Marsh Ray wrote:
On 4/30/2010 12:51 PM, Bob Foss wrote:
Everything I've read indicates that a JCE Provider's signing cert must be signed by a cert from Sun (or maybe IBM).

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step6

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61 :
You will receive an email message containing two plain-text file
attachments: one file containing this code-signing certificate and
another file containing its own CA certificate, which authenticates its
public key. Please also allow five business days from receipt of your
request for processing.

5. Use keytool to import the certificates received from the CA.

Once you have received the two certificates from the JCA Code
Signing Certification Authority, you can use keytool to import them
into your keystore.

First import the CA's certificate as a "trusted certificate":

keytool -import -alias <alias for the CA cert> \
        -file <CA cert file name> \
        -keystore <keystore file name> \
        -storepass <keystore password>

Then import the code-signing certificate:
....

This would seem to imply that you can add your own CA for code-signing
purposes.

If you think about it, Sun once had developers too who presumably needed
to test their code without being given access to the official code
signing CA.

- Marsh
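The keytool steps quoted from the Sun guide above, exercised end to end against a throwaway CA created locally, as an added example that is not part of the thread or of Sun's documentation. It assumes a JDK on PATH that provides keytool, jar and jarsigner (keytool -gencert needs JDK 7 or later); the aliases, distinguished names, file names and the password are constructed for the example:

```sh
#!/bin/sh
# Added example: build a local test CA, have it issue a code-signing certificate,
# import the CA cert as a trusted certificate and the code-signing cert as a
# reply (the two quoted keytool steps), then sign and verify a jar with jarsigner.
# Assumes a JDK on PATH (keytool, jar, jarsigner). All names/passwords are constructed.
set -eu

PASS=changeit   # constructed throwaway password for both keystores

# Create a self-signed test CA (ca.jks) and export its certificate in PEM form,
# standing in for the CA certificate the real signing CA would mail back.
make_test_ca() {
  d=$1
  keytool -genkeypair -alias testca -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Test Code-Signing CA, O=Example" -ext bc:c \
    -keystore "$d/ca.jks" -storepass "$PASS" -keypass "$PASS" 2>/dev/null
  keytool -exportcert -alias testca -rfc -file "$d/ca.pem" \
    -keystore "$d/ca.jks" -storepass "$PASS" 2>/dev/null
}

# Generate the developer's signing key (signer.jks), create a CSR, and let the
# test CA issue the code-signing certificate (signer.pem).
issue_signing_cert() {
  d=$1
  keytool -genkeypair -alias signer -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Test Provider Signer, O=Example" \
    -keystore "$d/signer.jks" -storepass "$PASS" -keypass "$PASS" 2>/dev/null
  keytool -certreq -alias signer -file "$d/signer.csr" \
    -keystore "$d/signer.jks" -storepass "$PASS" 2>/dev/null
  keytool -gencert -alias testca -infile "$d/signer.csr" -outfile "$d/signer.pem" \
    -rfc -validity 365 -keystore "$d/ca.jks" -storepass "$PASS" 2>/dev/null
}

# The two steps quoted from the guide: first the CA certificate as a trusted
# certificate, then the code-signing certificate as a reply to the key entry.
import_certs() {
  d=$1
  keytool -importcert -noprompt -alias testca -file "$d/ca.pem" \
    -keystore "$d/signer.jks" -storepass "$PASS" 2>/dev/null
  keytool -importcert -noprompt -alias signer -file "$d/signer.pem" \
    -keystore "$d/signer.jks" -storepass "$PASS" 2>/dev/null
}

# Print the chain length of the signer entry: 1 while it is still self-signed,
# 2 once the CA-issued reply has replaced the self-signed certificate.
signer_chain_length() {
  d=$1
  keytool -list -v -alias signer -keystore "$d/signer.jks" -storepass "$PASS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

# Build a trivial jar, sign it with the signer entry, and verify it against the
# same keystore. Succeeds only if jarsigner reports "jar verified".
sign_and_verify_jar() {
  d=$1
  echo "name=demo" > "$d/demo.properties"
  (cd "$d" && jar cf demo.jar demo.properties)
  jarsigner -keystore "$d/signer.jks" -storepass "$PASS" "$d/demo.jar" signer >/dev/null 2>&1
  jarsigner -verify -keystore "$d/signer.jks" -storepass "$PASS" "$d/demo.jar" 2>/dev/null \
    | grep -q "jar verified"
}

# Whole procedure in a fresh temporary directory; returns 0 on success.
run_demo() {
  w=$(mktemp -d)
  make_test_ca "$w"
  issue_signing_cert "$w"
  import_certs "$w"
  [ "$(signer_chain_length "$w")" = "2" ] || return 1
  sign_and_verify_jar "$w"
}

if command -v keytool >/dev/null 2>&1 && command -v jarsigner >/dev/null 2>&1 \
   && command -v jar >/dev/null 2>&1; then
  if run_demo; then
    echo "jar signed with a locally issued code-signing certificate and verified"
  else
    echo "demo failed" >&2
    exit 1
  fi
else
  echo "keytool, jar and jarsigner are required; install a JDK" >&2
fi
```

A successful run only shows that the signing keystore and the jarsigner workflow are correct. As the reply below this message points out, the keystore used here is the one you sign with; the JVM checks JCE provider jars against its own root CA(s), not against this keystore, so passing jarsigner -verify here says nothing about whether the JVM will accept the jar as a provider.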

Here you are importing the certificate into a keystore which is
only used to sign your jar file.  It's not a keystore that contains
the root CA used to verify all JCE providers when loaded by the JVM.

I'm not sure where they stored away the root CA(s).

I have read that the OpenJDK doesn't have this restriction;
unfortunately, I cannot switch at this time.  That will probably
be the long term solution.

Since the restriction is primarily on the actual crypto algorithms,
I'm going to see if I can rebuild with the 3 SSL classes in a separate
jar ahead in the classpath.

Thank you.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
