
Software Trust Manager (STM) integration - PKCS11 in Java

Jarsigner is a command-line tool provided as part of the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.

Follow these instructions to sign using Java code and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Jarsigner with Signing Manager Controller (SMCTL) for simplified signing.

Prerequisites

Integration with Java

Create a test keypair and certificate

As an example, you can use the Java setup to generate an RSA test keypair and certificate. First, create a .bat file containing the following.

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    smctl keypair generate rsa <Keypair Name> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --generate-cert=true --key-type=TEST

    Input the following values:

    1. Unique keypair alias

    2. Unique certificate alias

    3. Certificate profile ID

  2. Save the file as a .bat file.

Note

  • The keypair name and certificate name must be unique inputs, meaning that they cannot already exist on the portal.

  • When you retrieve your certificate profile ID, ensure that the profile category is Test.

Create a keypair with certificate

To use the Java setup, generate an RSA production keypair with certificate:

  1. Create a .bat file containing the following:

    smctl keypair generate rsa <Keypair Name> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --generate-cert=true --key-type=PRODUCTION

    Input the following values:

    1. Unique keypair name

    2. Unique certificate name

    3. Certificate profile ID

  2. Save the file as a .bat file.

  3. Run:

    import java.io.IOException;

    // Runs the .bat through cmd.exe and waits for it so that the exit code of the
    // smctl call is visible; "cmd /C Start" would detach the script into a new
    // window and hide any failure from the Java program.
    public class SmctlGenerateProductionKeypairCert {
        public static void main(String[] args) throws IOException, InterruptedException {
            String[] command = { "cmd.exe", "/C", "C:\\smtools\\smtcl_gen_prodcert.bat" };
            Process p = new ProcessBuilder(command).inheritIO().start();
            int exit = p.waitFor();
            if (exit != 0) {
                throw new IllegalStateException("smctl failed with exit code " + exit);
            }
        }
    }

Note

  • The keypair name and certificate name must be unique inputs, meaning that they cannot already exist on the portal.

  • When you retrieve your certificate profile ID, ensure that the profile category is Production.

Create a certificate from an existing keypair

As an example, you can use the Java setup to generate a certificate from an existing keypair. First, create a .bat file containing the following.

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    smctl keypair generate-cert <keypair ID> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --set-as-default-cert=true

    Input the following values:

    1. Keypair alias

    2. Unique certificate alias

    3. Certificate profile ID

  2. Save the file as a .bat file.

  3. Run:

    import java.io.IOException;

    // Same pattern as above: run the .bat synchronously and fail on a non-zero exit code.
    public class GenerateCertForKeypair {
        public static void main(String[] args) throws IOException, InterruptedException {
            String[] command = { "cmd.exe", "/C", "C:\\smtools\\smtcl_gen_cert_for_keypair.bat" };
            Process p = new ProcessBuilder(command).inheritIO().start();
            int exit = p.waitFor();
            if (exit != 0) {
                throw new IllegalStateException("smctl failed with exit code " + exit);
            }
        }
    }

Signing

To sign with Java code:

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg <sigalg> -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path of config file> -signedjar <path of signed jar> -tsa http://timestamp.digicert.com <path of jar to sign> <keypair alias>

    jarsigner takes the jar to sign followed by the alias as its positional arguments, so the input jar path must come before the alias. The private key never leaves Software Trust Manager: jarsigner only references it through the PKCS11 provider named in the configuration file. On JDK 9 and later, -addprovider SunPKCS11 -providerArg <path of config file> is the equivalent of the -providerClass form shown here.

    Input the following values:

    1. Keypair alias

    2. Alias of the certificate that will be used to sign

    3. Path to PKCS11 configuration file

    4. Path to the .jar file that needs to be signed

    5. Path where the signed .jar file needs to be saved after it has been signed

    6. Signature algorithm, for example SHA256withRSA for an RSA keypair

  2. Save the file as a .bat file.

  3. Run:

    import java.io.IOException;

    // Runs sign.bat synchronously; a non-zero exit code from jarsigner (for example a
    // PKCS11 provider that failed to load) must stop the pipeline rather than be ignored.
    public class Pkcs11Sign {
        public static void main(String[] args) throws IOException, InterruptedException {
            String[] command = { "cmd.exe", "/C", "C:\\smtools\\sign.bat" };
            Process p = new ProcessBuilder(command).inheritIO().start();
            int exit = p.waitFor();
            if (exit != 0) {
                throw new IllegalStateException("jarsigner failed with exit code " + exit);
            }
        }
    }

Verification

  1. Create a .bat file containing the command that verifies the signed file. The contents of verify.bat look like this:

    jarsigner -verify <path of signed file>

    Input the path to the signed jar that needs to be verified. On its own, -verify only reports that the signature is valid; add -verbose -certs to see which certificate produced the signature, and -strict so that warnings such as an untrusted certificate chain are reflected in the exit code.

  2. Run:

    import java.io.IOException;

    // Runs verify.bat synchronously and treats a non-zero exit code as a failed verification.
    public class Pkcs11Verify {
        public static void main(String[] args) throws IOException, InterruptedException {
            String[] command = { "cmd.exe", "/C", "C:\\smtools\\verify.bat" };
            Process p = new ProcessBuilder(command).inheritIO().start();
            int exit = p.waitFor();
            if (exit != 0) {
                throw new IllegalStateException("jarsigner -verify failed with exit code " + exit);
            }
        }
    }
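The Signing and Verification steps above run jarsigner through hand-written .bat files and never see its exit code. The following is an added example, not DigiCert's code, that drives the same jarsigner invocations directly from Java: it writes the SunPKCS11 configuration file that -providerArg expects, builds the signing command with the jar path in the position jarsigner requires, waits for each step, and fails the run if signing or verification exits non-zero. The install location and file name of the Software Trust Manager PKCS#11 library, the C:\smtools working directory and the config file name are assumptions; adjust them to your installation.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/**
 * Added example: sign a jar with a key held in Software Trust Manager via the
 * SunPKCS11 provider, then verify it, without a fire-and-forget .bat file.
 */
public class StmJarSigner {

    // Assumption: path of the STM PKCS#11 library on this machine. Check your
    // Signing Manager Tools installation for the actual location and file name.
    static final String PKCS11_LIBRARY =
        "C:\\Program Files\\DigiCert\\DigiCert One Signing Manager Tools\\smpkcs11.dll";

    /** Writes the SunPKCS11 configuration file that jarsigner's -providerArg points at. */
    static Path writePkcs11Config(Path dir) throws IOException {
        Path cfg = dir.resolve("pkcs11properties.cfg"); // assumed file name
        String body = "name = SoftwareTrustManager\n"
                    + "library = " + PKCS11_LIBRARY + "\n"
                    + "slotListIndex = 0\n";
        Files.writeString(cfg, body, StandardCharsets.UTF_8);
        return cfg;
    }

    /**
     * Builds the jarsigner signing command. The jar to sign and the keypair alias are
     * positional and come last, in that order. The key itself stays in STM; jarsigner
     * only references it through the PKCS11 keystore (-keystore NONE -storetype PKCS11).
     * On JDK 9+ "-addprovider", "SunPKCS11" can replace the -providerClass pair.
     */
    static List<String> signCommand(Path cfg, Path jar, Path signedJar, String alias, String sigalg) {
        return List.of(
            "jarsigner",
            "-keystore", "NONE", "-storepass", "NONE", "-storetype", "PKCS11",
            "-providerClass", "sun.security.pkcs11.SunPKCS11",
            "-providerArg", cfg.toString(),
            "-sigalg", sigalg,
            "-tsa", "http://timestamp.digicert.com",
            "-signedjar", signedJar.toString(),
            jar.toString(), alias);
    }

    /** -verbose -certs shows which certificate signed; -strict puts warnings into the exit code. */
    static List<String> verifyCommand(Path signedJar) {
        return List.of("jarsigner", "-verify", "-verbose", "-certs", "-strict", signedJar.toString());
    }

    /** Runs a command with inherited stdout/stderr and throws on a non-zero exit code. */
    static void run(List<String> cmd) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        int exit = p.waitFor();
        if (exit != 0) {
            throw new IllegalStateException(String.join(" ", cmd) + " exited with code " + exit);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: StmJarSigner <jar to sign> <signed jar> <keypair alias> <sigalg>");
            System.exit(2);
        }
        Path jar = Path.of(args[0]);
        Path signedJar = Path.of(args[1]);
        String alias = args[2];
        String sigalg = args[3];               // e.g. SHA256withRSA for an RSA keypair

        Path cfg = writePkcs11Config(Path.of("C:\\smtools")); // assumed working directory
        run(signCommand(cfg, jar, signedJar, alias, sigalg));
        run(verifyCommand(signedJar));
        System.out.println("Signed and verified: " + signedJar);
    }
}
```

Run it as `java StmJarSigner C:\build\app.jar C:\build\app-signed.jar <keypair alias> SHA256withRSA` after the SMCTL environment variables (host, API key, client certificate) are set for the user running it, since the PKCS#11 library authenticates to Software Trust Manager from those. Because the config is written fresh on each run, the library path is the only thing that has to match the installation; everything else jarsigner needs is passed explicitly rather than hidden in a .bat file.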