From 9a681bc5d3e0c987586d9c3f0212f144780c89ed Mon Sep 17 00:00:00 2001
From: Emmanuel Bourg
Date: Wed, 13 Nov 2024 13:39:29 +0100
Subject: [PATCH] SignServer documentation (#252)

---
 README.md | 8 +++-
 docs/index.html | 40 +++++++++++++++++++
 .../src/main/java/net/jsign/JsignCLI.java | 1 +
 .../src/main/java/net/jsign/KeyStoreType.java | 10 +++++
 .../src/main/java/net/jsign/JsignMojo.java | 2 +-
 .../share/bash-completion/completions/jsign | 2 +-
 jsign/src/deb/data/usr/share/man/man1/jsign.1 | 2 +
 7 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 2eccb789..59f493a4 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@ Jsign is free to use and licensed under the [Apache License version 2.0](https:/
 * [GaraSign](https://garantir.io/garasign/)
 * [Google Cloud KMS](https://cloud.google.com/security-key-management)
 * [HashiCorp Vault](https://www.vaultproject.io/)
+ * [Keyfactor SignServer](https://www.signserver.org)
 * [Oracle Cloud KMS](https://www.oracle.com/security/cloud-security/key-management/)
 * [SSL.com eSigner](https://www.ssl.com/esigner/)
 * Private key formats: PVK and PEM (PKCS#1 and PKCS#8), encrypted or not
@@ -54,7 +55,12 @@ See https://ebourg.github.io/jsign for more information.
 #### Version 7.0 (in development)
-* New signing services: HashiCorp Vault Transit (contributed by Eatay Mizrachi), Azure Trusted Signing, Oracle Cloud and GaraSign
+* New signing services:
+ * Azure Trusted Signing
+ * Oracle Cloud
+ * GaraSign
+ * HashiCorp Vault Transit (contributed by Eatay Mizrachi)
+ * Keyfactor SignServer (contributed by Björn Kautler)
 * Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
 * Commands have been added:
 * `timestamp`: timestamps the signatures of a file
diff --git a/docs/index.html b/docs/index.html
index 7b9f3f6a..6d7bc0b7 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -70,6 +70,7 @@

Features

  • GaraSign
  • Google Cloud KMS
  • HashiCorp Vault
  • +
  • Keyfactor SignServer
  • Oracle Cloud KMS
  • SSL.com eSigner
  • @@ -228,6 +229,7 @@

    Attributes

  • GOOGLECLOUD: Google Cloud KMS
  • HASHICORPVAULT: HashiCorp Vault
  • ORACLECLOUD: Oracle Cloud Key Management Service
  • +
  • SIGNSERVER: Keyfactor SignServer
  • TRUSTEDSIGNING: Azure Trusted Signing
  • @@ -549,6 +551,7 @@

    Command Line Tool

    - GOOGLECLOUD: Google Cloud KMS - HASHICORPVAULT: HashiCorp Vault - ORACLECLOUD: Oracle Cloud Key Management Service + - SIGNSERVER: Keyfactor SignServer - TRUSTEDSIGNING: Azure Trusted Signing -a,--alias <NAME> The alias of the certificate used for signing in the keystore --keypass <PASSWORD> The password of the private key. When using a keystore, @@ -880,6 +883,43 @@

    Signing with HashiCorp Vault

    --certfile full-chain.pem application.exe + +

    Signing with Keyfactor SignServer

    + +

    SignServer is an on-premises open source signing service developed by Keyfactor. +SignServer supports various signing operations handled by signer workers. Jsign requires a +Plain Signer +worker configured with the CLIENTSIDEHASHING or ALLOW_CLIENTSIDEHASHING_OVERRIDE properties +set to true, and the SIGNATUREALGORITHM property set to NONEwithRSA or +NONEwithECDSA.

    + +

    The authentication is performed by specifying the username/password or the TLS client certificate in the +storepass parameter. If the TLS client certificate is stored in a password protected keystore, the password +is specified in the keypass parameter. The keystore parameter references the URL of the +SignServer REST API. The alias parameter specifies the id or the name of the worker.

    + +

    Authenticating with a username and a password:

    + +
    + jsign --storetype SIGNSERVER \
    +       --keystore https://example.com/signserver \
    +       --storepass "<username>|<password>" \
    +       --alias test \
    +       application.exe
    +
    + +

    Authenticating with a TLS client certificate:

    + +
    + jsign --storetype SIGNSERVER \
    +       --keystore https://example.com/signserver \
    +       --storepass "/path/to/client-certificate.p12" \
    +       --keypass <client-certificate-password> \
    +       --alias test \
    +       application.exe
    +
    + +

    Signing with Oracle Cloud Key Management Service

    Signing with the Oracle Cloud Infrastructure Key Management Service requires the
diff --git a/jsign-cli/src/main/java/net/jsign/JsignCLI.java b/jsign-cli/src/main/java/net/jsign/JsignCLI.java
index 12969b2f..9cb9c6a5 100644
--- a/jsign-cli/src/main/java/net/jsign/JsignCLI.java
+++ b/jsign-cli/src/main/java/net/jsign/JsignCLI.java
@@ -95,6 +95,7 @@ public static void main(String... args) {
 + "- GOOGLECLOUD: Google Cloud KMS\n"
 + "- HASHICORPVAULT: HashiCorp Vault\n"
 + "- ORACLECLOUD: Oracle Cloud Key Management Service\n"
+ + "- SIGNSERVER: Keyfactor SignServer\n"
 + "- TRUSTEDSIGNING: Azure Trusted Signing\n").build());
 options.addOption(Option.builder("a").hasArg().longOpt(PARAM_ALIAS).argName("NAME").desc("The alias of the certificate used for signing in the keystore").build());
 options.addOption(Option.builder().hasArg().longOpt(PARAM_KEYPASS).argName("PASSWORD").desc("The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password").build());
diff --git a/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java b/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java
index 29961471..c082b21c 100644
--- a/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java
+++ b/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java
@@ -547,6 +547,16 @@ Provider getProvider(KeyStoreBuilder params) {
 }
 },
+ /**
+ * Keyfactor SignServer. This keystore requires a Plain Signer worker configured to allow client-side hashing (with
+ * the properties CLIENTSIDEHASHING or ALLOW_CLIENTSIDEHASHING_OVERRIDE set to true), and
+ * the SIGNATUREALGORITHM property set to NONEwithRSA or NONEwithECDSA.
+ *
+ *

    The authentication is performed by specifying the username/password or the TLS client certificate in the + * storepass parameter. If the TLS client certificate is stored in a password protected keystore, the password is + * specified in the keypass parameter. The keystore parameter references the URL of the SignServer REST API. The + * alias parameter specifies the id or the name of the worker.

    + */
 SIGNSERVER(false, false, false) {
 @Override
 void validate(KeyStoreBuilder params) {
diff --git a/jsign-maven-plugin/src/main/java/net/jsign/JsignMojo.java b/jsign-maven-plugin/src/main/java/net/jsign/JsignMojo.java
index aa7b99ad..c400d0cd 100644
--- a/jsign-maven-plugin/src/main/java/net/jsign/JsignMojo.java
+++ b/jsign-maven-plugin/src/main/java/net/jsign/JsignMojo.java
@@ -90,7 +90,7 @@ public class JsignMojo extends AbstractMojo {
 /**
 * The type of the keystore (JKS, JCEKS, PKCS12, PKCS11, ETOKEN, NITROKEY, OPENPGP, OPENSC, PIV, YUBIKEY, AWS,
- * AZUREKEYVAULT, DIGICERTONE, ESIGNER, GARASIGN, GOOGLECLOUD, HASHICORPVAULT, ORACLECLOUD or TRUSTEDSIGNING).
+ * AZUREKEYVAULT, DIGICERTONE, ESIGNER, GARASIGN, GOOGLECLOUD, HASHICORPVAULT, ORACLECLOUD, SIGNSERVER or TRUSTEDSIGNING).
 */
 @Parameter( property = "jsign.storetype" )
 private String storetype;
diff --git a/jsign/src/deb/data/usr/share/bash-completion/completions/jsign b/jsign/src/deb/data/usr/share/bash-completion/completions/jsign
index cbf4473a..15a0ed2b 100644
--- a/jsign/src/deb/data/usr/share/bash-completion/completions/jsign
+++ b/jsign/src/deb/data/usr/share/bash-completion/completions/jsign
@@ -42,7 +42,7 @@ _jsign()
 return 0
 ;;
 --storetype)
- COMPREPLY=( $( compgen -W 'JKS JCEKS PKCS12 PKCS11 AWS AZUREKEYVAULT DIGICERTONE ESIGNER ETOKEN GARASIGN GOOGLECLOUD HASHICORPVAULT ORACLECLOUD TRUSTEDSIGNING YUBIKEY NITROKEY OPENPGP OPENSC PIV' -- "$cur" ) )
+ COMPREPLY=( $( compgen -W 'JKS JCEKS PKCS12 PKCS11 AWS AZUREKEYVAULT DIGICERTONE ESIGNER ETOKEN GARASIGN GOOGLECLOUD HASHICORPVAULT ORACLECLOUD SIGNSERVER TRUSTEDSIGNING YUBIKEY NITROKEY OPENPGP OPENSC PIV' -- "$cur" ) )
 return 0
 ;;
 --storepass|-a|--alias|--keypass|-t|--tsaurl|-r|--tsretries|-w|--tsretrywait|-n|--name|-u|--url|--proxyUrl|--proxyUser|--proxyPass|--value)
diff --git a/jsign/src/deb/data/usr/share/man/man1/jsign.1 b/jsign/src/deb/data/usr/share/man/man1/jsign.1
index 7276db52..969df446 100644 
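Review bot: The new Javadoc on the SIGNSERVER constant says both the username/password and the TLS client certificate go in storepass, but not how the two forms are distinguished; the docs/index.html hunk in this commit shows a `"<username>|<password>"` value with a `|` separator versus a path to a `.p12` keystore, and that convention belongs in the Javadoc since KeyStoreType is what the CLI help and the Maven plugin refer to. I'd extend the second paragraph to read `* storepass parameter, either as "username|password" or as the path to the keystore file holding the client certificate.` and add `* Since storepass carries a secret in this mode, prefer supplying it through a property or environment rather than as a command-line literal, which lands in shell history and process listings.` The overridden `validate(KeyStoreBuilder params)` presumably enforces the presence and shape of storepass and alias, but its body starts outside the hunk, so that is not confirmed here; a one-line `@throws` on the Javadoc stating what it rejects would close the gap.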
--- a/jsign/src/deb/data/usr/share/man/man1/jsign.1
+++ b/jsign/src/deb/data/usr/share/man/man1/jsign.1
@@ -99,6 +99,8 @@ Cloud key management systems:
 .br
 - ORACLECLOUD : Oracle Cloud Key Management Service
 .br
+- SIGNSERVER : Keyfactor SignServer
+.br
 - TRUSTEDSIGNING: Azure Trusted Signing
 This option is not required for file based keystores (JKS, JCEKS and PKCS12).