
I'm trying to use a custom security provider with JDK 11's jarsigner application. I'm using the following command:

```
jarsigner -verbose -keystore C:\foo\bar\mykeystore -storetype Luna -tsa http://timestamp.digicert.com C:\foo\bar\sample.jar "mykeyalias" -provider com.safenetinc.luna.provider.LunaProvider
```

However, I receive the following error output:

```
jarsigner error: java.lang.Exception: Provider "com.safenetinc.luna.provider.LunaProvider" not found
```

I found "Using custom PKCS11 provider with jarsigner" and tried to use the `-J-cp` option, but then I get the error:

```
jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: LUNA not found
```

Using the suggested `-J-Djava.ext.dirs=C:\foo\bar\LunaProvider.jar` does not work either; it fails with:

```
-Djava.ext.dirs=C:\foo\bar\LunaProvider.jar is not supported.  Use -classpath instead.
```

The option `-classpath` does not exist, but it is probably referencing `-cp`, which I already tried (see above).

How do I do that properly?

Note: keytool is also part of the JRE; I could fix the JRE by 1) putting the JAR and the DLL of Luna in the `\lib\ext` directory and 2) adjusting the `java.security` file by adding the provider there. Unfortunately, jarsigner is only part of the JDK, and I don't find a `\lib\ext` folder in the JDK, nor do I find a `java.security` file.

D.R.
  • Are you looking for -J-classpath? – Alan Bateman Nov 07 '18 at 16:47
  • After using `-J-classpath` the tool says "The option -classpath does not exist." – D.R. Nov 07 '18 at 17:00
  • Have you tried both -J-cp and -provider? The former includes the jar in the classpath and the latter adds the provider, and then KeyStore.getInstance("LUNA") should work? BTW, are you able to run it in your own program with the jar on the classpath and the provider added? – speedogoo Nov 08 '18 at 10:06
  • Yes, for all my tests I used "-provider" - but not "-J-provider" if that's what you mean. – D.R. Nov 08 '18 at 11:27

2 Answers


Try passing the following to jarsigner:

```
-J-cp -J<path to LunaProvider.jar>
```
  • Thanks for contributing, I already tried that though, see my question :-) – D.R. Nov 08 '18 at 07:41
  • Hi, I thought from your question you only tried the -J-cp option alone. I had this same problem this week and my answer solved it for me. – James Sperry Nov 09 '18 at 14:08

I found a solution. Don't use the `-provider` flag; instead, add `com.safenet.luna.provider.LunaProvider` at the beginning of the security providers in the `java.security` file (the order is really important here). Then the command

```
jarsigner -keystore <path to keystore> -storetype Luna -tsa http://timestamp.digicert.com <path to jar> <key label> -certchain <path to certchain> -J-cp -J<path to LunaProvider.jar>
```

should work.

D.O.
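
A diagnostic for the setup discussed in the answers above, as an added example that is not part of the original posts: it prints the `security.provider.N` entries the JVM read from `java.security`, the providers that actually registered (in preference order), and which of them serves a given KeyStore type. The class name `ProviderCheck` and the default store type `Luna` (taken from the `-storetype` value in the question) are assumptions.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

// Added example, not from the original posts. ProviderCheck is a hypothetical name.
public class ProviderCheck {
    public static void main(String[] args) {
        // Store type to look up; defaults to the -storetype value from the question.
        String storeType = args.length > 0 ? args[0] : "Luna";
        Provider[] loaded = Security.getProviders(); // in preference order
        System.out.println("java.home = " + System.getProperty("java.home"));

        // Entries configured as security.provider.N in java.security. An entry whose
        // class cannot be loaded is skipped silently, so compare it with what loaded.
        for (int n = 1; ; n++) {
            String entry = Security.getProperty("security.provider." + n);
            if (entry == null) break;
            String id = entry.trim().split("\\s+")[0]; // drop an optional argument
            boolean ok = false;
            for (Provider p : loaded) {
                ok |= id.equals(p.getName()) || id.equals(p.getClass().getName());
            }
            System.out.printf("configured %2d: %-50s %s%n", n, entry, ok ? "loaded" : "NOT LOADED");
        }

        // Providers actually registered, marking those that offer the store type.
        for (int i = 0; i < loaded.length; i++) {
            Provider p = loaded[i];
            boolean offers = p.getService("KeyStore", storeType) != null;
            System.out.printf("loaded %2d: %-16s %s%s%n", i + 1, p.getName(),
                    p.getClass().getName(), offers ? "  <- KeyStore." + storeType : "");
        }

        try {
            KeyStore ks = KeyStore.getInstance(storeType);
            System.out.println("KeyStore." + storeType + " is served by "
                    + ks.getProvider().getName());
        } catch (KeyStoreException e) {
            System.out.println("No registered provider offers KeyStore." + storeType);
            System.exit(1);
        }
    }
}
```

Compile it with `javac ProviderCheck.java` and run it as `java -cp ".;<path to LunaProvider.jar>" ProviderCheck Luna`, using the same JDK whose jarsigner is being invoked.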