Thursday, February 25, 2010

Importing S/MIME certificate into Java

Although it is now possible to import a certificate in .p12 format into Java, not just any S/MIME certificate will work for signing jars.

Thawte used to give out free S/MIME certificates, and when imported into Java those certificates could sign Java code. I recently tried to import a Comodo S/MIME certificate into a Java keystore and sign a jar. While I managed to export my S/MIME certificate from Firefox in .p12 format and import the .p12 keystore into a Java keystore, signing with this certificate generated the warning "The signer certificate's ExtendedKeyUsage extension doesn't allow code signing." Also, Web Start failed to validate the signed jar, raising an exception from the following code in com.sun.deploy.security.CertUtils:

    // Require either all of bits 5,6,7 are false or
    // that at least bit 7 be true
    if ((getNetscapeCertTypeBit(cert, NSCT_SSL_CA) != false ||
         getNetscapeCertTypeBit(cert, NSCT_S_MIME_CA) != false ||
         getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA) != false) &&
        getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA) == false)
    {
        Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
        return false;
    }
To get my S/MIME certificate from Firefox into Java, I used Firefox's certificate backup (which produces a .p12 file), then the following command to find the alias of my certificate inside the .p12 keystore:
keytool -list -keystore comodo-nsushkin\@openfinance.com-exp20120930.p12 -storetype PKCS12
Once I found out the alias "nicholas sushkin's the usertrust network id #3", I imported my S/MIME private key and certificate from the .p12 file into my JKS keystore under the alias "nsushkin" using the following command:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore java-certs.keystore -srckeystore comodo-nsushkin\@openfinance.com-exp20120930.p12 -srcstoretype PKCS12 -alias "nicholas sushkin's the usertrust network id #3" -destalias nsushkin
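The two keytool steps above tell you the alias but not whether the certificate will pass Java's code-signing checks until jarsigner or Web Start complains. The following program is an added example, not part of the original post or of the JDK: it opens the .p12, lists its aliases like `keytool -list`, applies the two checks the post ran into (the ExtendedKeyUsage test and the Netscape cert-type rule from the CertUtils fragment, here applied to every certificate in the chain), and only if both pass copies the key entry into a JKS keystore under a new alias, as `keytool -importkeystore` does. The file names, passwords and the destination alias on the command line are assumptions; the OIDs are the standard ones from RFC 5280 and the legacy Netscape extension.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Pre-flight check before jarsigner (added example, not JDK code).
 * Usage (hypothetical arguments):
 *   java SmimeCodeSignCheck my-cert.p12 p12password java-certs.keystore changeit nsushkin
 */
public class SmimeCodeSignCheck {

    // RFC 5280 ExtendedKeyUsage purposes and the legacy Netscape cert-type extension.
    static final String OID_EKU_CODE_SIGNING    = "1.3.6.1.5.5.7.3.3";
    static final String OID_EKU_ANY             = "2.5.29.37.0";
    static final String OID_NETSCAPE_CERT_TYPE  = "2.16.840.1.113730.1.1";

    // Bit positions in the Netscape cert-type BIT STRING (bit 0 is the MSB of the first byte).
    static final int NSCT_SSL_CA = 5, NSCT_S_MIME_CA = 6, NSCT_OBJECT_SIGNING_CA = 7;

    /** True when EKU is absent, or lists codeSigning or anyExtendedKeyUsage (jarsigner's warning case otherwise). */
    static boolean ekuAllowsCodeSigning(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();   // null when the extension is absent
        return eku == null || eku.contains(OID_EKU_CODE_SIGNING) || eku.contains(OID_EKU_ANY);
    }

    /** Bit i of the Netscape cert-type extension; false when the extension is absent. */
    static boolean netscapeCertTypeBit(X509Certificate cert, int bit) {
        byte[] der = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (der == null) return false;
        // getExtensionValue() returns the DER OCTET STRING wrapping the value:
        //   04 len | 03 len unusedBits bits...   (a BIT STRING inside an OCTET STRING)
        // A minimal walk is enough here: both lengths are always below 128 for this extension.
        if (der.length < 6 || der[0] != 0x04 || der[2] != 0x03) return false;
        int byteIdx = 5 + bit / 8;
        if (byteIdx >= der.length) return false;
        return ((der[byteIdx] >> (7 - bit % 8)) & 1) == 1;
    }

    /** The rule from the CertUtils fragment quoted above: any CA bit set without bit 7 is rejected. */
    static boolean netscapeCertTypeAllowsSigning(X509Certificate cert) {
        boolean anyCaBit = netscapeCertTypeBit(cert, NSCT_SSL_CA)
                        || netscapeCertTypeBit(cert, NSCT_S_MIME_CA)
                        || netscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA);
        return !(anyCaBit && !netscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA));
    }

    public static void main(String[] args) throws Exception {
        String p12Path = args[0], p12Pass = args[1], jksPath = args[2], jksPass = args[3], destAlias = args[4];

        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { p12.load(in, p12Pass.toCharArray()); }

        // Same information as "keytool -list": every alias and whether it carries a private key.
        String keyAlias = null;
        for (String alias : Collections.list(p12.aliases())) {
            boolean isKey = p12.isKeyEntry(alias);
            System.out.println(alias + (isKey ? "  (PrivateKeyEntry)" : "  (trustedCertEntry)"));
            if (isKey && keyAlias == null) keyAlias = alias;
        }
        if (keyAlias == null) { System.err.println("no private key entry in " + p12Path); return; }

        Certificate[] chain = p12.getCertificateChain(keyAlias);
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean ekuOk = ekuAllowsCodeSigning(leaf);
        System.out.println("leaf EKU " + leaf.getExtendedKeyUsage() + " allows codeSigning: " + ekuOk);

        boolean nsctOk = true;
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            boolean ok = netscapeCertTypeAllowsSigning(x);
            System.out.println("Netscape cert-type rule for " + x.getSubjectX500Principal() + ": " + ok);
            nsctOk &= ok;
        }
        if (!ekuOk || !nsctOk) {
            System.err.println("jarsigner will warn and Web Start will reject jars signed with this certificate");
            return;
        }

        // Equivalent of: keytool -importkeystore ... -alias <keyAlias> -destalias <destAlias>
        KeyStore jks = KeyStore.getInstance("JKS");
        File jksFile = new File(jksPath);
        if (jksFile.exists()) {
            try (FileInputStream in = new FileInputStream(jksFile)) { jks.load(in, jksPass.toCharArray()); }
        } else {
            jks.load(null, null);   // start an empty keystore
        }
        Key key = p12.getKey(keyAlias, p12Pass.toCharArray());
        jks.setKeyEntry(destAlias, key, jksPass.toCharArray(), chain);
        try (FileOutputStream out = new FileOutputStream(jksFile)) { jks.store(out, jksPass.toCharArray()); }
        System.out.println("imported " + keyAlias + " as alias " + destAlias + " into " + jksPath);
    }
}
```

Running this against an S/MIME-only certificate prints the leaf's EKU list (typically emailProtection, 1.3.6.1.5.5.7.3.4, with no codeSigning entry) and stops before writing the JKS, which is the same outcome jarsigner's warning and the Web Start exception report after the fact. The Netscape cert-type rule is evaluated per certificate because, as the trace key `trustdecider.check.basicconstraints.bitvalue` suggests, it is the issuing CA's extension that carries the S/MIME-CA-but-not-object-signing-CA combination the check rejects.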