How do I create or extract the certificate from a signed jar file

Question

I am working on extracting the metadata from jar file. One of the metadata component is the certificate. I have a signed jar file that has *.DSA and *.SC files generated. Is there a way to programmatically create a certificate file from these files in java?

Answer 1

A signed jar should have (for each signature, if more than one)

• a signer.SF (not .SC ) entry which, like the manifest, has some global attributes plus a digest of each jar entry (class, resource, etc) covered by the signature and

• a signer.{RSA,DSA,EC} entry which is a PKCS7 (aka CMS) 'detached' signature. Such a PKCS7/CMS signature can and usually (at least from jarsigner ) does contain the signer's cert chain -- or more exactly the certs making up that chain, since cert chains are normally ordered (certainly they are in a Java keystore) but the certs in a PKCS7/CMS SignedData are defined in ASN.1 as a SET which doesn't preserve order.

'Plain' Java does not expose classes for dealing with PKCS7 (although they exist internally), but if you can use (add) bcprov from https://www.bouncycastle.org it does and you can use code like this to write the certs as DER or PEM files:

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;
...
    byte[] sig = // contents of the signer.RSA/DSA/EC entry e.g. using ZipFile
    int n = 0; boolean DER = // true or false as desired
    for( X509CertificateHolder cert : new CMSSignedData(sig).getCertificates().getMatches(null) ){
        byte[] der = cert.getEncoded(); String filename = "cert"+(++n);
        if( DER ) Files.write(Paths.get(filename), der);
        else try( PemWriter w = new PemWriter(new FileWriter(filename)) ){
            w.writeObject( new PemObject("CERTIFICATE",der) );
        }
    }

Of course instead of writing files, you can do other storage or processing in the loop.