Add support for PKCS11 jar signing
bphinz committed Jun 15, 2024
1 parent fb7b956 commit 78510b9
Showing 2 changed files with 37 additions and 10 deletions.
6 changes: 6 additions & 0 deletions java/CMakeLists.txt
Expand Up @@ -20,7 +20,10 @@ set(JAVA_KEYSTORE_TYPE "jks" CACHE STRING "Type of keystore (Default: \"jks\")")
set(JAVA_KEY_ALIAS NOTFOUND CACHE STRING "Alias for the keystore entry used to generate the signature")
set(JAVA_STOREPASS NOTFOUND CACHE STRING "Password required to access the keystore")
set(JAVA_KEYPASS NOTFOUND CACHE STRING "Password used to protect the private key of the specified keystore entry")
set(JAVA_PKCS11_PROVIDER_CLASS "sun.security.pkcs11.SunPKCS11" CACHE STRING "PKCS11 SecurityProvider class name")
set(JAVA_PKCS11_PROVIDER_ARG NOTFOUND CACHE STRING "Path to the PKCS11 security provider class config file")
set(JAVA_TSA_URL NOTFOUND CACHE STRING "URL of Time Stamping Authority (TSA)")
set(JAVA_CERT_CHAIN NOTFOUND CACHE STRING "Path to CA certificate chain file")

if(NOT BUILD)
STRING(TIMESTAMP BUILD "%Y%m%d" UTC)
Expand Down Expand Up @@ -166,9 +169,12 @@ add_custom_command(OUTPUT VncViewer.jar
-DJAVA_KEYSTORE=${JAVA_KEYSTORE}
-DJAVA_KEYSTORE_TYPE=${JAVA_KEYSTORE_TYPE}
-DJAVA_STOREPASS=${JAVA_STOREPASS}
-DJAVA_PKCS11_PROVIDER_CLASS=${JAVA_PKCS11_PROVIDER_CLASS}
-DJAVA_PKCS11_PROVIDER_ARG=${JAVA_PKCS11_PROVIDER_ARG}
-DJAVA_KEYPASS=${JAVA_KEYPASS}
-DJAVA_KEY_ALIAS=${JAVA_KEY_ALIAS}
-DJAVA_TSA_URL=${JAVA_TSA_URL}
-DJAVA_CERT_CHAIN=${JAVA_CERT_CHAIN}
-P ${SRCDIR}/cmake/SignJar.cmake)

add_custom_target(java ALL DEPENDS VncViewer.jar)
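Review bot: JAVA_PKCS11_PROVIDER_ARG on the line following JAVA_PKCS11_PROVIDER_CLASS is documented as a path to a config file but is cached as STRING; caching it as FILEPATH would let CMake normalise it and give the GUI a file chooser: `set(JAVA_PKCS11_PROVIDER_ARG NOTFOUND CACHE FILEPATH "Path to the PKCS11 security provider class config file")`. The same applies to JAVA_CERT_CHAIN, which is also described as a file path. The new `-DJAVA_PKCS11_PROVIDER_ARG=${JAVA_PKCS11_PROVIDER_ARG}` and `-DJAVA_CERT_CHAIN=${JAVA_CERT_CHAIN}` arguments follow the existing unquoted pattern, so a path containing a space or `;` would be split into several arguments before SignJar.cmake sees it; quoting each `"-D...=${...}"` argument avoids that. The add_custom_command these arguments belong to begins outside the hunk.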
41 changes: 31 additions & 10 deletions java/cmake/SignJar.cmake
Expand Up @@ -10,8 +10,20 @@ set(KEYTOOL "${Java_PATH}/keytool")
set(JARSIGNER "${Java_PATH}/jarsigner")

if(JAVA_KEYSTORE)
if((NOT JAVA_STOREPASS) OR (NOT JAVA_KEYPASS) OR (NOT JAVA_KEY_ALIAS))
message(FATAL_ERROR "When JAVA_KEYSTORE is specified, JAVA_KEY_ALIAS, JAVA_STOREPASS, and JAVA_KEYPASS must also be specified:\n${ERROR}")
if((NOT JAVA_KEYSTORE_TYPE))
message(FATAL_ERROR "When JAVA_KEYSTORE is specified, JAVA_KEYSTORE_TYPE must also be specified:\n${ERROR}")
endif()
string(TOUPPER "${JAVA_KEYSTORE_TYPE}" JAVA_KEYSTORE_TYPE_STRING)
if(${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS11")
if((NOT JAVA_PKCS11_PROVIDER_ARG) OR (NOT JAVA_STOREPASS) OR (NOT JAVA_KEY_ALIAS))
message(FATAL_ERROR "When JAVA_KEYSTORE_TYPE is PKCS11, JAVA_STOREPASS, JAVA_PKCS11_PROVIDER_ARG, and JAVA_KEY_ALIAS must also be specified:\n${ERROR}")
endif()
elseif((${JAVA_KEYSTORE_TYPE_STRING} MATCHES "JKS") OR (${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS12"))
if((NOT JAVA_STOREPASS) OR (NOT JAVA_KEYPASS) OR (NOT JAVA_KEY_ALIAS))
message(FATAL_ERROR "When JAVA_KEYSTORE_TYPE is JKS or PKCS12, JAVA_STOREPASS, JAVA_KEYPASS, and JAVA_KEY_ALIAS must also be specified:\n${ERROR}")
endif()
else()
message(FATAL_ERROR "Unsupported keystore type:\n${ERROR}")
endif()
else()
message(STATUS "Generating self-signed certificate")
Expand Down Expand Up @@ -44,14 +56,23 @@ else()
set(ARGS ${ARGS} -storepass ${JAVA_STOREPASS})
endif()

if(${JAVA_KEYPASS} MATCHES "^:env")
string(REGEX REPLACE "^:env[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
set(ARGS ${ARGS} -keypass:env ${JAVA_KEYPASS})
elseif("${JAVA_KEYPASS}" MATCHES "^:file")
string(REGEX REPLACE "^:file[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
set(ARGS ${ARGS} -keypass:file ${JAVA_KEYPASS})
else()
set(ARGS ${ARGS} -keypass ${JAVA_KEYPASS})
if(${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS11")
set(ARGS ${ARGS} -providerClass ${JAVA_PKCS11_PROVIDER_CLASS})
set(ARGS ${ARGS} -providerArg ${JAVA_PKCS11_PROVIDER_ARG})
elseif((${JAVA_KEYSTORE_TYPE_STRING} MATCHES "JKS") OR (${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS12"))
if(${JAVA_KEYPASS} MATCHES "^:env")
string(REGEX REPLACE "^:env[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
set(ARGS ${ARGS} -keypass:env ${JAVA_KEYPASS})
elseif("${JAVA_KEYPASS}" MATCHES "^:file")
string(REGEX REPLACE "^:file[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
set(ARGS ${ARGS} -keypass:file ${JAVA_KEYPASS})
else()
set(ARGS ${ARGS} -keypass ${JAVA_KEYPASS})
endif()
endif()

if(JAVA_CERT_CHAIN)
set(ARGS ${ARGS} -certchain ${JAVA_CERT_CHAIN})
endif()

if(JAVA_TSA_URL)
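Review bot: JAVA_KEYSTORE_TYPE_STRING is only assigned by the `string(TOUPPER ...)` inside the `if(JAVA_KEYSTORE)` branch, yet the new `if(${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS11")` before the -providerClass line runs on both paths; unless the self-signed `else()` branch (outside the hunk) also sets it, the unquoted expansion is empty there and `if()` fails with unknown arguments rather than falling through to the -keypass handling. Moving the `string(TOUPPER "${JAVA_KEYSTORE_TYPE}" JAVA_KEYSTORE_TYPE_STRING)` above the `if(JAVA_KEYSTORE)` check, after whatever defaults the self-signed branch relies on, and quoting the comparison fixes both: `if("${JAVA_KEYSTORE_TYPE_STRING}" STREQUAL "PKCS11")`. STREQUAL is also preferable to MATCHES in the four type checks, because MATCHES "JKS" is a substring match and would accept other type names containing it instead of reaching the "Unsupported keystore type" error. The if/else that the -storepass and -providerClass lines sit in begins outside the hunk.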
