4

I formerly signed jar files using a locally installed keystore as part of an automated build. I'm now faced with having to use a hardware-based device, due to recent changes to minimal code signing requirements, and while I've figured out how to do it, I'm seeing extreme slow-downs.

Just as one example, a jar file with 180 classes that I could formerly sign in about half a second is now taking about 30 seconds. As it's going, I see my token device's access light flashing a few times a second, presumably once for each class in the jar file.

Is there any way to speed this up, e.g. some way to reduce the token accesses to a single access for the entire jar file?

Andy Lowry
  • 785
  • 7
  • 12
  • Since the signing is actually happening in the e-Token which has a very low processing power, there's probably nothing that you can do. If by any chance, your key is exportable, you can export it as a PKCS#12 pfx file and use that for signing. – ares Apr 28 '17 at 17:26
  • @ares Thanks. Alas, my key is not exportable. Part of what m*soft now requires, apparently. – Andy Lowry Apr 28 '17 at 19:10

2 Answers2

3

It was not an answer, but it is too long for a comment:

If your supposition of an access to the token for any file is correct, then it would mean the hash of the files is also being calculated in the device, not only the signature.

Does your PKCS11 device have a logging option that could show which pkcs11 calls are the device receiving (hash operations are called C_Digest in PKCS11) to confirm? Maybe with the option mentioned in java keytool with opensc pkcs#11 provider only works with debug option enabled (I haven't tried it)

Since I don't know if there's any way to tell jarsigner to hash by software and to sign by hardware, if you can't find a better answer, maybe you can write your own provider: ( http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html ) :

  • implementing a software hash (MessageDigestSpi, just forwarding the call to the default software java provider)
  • and a device signature (SignatureSpi, just forwarding the call to the PKCS11 provider configured in java ). I think it was Signature signature = Signature.getInstance("SHA1withRSA", "SunPKCS11") and so on. And analog for KeyStoreSpi.

And then call jarsigner with your provider as parameter.

Community
  • 1
  • 1
Egl
  • 774
  • 7
  • 20
  • thanks for the advice. My token does have a logging feature, but it requires administrative access, which I don't have. Thanks for the pointers, I'll take a look. – Andy Lowry Apr 28 '17 at 19:16
  • As you say, your response isn't really an answer, but it seems likely that it's the closest I'll get any time soon, so for now I'll give you answer credit. Thanks! – Andy Lowry Apr 30 '17 at 12:43
  • I don't know what is jarsigner license. But maybe, if license allows you to, you can modify jarsigner source code to make a sofware digest (always software, I mean) and signature using the criptographic provider from jarsigner command line arguments. – Egl May 02 '17 at 13:06
  • In a comment in https://stackoverflow.com/questions/44761149/wrapper-pkcs11-functions-passing-arguments-and-get-return-values, @vlp comments two tools for logging pkcs11 libs – Egl Jun 28 '17 at 12:59
1

Try adding -sigalg SHA512withRSA to your jarsigner options.

For further information, check my answer to a related question

Hannes Schuette
  • 121
  • 1
  • 4