Using Netscape Code-signing Cert with Sun Java Tools

The PKCS#12 crypto-standard specifies a standard for securely porting the public and private keys in this encrypted and password protected container. Both Netscape Communciator 4.4+ and Internet Explorer 4+ support exporting imported code-signing keys/certs in pkcs#12 file format. However, the default implementation of keystore provided with J2 SDK V1.3 and lower does not contain a keystore provider to handle pkcs#12 certificate store files. Therefore, it is not possible to use the J2SE tools keytool.exe and jarsigner.exe with exported private keys within PKCS#12 containers.

However, a PKCS#12 keystore implementation is provided with JSSE 1.0.2 (Java Secure Socket Extension). Currently, this implementation of PKCS#12 provides capability to read and use such files exported from Netscape (but not currently from IE) with keytool and jarsigner successfully. This document describes a typical simple example of this.

• Download and install JSSE 1.0.2 (noting export restrictions on this technology)

• Follow simple instructions to install the JSSE jar archives as extension libraries to your J2RE installation.

• Follow simple instructions to register the SunJSSE provider (provides pkcs#12 Keystore type implementation).

• Export the Netscape code-signing cert via the menu selection: Communicator/Tools/Security Info/Yours (Export button). This creates a pkcs#12 format file with .p12 extension (say nnexternal.p12 for example). This file is actually a valid Keystore file (with a single private key and public key(s)).

• Verify that your JSSE configuration is correct by listing the contents of this keystore:
  C:\WINDOWS\DESKTOP>keytool -list -storetype pkcs12 -keystore nnexternal.p12 Enter keystore password: XXXXXXXXX Keystore type: pkcs12 Keystore provider: SunJSSE Your keystore contains 1 entry: b8d314d7-423f-45f5-bef8-27dfca57fda7, Wed Jan 31 14:59:39 EST 2001, keyEntry, Certificate fingerprint (MD5): 65:26:5A:C4:1A:5D:7F:98:16:EF:09:FE:2C:4B:79:27 (Note the pkcs12 Keystore type line; also, the numeric alias is a result of exporting the key from IE (original import location) into Netscape).

• Package up the class files to be signed: jar -cf props.jar props.class

• Digitally sign the JAR archive with jarsigner specifying correct options:
  C:\WINDOWS\DESKTOP>jarsigner -storetype pkcs12 -keystore nnexternal.p12 props.jar b8d314d7-423f-45f5-bef8-27dfca57fda7 Enter Passphrase for keystore: XXXXXXXXX C:\WINDOWS\DESKTOP>

• Verify the signature:
  jarsigner -verbose -verify -certs props.jar C:\WINDOWS\DESKTOP>jarsigner -verbose -verify -certs props.jar 132 Wed Jan 31 14:47:36 EST 2001 META-INF/MANIFEST.MF 185 Wed Jan 31 14:47:36 EST 2001 META-INF/B8D314D7.SF 1860 Wed Jan 31 14:47:36 EST 2001 META-INF/B8D314D7.RSA 0 Wed Jan 31 14:43:34 EST 2001 META-INF/ sm 459 Thu Jan 14 12:17:34 EST 1999 props.class X.509, CN=Security Development, OU=devices, O=nortel external X.509, OU=NorlockPKI, O=nortel external s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified. C:\WINDOWS\DESKTOP>

Several functions of keytool such as -import and -genkey do not appear to be implemented for a pkcs12 type of keystore in the current version of JSSE 1.0.2. It should be possible to use the Keystore API methods with JSSE however to load() and store() several private/public key pairs into one pkcs#12 keystore file.

Note that a JAR archive produced this way with Sun's jar.exe and jarsigner.exe tools does NOT produce the same JAR file as that produced with Netscape's signtool.exe v1.3 utility, even using exactly the same certificate (private and public key). There are differences in the manifest file location within the JAR archive which causes Netscape verification to fail on the JAR archive generated with the J2SE tools.