Java 9 Keytool / JarSigner use Post Quantum Crypto (PQC) Signature Schemes such as XMSS / XMSSMT thr
I am trying to use PQC Signature Schemes in order to sign my Java Source Code.
Therefore I need to use the KeyTool to generate KeyPairs and store them in a KeyStore and JarSigner to sign the jar files with the secret key from the KeyStore.
The current way (so without PQC Signature Schemes) of signing SourceCode from command line interface (cli) would look something like this:
keytool -genkeypair -alias rsa_signing -keyalg RSA -sigalg SHA256withRSA -storetype PKCS12 -keypass password -keystore mykeystore.p12 -storepass password
jarsigner -keystore mykeystore.p12 -storepass password -tsa https://tsa-internal:8000/tsarequest -signedjar mysignedcode.jar mycode.jar rsa_signing
So first we generate a KeyPair using RSA as keygenalg and SHA256 as digest alg. A self-signed X.509 certificate gets placed in mykeystore.p12 including information about the used algs and the public key. The private key also gets placed there.
Second we use the private key from mykeystore.p12 by calling rsa_signing in order to sign mycode.jar and write the signed jar file out as mysignedcode.jar.
Further details on signing code with jarsigner can be found here.
As mentioned here it is possible to extend the set of security algorithms used by the Java Development Kit (JDK) through the Java Cryptography Architecture (JCA).
BouncyCastle provides a so-called "provider" to extend the JDK security features through JCA.
The Provider which is of interest to us is the BouncyCastlePQCProvider located under org.bouncycastle.pqc.jcajce.provider in https://www.bouncycastle.org/download/bcprov-jdk15on-160.jar .
Adding the BC-Provider to the JCA and so to your JDK is described here.
The new way (so with PQC Signature Schemes) of signing SourceCode from cli would look like this:
keytool -genkeypair -alias xmss_signing -keyalg XMSS -sigalg SHA256withXMSS -storetype PKCS12 -keypass password -keystore mykeystore.p12 -storepass password
Followed by: [same as above]
Sadly this does not work.
keytool error: java.security.NoSuchAlgorithmException: XMSS KeyPairGenerator not available
Even when specifying -providername or -providerclass, -providerpath, the functions provided by the BCPQC provider do not get recognized. Though I think the provider itself gets recognized.
Hopefully one of you can help me and tell me how to correctly import BCPQCProvider and/or use keytool and jarsigner with it!
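
An added diagnostic, not part of the original post and not BouncyCastle's or Oracle's code: it lists which registered JCA providers offer the `XMSS` KeyPairGenerator and the `SHA256withXMSS` Signature named in the post, before and after registering the provider class the post mentions. The class name `PqcProviderCheck` and its helper methods are hypothetical names chosen for this example.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class PqcProviderCheck {
    // Provider class named in the post; loadable only if the BouncyCastle jar is on the classpath.
    static final String BCPQC_CLASS = "org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider";

    // Names of the registered providers that offer the given service type and algorithm.
    static List<String> providersOffering(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    // Registers the provider for this JVM only; false if the class cannot be loaded.
    static boolean tryRegister(String className) {
        try {
            Provider p = (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
            Security.addProvider(p); // no-op if a provider with this name is already installed
            return true;
        } catch (ReflectiveOperationException | ClassCastException e) {
            return false;
        }
    }

    static void report(String stage) {
        System.out.println(stage);
        System.out.println("  KeyPairGenerator.XMSS    -> " + providersOffering("KeyPairGenerator", "XMSS"));
        System.out.println("  Signature.SHA256withXMSS -> " + providersOffering("Signature", "SHA256withXMSS"));
    }

    public static void main(String[] args) {
        report("Providers registered at JVM start:");
        System.out.println("Loaded " + BCPQC_CLASS + ": " + tryRegister(BCPQC_CLASS));
        report("After Security.addProvider:");
        try {
            KeyPairGenerator.getInstance("XMSS"); // the lookup keytool reported as failing
            System.out.println("XMSS KeyPairGenerator is available in this JVM");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Same failure as in the post: " + e.getMessage());
        }
    }
}
```

Compile and run it with the jar from the post on the classpath, for example `java -cp bcprov-jdk15on-160.jar:. PqcProviderCheck`. keytool and jarsigner run in their own JVMs, so the output shows what the provider jar offers, not what those tools will load.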