How to sign Java code

Some commands in Java require special permissions to run on the client PC. These restrictions apply especially when programming web applets. To allow an applet to use these special commands, the Java applet needs to be “signed”. This signature can be generated by a trusted vendor like Thawte or similar, but issuing such a certificate costs a significant amount of money.

You can also generate the certificate yourself using the JDK tools keytool and jarsigner, but then the applet will tell users that the signature has not been verified. If this is not a roadblock for you, you can sign the code using the following script (create a *.bat file, copy the following code into it and modify the parameters according to your needs):

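REM Passwords below are stored in plain text; restrict access to this .bat file.
SET PWD=MySecretP@ssw0rd
SET USER=John_Doe
SET STOREPASS=St0reP@ssw0rd
SET CERTFILE=SignatureStore
SET JARCERTFILE=Applet.jar
SET VALIDITY=3650

REM Fields of the certificate's distinguished name
SET COMPANY_NAME=IT Forever
SET ORG_UNIT=Application Outsourcing
SET ORG=Development Company
SET LAND=Copenhagen
SET STATE=Denmark
SET COUNTRY=DK

REM del %CERTFILE%
REM Generate a self-signed key pair. Newer JDKs require -keyalg; -storetype JKS keeps a key password
REM that differs from the store password (the PKCS12 default of JDK 9+ ignores -keypass).
keytool -genkey -alias %USER% -keyalg RSA -keysize 2048 -storetype JKS -keystore %CERTFILE% -keypass %PWD% -dname "CN=%COMPANY_NAME%, OU=%ORG_UNIT%, O=%ORG%, L=%LAND%, ST=%STATE%, C=%COUNTRY%" -storepass %STOREPASS% -validity %VALIDITY%
REM Sign the JAR with the key stored under alias %USER%
jarsigner -keystore %CERTFILE% -storepass %STOREPASS% -keypass %PWD% %JARCERTFILE% %USER%
REM del %CERTFILE%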

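Or, if you have a PKCS12 (.p12) certificate, you can sign the code using the following batch file (Windows .bat file). The batch below first generates a self-signed .p12 file with OpenSSL and then signs the JAR with it: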

@SET KEYFILE=key.pem
@SET CERTFILE=cert.pem
@SET P12FILE=cert.p12
@SET JARCERTFILE=Applet.jar
@SET DAYS=365
@SET PASSWORD=St0reP@ssw0rd
@SET C=DK
@SET ST=Denmark
@SET L=Copenhagen
@SET O=Development Company
@SET OU=Application Outsourcing
@SET CN=Application Outsourcing
@SET EMAIL=john_doe@development_company.com
@SET BASEPATH=c:\OpenSSL-Win32
@set OPENSSL_CONF=%BASEPATH%\bin\openssl.cfg

@ECHO Generating PKCS12 certificate file automatically providing password
@ECHO ...........................

@%BASEPATH%\bin\openssl req -x509 -newkey rsa:2048 -passout pass:%PASSWORD% -keyout %BASEPATH%\bin\PEM\%KEYFILE% -out %BASEPATH%\bin\PEM\%CERTFILE% -days %DAYS% -subj "/C=%C%/ST=%ST%/L=%L%/O=%O%/OU=%OU%/CN=%CN%/emailAddress=%EMAIL%"
@%BASEPATH%\bin\openssl pkcs12 -export -in %BASEPATH%\bin\PEM\%CERTFILE% -inkey %BASEPATH%\bin\PEM\%KEYFILE% -out %P12FILE% -name "%CN%" -passin pass:%PASSWORD% -password pass:%PASSWORD%
@ECHO ...........................
@ECHO Your new certificate has been generated to %P12FILE%
@ECHO ...........................

@ECHO Clean up...
@del %BASEPATH%\bin\PEM\%CERTFILE%
@del %BASEPATH%\bin\PEM\%KEYFILE%
@ECHO Done
@ECHO ...........................

@ECHO Signing JAR file %JARCERTFILE%
jarsigner -storetype pkcs12 -keystore %P12FILE% -storepass %PASSWORD% %JARCERTFILE% "%CN%"
@ECHO Done
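
To check what either batch file produced, the following added example (not part of the original post) opens the signed JAR with the JDK's java.util.jar API, verifies every entry and prints its signer. The class name VerifyJar and the default file name are assumptions.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifyJar {
    // Files jarsigner writes itself; they are not covered by per-entry signatures.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "Applet.jar"; // JAR name used in the batch files
        int problems = 0;
        byte[] buf = new byte[8192];
        // verify=true: digests and signatures are checked while each entry is read.
        try (JarFile jar = new JarFile(path, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* read to the end to trigger verification */ }
                } catch (SecurityException tampered) {
                    System.out.println("TAMPERED  " + e.getName() + ": " + tampered.getMessage());
                    problems++;
                    continue;
                }
                Certificate[] certs = e.getCertificates(); // only set once the entry was fully read
                if (certs == null || certs.length == 0) {
                    System.out.println("UNSIGNED  " + e.getName());
                    problems++;
                    continue;
                }
                X509Certificate signer = (X509Certificate) certs[0];
                // Heuristic: subject == issuer means self-signed, as produced by both batch files.
                boolean selfSigned = signer.getSubjectX500Principal().equals(signer.getIssuerX500Principal());
                System.out.println("OK        " + e.getName() + " signer=" + signer.getSubjectX500Principal().getName()
                        + (selfSigned ? " (self-signed)" : "") + " notAfter=" + signer.getNotAfter());
            }
        }
        // Integrity only: no chain validation against a trust store and no expiry check is done here.
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

Compile with javac VerifyJar.java and run java VerifyJar Applet.jar; a non-zero exit code means at least one entry is unsigned or was modified after signing.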
