
Java 9 Keytool / JarSigner use Post Quantum Crypto (PQC) Signature Schemes such as XMSS / XMSSMT thr

UnicornDeluxe Member Posts: 1

I am trying to use PQC Signature Schemes in order to sign my Java Source Code.

Therefore I need to use keytool to generate key pairs and store them in a keystore, and jarsigner to sign the jar files with the secret key from the keystore.

The current way (so without PQC signature schemes) of signing source code from the command line interface (CLI) would look something like this:

keytool -genkeypair -alias rsa_signing -keyalg RSA -sigalg SHA256withRSA -storetype PKCS12 -keypass password -keystore mykeystore.p12 -storepass password

Followed by:

jarsigner -keystore mykeystore.p12 -storepass password -tsa https://tsa-internal:8000/tsarequest -signedjar mysignedcode.jar mycode.jar rsa_signing

So first we generate a key pair using RSA as the key generation algorithm and SHA256 as the digest algorithm. A self-signed X.509 certificate gets placed in mykeystore.p12, including information about the used algorithms and the public key. The private key is also placed there.

Second, we use the private key from mykeystore.p12 by referencing its alias rsa_signing in order to sign mycode.jar and write the signed jar file out as mysignedcode.jar.

Further details on how to sign code with jarsigner can be found here.

As mentioned here, it is possible to extend the set of security algorithms used by the Java Development Kit (JDK) through the Java Cryptography Architecture (JCA).

BouncyCastle provides a so-called "provider" to extend the JDK security features through the JCA.

The provider of interest for us is the BouncyCastlePQCProvider, located under org.bouncycastle.pqc.jcajce.provider in the .

Adding the BC provider to the JCA, and thus to your JDK, is described here.

The new way (so with PQC signature schemes) of signing source code from the CLI would look like this:

keytool -genkeypair -alias xmss_signing -keyalg XMSS -sigalg SHA256withXMSS -storetype PKCS12 -keypass password -keystore mykeystore.p12 -storepass password

Followed by: [same as above]

Sadly, this does not work. Instead, the following gets printed:

keytool error: XMSS KeyPairGenerator not available

Even when specifying -providername, -providerclass or -providerpath, the functions provided by the BCPQC provider do not get recognized, though I think the provider itself gets recognized.
Hopefully one of you can help me and tell me how to correctly import the BCPQCProvider and/or use keytool and jarsigner with it!
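The following is an added example, not code from the original post or from BouncyCastle's own documentation. It shows the JCA path that keytool's "XMSS KeyPairGenerator not available" error is failing on: it registers BouncyCastlePQCProvider programmatically, checks whether the KeyPairGenerator.XMSS and Signature.SHA256withXMSS services are actually resolvable from that provider, and then generates an XMSS key pair and signs and verifies a byte string with it. The class name, the constructed input bytes and the tree height of 10 are this example's own choices; it assumes a bcprov-jdk15on 1.5x-era jar on the classpath, whose XMSS signature SPI implements StateAwareSignature (newer BouncyCastle releases update the XMSS private key in place instead of returning an updated copy).

```java
// Added example (not from the original post): register the BC PQC provider through the JCA,
// confirm the XMSS services keytool asks for are registered, then sign and verify with XMSS.
// Assumes bcprov-jdk15on 1.5x on the classpath (StateAwareSignature API).
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import org.bouncycastle.pqc.jcajce.interfaces.StateAwareSignature;
import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
import org.bouncycastle.pqc.jcajce.spec.XMSSParameterSpec;

public class XmssJcaCheck {
    public static void main(String[] args) throws Exception {
        // 1. Register the provider at runtime. This is the programmatic equivalent of a
        //    security.provider.N=org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider
        //    line in java.security, which is what keytool/jarsigner need to see.
        Provider bcpqc = new BouncyCastlePQCProvider();
        if (Security.getProvider(bcpqc.getName()) == null) {
            Security.addProvider(bcpqc);
        }

        // 2. Diagnostic: the lookups keytool performs. If either prints MISSING, the jar on the
        //    classpath is not the PQC provider (or is an older release without XMSS).
        Provider.Service kpgService = bcpqc.getService("KeyPairGenerator", "XMSS");
        Provider.Service sigService = bcpqc.getService("Signature", "SHA256withXMSS");
        System.out.println("KeyPairGenerator.XMSS    -> "
                + (kpgService != null ? kpgService.getClassName() : "MISSING"));
        System.out.println("Signature.SHA256withXMSS -> "
                + (sigService != null ? sigService.getClassName() : "MISSING"));

        // 3. Generate an XMSS key pair: tree height 10 gives 2^10 = 1024 one-time signatures.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("XMSS", BouncyCastlePQCProvider.PROVIDER_NAME);
        kpg.initialize(new XMSSParameterSpec(10, XMSSParameterSpec.SHA256), new SecureRandom());
        KeyPair kp = kpg.generateKeyPair();
        PrivateKey priv = kp.getPrivate();

        // Constructed stand-in for the jar contents that jarsigner would hash and sign.
        byte[] jarBytes = "constructed stand-in for mycode.jar".getBytes(StandardCharsets.UTF_8);

        // 4. Sign. XMSS is stateful (RFC 8391): every leaf may be used exactly once, so the
        //    key state advanced by this signature must replace the stored private key.
        Signature signer = Signature.getInstance("SHA256withXMSS", BouncyCastlePQCProvider.PROVIDER_NAME);
        signer.initSign(priv);
        signer.update(jarBytes);
        byte[] sig = signer.sign();
        priv = ((StateAwareSignature) signer).getUpdatedPrivateKey(); // persist THIS key, never the old one

        // 5. Verify with the public key, exactly as a jar verifier would.
        Signature verifier = Signature.getInstance("SHA256withXMSS", BouncyCastlePQCProvider.PROVIDER_NAME);
        verifier.initVerify(kp.getPublic());
        verifier.update(jarBytes);
        System.out.println("signature valid: " + verifier.verify(sig));
        System.out.println("signature bytes: " + sig.length);
    }
}
```

Two things worth checking against the post's workflow. If step 2 prints MISSING, the problem is the jar or provider class being passed to keytool, not keytool itself; if it resolves here but keytool still fails, the provider is not being picked up from the java.security file or the -providerclass/-providerpath arguments. Independently of that, a keystore-plus-jarsigner workflow has no mechanism to write the advanced XMSS key state back into mykeystore.p12 after each signature, so signing twice from the same stored key reuses a one-time leaf; with a stateful scheme that is a key-compromise condition, which is why the example replaces priv with the updated key rather than reusing the original.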