GridLab WP-5

Signing JAR files with Globus credential

You can sign a JAR file with your Globus credential if you have the OpenSSL tools and JDK 1.4+: convert the Globus credential (or any other private key and X509 certificate pair) to a PKCS12 file and use that file as a Java keystore.

To convert the Globus credential to a PKCS12 file, type (replace "myalias" with some other arbitrary identifier):

openssl pkcs12 -export -chain \
        -inkey ~/.globus/userkey.pem \
        -in ~/.globus/usercert.pem \
        -out ~/.globus/user.p12 \
        -CApath /etc/grid-security/certificates/ \
        -name "myalias"

To verify the contents of the PKCS12 file, you can use:

openssl pkcs12 -info -in ~/.globus/user.p12

or

keytool -list -v -keystore ~/.globus/user.p12 -storetype PKCS12

To sign a JAR file:

jarsigner -keystore ~/.globus/user.p12 -storetype PKCS12 file.jar myalias

The user.p12 file is a standard PKCS12 file, so you can use it for any other purpose, for example importing the credential into Mozilla/Netscape, MSIE or Outlook and using it to sign e-mails.

Background information

Globus credential is a standard SSL credential

There is nothing special or Globus-specific in the Globus credential. It consists of two files located in the ~/.globus directory. The file userkey.pem is a PEM-encoded private key in the "OpenSSL traditional" format. The file usercert.pem is a PEM-encoded certificate in X509v3 format.

They are therefore standard files and can be manipulated by any standard tool; OpenSSL is just a handy one of them. You can also use the credential for any other purpose where an SSL credential can be used, typically for SSL authentication or for signing e-mails using S/MIME.

The X509v3 certificate in usercert.pem contains just a public key with subject info and is signed by some Certification Authority (CA). It doesn't include the certificate of the CA itself, so it cannot be validated on its own if the validating party doesn't know the signing CA. For successful use, the whole chain of certificates from the subject's certificate up to the topmost CA should be included. The CA certificates are located in the /etc/grid-security/certificates/ directory, which is why that directory should be specified when converting the certificate into the PKCS12 file format.
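
The export step from the top of the page, wrapped in the checks this paragraph implies, as an added example that is not part of the original page: it confirms that the key file is private, that key and certificate belong together, and that the CA chain can be built from the CA directory before writing user.p12 under a restrictive umask. The function names and the environment-variable overrides are this example's own; the default paths are the page's.

```shell
#!/bin/sh
# Added example: checks around the "openssl pkcs12 -export" step.
# Default paths are the ones used on this page; function names are this example's own.
KEY="${KEY:-$HOME/.globus/userkey.pem}"
CERT="${CERT:-$HOME/.globus/usercert.pem}"
CADIR="${CADIR:-/etc/grid-security/certificates/}"
P12="${P12:-$HOME/.globus/user.p12}"

# True if the path is a regular file with no group/other permission bits.
owner_only() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the private key and the certificate carry the same public key.
# An encrypted key makes openssl ask for its passphrase here.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if a chain from the certificate to a CA in the hashed directory
# can be built; -chain needs the same chain at export time.
chain_builds() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# export_p12 ALIAS [extra "openssl pkcs12" options, e.g. -passout]
export_p12() {
    alias_name=$1; shift
    owner_only "$KEY" || { echo "$KEY is accessible to other users" >&2; return 1; }
    key_matches_cert "$KEY" "$CERT" || { echo "key and certificate do not match" >&2; return 1; }
    chain_builds "$CERT" "$CADIR" || { echo "no CA chain for $CERT in $CADIR" >&2; return 1; }
    # Create the file under umask 077: it holds the private key.
    ( umask 077
      rm -f "$P12"
      openssl pkcs12 -export -chain -inkey "$KEY" -in "$CERT" \
          -CApath "$CADIR" -name "$alias_name" -out "$P12" "$@" )
}
```

Calling export_p12 myalias makes openssl prompt for the key passphrase and for an export password that protects user.p12.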

For an explanation of what the terms PKCS, PEM and DER mean, read the JavaCA explanation of terms.

Java keystores

Java version 1.4 and above includes cryptography tools. Credentials are stored in so-called Java keystores, by default in the file ~/.keystore, which has a proprietary format called JKS (Java Key Store). You can list and (to some extent) manipulate keystores using the keytool included in the JDK. A better tool is KeytoolGUI.

You can use other formats for keystores, namely the PKCS12 type, which is just a PKCS#12-formatted file containing a private key and the corresponding certificate chain. So, when you convert your Globus credential into a PKCS#12 file, you can use that file as a keystore of type "PKCS12" and do everything that can be done with a keystore.

Send any comments to Martin Kuba.

Last updated: $Date: 2003/12/11 14:31:57 $



GridLab: Grid Application Toolkit and Testbed is co-funded by the European Commission under the Fifth Framework Programme (IST-2001-32133).
Web admin: Petr Holub, web design: Radoslaw Strugalski

Last update on Thursday, 11-Dec-2003 15:32:23 CET.