jarsigner

keytool is a command-line key and certificate management utility provided as part of the Sun Java Development Kit (JDK). It allows users to manage their own public/private key pairs and associated certificates, as well as store the certificates (public keys) of other users and services.

keytool -genkey -alias signFiles -keypass lan123 -keystore lancestore -storepass lan987
What is your first and last name?
[Unknown]: lance
What is the name of your organisational unit?
[Unknown]: Development
What is the name of your organisation?
[Unknown]: Paradigm
What is the name of your City or Locality?
[Unknown]: Oxford
What is the name of your State or Province?
[Unknown]: Oxfordshire
What is the two-letter country code for this unit?
[Unknown]: UK
Is CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK correct?
[no]: y

Keytool can show the contents of a keystore if one knows the password. For example, we can look at the keystore just created, or at the example truststore included with the Fedora digital repository software installer:

keytool -list -keystore lancestore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

signfiles, 03-Apr-2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 87:91:7E:1A:7B:05:09:ED:C8:47:72:F2:C5:7E:F4:D0

keytool -list -keystore truststore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, 19-Oct-2006, trustedCertEntry,
Certificate fingerprint (MD5): 81:A0:4B:A5:FE:56:6E:DB:BC:7D:03:E6:6C:59:C3:CC
mykey, 04-Dec-2006, trustedCertEntry,
Certificate fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D

jarsigner (a JAR Signing and Verification Tool) is another command-line application, also part of the Sun Java Development Kit (JDK). It generates signatures for Java Archive (JAR) files and also verifies the signatures of signed JAR files. jarsigner uses the key and certificate information from a keystore to generate digital signatures for JAR files.

For example, we can use this command to sign a JAR file named Count.jar:

jarsigner -keystore lancestore -signedjar sCount.jar Count.jar signFiles
Enter Passphrase for keystore:
Enter key password for signFiles:

Warning:

To verify the signatures and integrity of the signed JAR files the receiver's keystore will need to contain a copy of the public key corresponding to the private key used to generate the signature. This is supplied by sending a copy of the certificate authenticating the public key. The certificate is extracted as follows:

keytool -export -keystore lancestore -alias signFiles -file Lance.cer
Enter keystore password:

The receiver will then need to import the certificate into their keystore. In this example the keystore doesn't exist yet, so keytool will prompt for a new password before showing the certificate:

keytool -import -keystore mattstore -alias lance -file Lance.cer
Enter keystore password:
Re-enter new password:
Owner: CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK
Issuer: CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK
Serial number: 461254ba
Valid from: Tue Apr 03 14:20:58 BST 2007 until: Mon Jul 02 14:20:58 BST 2007
Certificate fingerprints:
MD5: 87:91:7E:1A:7B:05:09:ED:C8:47:72:F2:C5:7E:F4:D0
SHA1: 39:F8:A5:BE:99:B0:B5:35:D0:CF:99:80:CF:82:B0:3A:09:F7:A0:86
Signature algorithm name: SHA1withDSA
Version: 3

The keytool command will print out the certificate details and ask for confirmation before trusting the certificate. One method of verification would be to contact the sender and ask them to confirm what the fingerprints should be, which they can find as follows:

keytool -printcert -file Lance.cer
Owner: CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK
Issuer: CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK
Serial number: 461254ba
Valid from: Tue Apr 03 14:20:58 BST 2007 until: Mon Jul 02 14:20:58 BST 2007
Certificate fingerprints:
MD5: 87:91:7E:1A:7B:05:09:ED:C8:47:72:F2:C5:7E:F4:D0
SHA1: 39:F8:A5:BE:99:B0:B5:35:D0:CF:99:80:CF:82:B0:3A:09:F7:A0:86

Verifying the received jar file proceeds as follows:

jarsigner -verify sCount.jar -keystore mattstore
jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.

or in glorious detail:

jarsigner -verify -verbose -certs sCount.jar -keystore mattstore

111 Tue Apr 03 14:30:48 BST 2007 META-INF/MANIFEST.MF
253 Tue Apr 03 14:30:48 BST 2007 META-INF/SIGNFILE.SF
1049 Tue Apr 03 14:30:48 BST 2007 META-INF/SIGNFILE.DSA
0 Tue Apr 03 13:57:14 BST 2007 META-INF/
sm 1044 Tue Apr 03 13:51:36 BST 2007 Count.class

X.509, CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK
[certificate will expire on 02/07/07 14:20]

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

Warning:

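The workflow above as a script, added here as an example and not part of the Workbook: the receiver refuses to import the sender's certificate until its fingerprint matches the value confirmed out of band (the check the -printcert step is for). It assumes a JDK with keytool, jarsigner, javac and jar on the PATH; the store names, aliases and file names follow the page, the passwords and the Count.java stub are constructed.

```shell
#!/bin/sh
# Added example (not from the Workbook). Signs a JAR, exports the signer's
# certificate, and imports it on the receiving side only after an out-of-band
# fingerprint check; store/alias/file names follow the page, passwords are made up.

# Pull the fingerprint with the given label (SHA1, SHA256, ...) out of
# `keytool -printcert` output passed as text; prints it in upper case.
printcert_fingerprint() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p" | head -n 1 | tr 'a-f' 'A-F'
}

# Succeed only when the fingerprint in the -printcert text equals the expected
# value; both sides are compared in upper case. A missing label never matches.
fingerprint_matches() {
  actual=$(printcert_fingerprint "$1" "$2")
  expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Receiver side: import the certificate as trusted only after the check passes.
import_if_fingerprint_matches() {  # cert store alias label expected storepass
  out=$(keytool -printcert -file "$1") || return 1
  fingerprint_matches "$out" "$4" "$5" || { echo "fingerprint mismatch: $1" >&2; return 1; }
  keytool -importcert -noprompt -keystore "$2" -storepass "$6" -alias "$3" -file "$1"
}

# Constructed sample of -printcert output, copied from the page's Lance.cer listing.
SAMPLE_PRINTCERT='Owner: CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK
Certificate fingerprints:
     MD5: 87:91:7E:1A:7B:05:09:ED:C8:47:72:F2:C5:7E:F4:D0
     SHA1: 39:F8:A5:BE:99:B0:B5:35:D0:CF:99:80:CF:82:B0:3A:09:F7:A0:86
Signature algorithm name: SHA1withDSA'

have_jdk() { for t in keytool jarsigner javac jar; do command -v "$t" >/dev/null 2>&1 || return 1; done; }

# End-to-end run in a scratch directory; skipped when no JDK is installed.
if have_jdk; then
  tmp=$(mktemp -d) && cd "$tmp" || exit 1
  echo 'class Count {}' > Count.java && javac Count.java && jar cf Count.jar Count.class
  keytool -genkeypair -alias signFiles -keyalg RSA -keysize 2048 -validity 365 \
    -dname 'CN=lance, OU=Development, O=Paradigm, L=Oxford, ST=Oxfordshire, C=UK' \
    -keystore lancestore -storepass lan987 -keypass lan987
  jarsigner -keystore lancestore -storepass lan987 -signedjar sCount.jar Count.jar signFiles
  keytool -exportcert -keystore lancestore -storepass lan987 -alias signFiles -file Lance.cer
  # The sender reads this value from `keytool -printcert -file Lance.cer` and confirms it
  # over another channel; here it is read locally so the script can run unattended.
  expected=$(printcert_fingerprint "$(keytool -printcert -file Lance.cer)" SHA256)
  import_if_fingerprint_matches Lance.cer mattstore lance SHA256 "$expected" matt123
  jarsigner -verify -strict -keystore mattstore sCount.jar   # -strict: warnings set the exit code
fi
```

Without -strict, jarsigner exits 0 even when it prints warnings such as an expired signer certificate, so scripts should check its exit status with -strict rather than grep for "jar verified".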
More information is available from Java's security pages and from the websites of keytool and jarsigner.