net.jsign

Class AuthenticodeSigner

java.lang.Object

net.jsign.AuthenticodeSigner

public class AuthenticodeSigner
extends Object

Sign a file with Authenticode. Timestamping is enabled by default and relies on the Sectigo server (http://timestamp.sectigo.com).

Example:

 KeyStore keystore = new KeyStoreBuilder().keystore("keystore.p12").storepass("password").build();

 AuthenticodeSigner signer = new AuthenticodeSigner(keystore, "alias", "secret");
 signer.withProgramName("My Application")
       .withProgramURL("http://www.example.com")
       .withTimestamping(true)
       .withTimestampingAuthority("http://timestamp.sectigo.com");

 try (Signable file = Signable.of(new File("application.exe"))) {
     signer.sign(file);
 }
 

Since:

3.0

Author:

Emmanuel Bourg

Constructor Summary

Constructors

Constructor and Description
AuthenticodeSigner(Certificate[] chain, PrivateKey privateKey) Create a signer with the specified certificate chain and private key.
AuthenticodeSigner(KeyStore keystore, String alias, String password) Create a signer with a certificate chain and private key from the specified keystore.

Method Summary

Modifier and Type	Method and Description
void	sign(Signable file) Sign the specified file.
AuthenticodeSigner	withDigestAlgorithm(DigestAlgorithm algorithm) Set the digest algorithm to use (SHA-256 by default)
AuthenticodeSigner	withProgramName(String programName) Set the program name embedded in the signature.
AuthenticodeSigner	withProgramURL(String programURL) Set the program URL embedded in the signature.
AuthenticodeSigner	withSignatureAlgorithm(String signatureAlgorithm) Explicitly sets the signature algorithm to use.
AuthenticodeSigner	withSignatureAlgorithm(String signatureAlgorithm, Provider signatureProvider) Explicitly sets the signature algorithm and provider to use.
AuthenticodeSigner	withSignatureAlgorithm(String signatureAlgorithm, String signatureProvider) Explicitly sets the signature algorithm and provider to use.
AuthenticodeSigner	withSignatureProvider(Provider signatureProvider) Set the signature provider to use.
AuthenticodeSigner	withSignaturesReplaced(boolean replace) Enable or disable the replacement of the previous signatures (disabled by default).
AuthenticodeSigner	withTimestamper(Timestamper timestamper) Set the Timestamper implementation.
AuthenticodeSigner	withTimestamping(boolean timestamping) Enable or disable the timestamping (enabled by default).
AuthenticodeSigner	withTimestampingAuthority(String... urls) Set the URLs of the timestamping authorities.
AuthenticodeSigner	withTimestampingAuthority(String url) Set the URL of the timestamping authority.
AuthenticodeSigner	withTimestampingMode(TimestampingMode tsmode) RFC3161 or Authenticode (Authenticode by default).
AuthenticodeSigner	withTimestampingRetries(int timestampingRetries) Set the number of retries for timestamping.
AuthenticodeSigner	withTimestampingRetryWait(int timestampingRetryWait) Set the number of seconds to wait between timestamping retries.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthenticodeSigner

public AuthenticodeSigner(Certificate[] chain,
                          PrivateKey privateKey)

Create a signer with the specified certificate chain and private key.

Parameters:

chain - the certificate chain. The first certificate is the signing certificate

privateKey - the private key

Throws:

IllegalArgumentException - if the chain is empty

AuthenticodeSigner

public AuthenticodeSigner(KeyStore keystore,
                          String alias,
                          String password)
                   throws NoSuchAlgorithmException,
                          KeyStoreException,
                          UnrecoverableKeyException

Create a signer with a certificate chain and private key from the specified keystore.

Parameters:

keystore - the keystore holding the certificate and the private key

alias - the alias of the certificate in the keystore

password - the password to get the private key

Throws:

KeyStoreException - if the keystore has not been initialized (loaded).

NoSuchAlgorithmException - if the algorithm for recovering the key cannot be found

UnrecoverableKeyException - if the key cannot be recovered (e.g., the given password is wrong).

Method Detail

sign

public void sign(Signable file)
          throws Exception

Sign the specified file.

Parameters:

file - the file to sign

Throws:

Exception - if signing fails

withDigestAlgorithm

public AuthenticodeSigner withDigestAlgorithm(DigestAlgorithm algorithm)

Set the digest algorithm to use (SHA-256 by default)

Parameters:

algorithm - the digest algorithm

Returns:

the current signer

withProgramName

public AuthenticodeSigner withProgramName(String programName)

Set the program name embedded in the signature.

Parameters:

programName - the program name

Returns:

the current signer

withProgramURL

public AuthenticodeSigner withProgramURL(String programURL)

Set the program URL embedded in the signature.

Parameters:

programURL - the program URL

Returns:

the current signer

withSignatureAlgorithm

public AuthenticodeSigner withSignatureAlgorithm(String signatureAlgorithm)

Explicitly sets the signature algorithm to use.

Parameters:

signatureAlgorithm - the signature algorithm

Returns:

the current signer

Since:

2.0

withSignatureAlgorithm

public AuthenticodeSigner withSignatureAlgorithm(String signatureAlgorithm,
                                                 Provider signatureProvider)

Explicitly sets the signature algorithm and provider to use.

Parameters:

signatureAlgorithm - the signature algorithm

signatureProvider - the security provider for the specified algorithm

Returns:

the current signer

Since:

2.0

withSignatureAlgorithm

public AuthenticodeSigner withSignatureAlgorithm(String signatureAlgorithm,
                                                 String signatureProvider)

Explicitly sets the signature algorithm and provider to use.

Parameters:

signatureAlgorithm - the signature algorithm

signatureProvider - the security provider for the specified algorithm

Returns:

the current signer

Since:

2.0

withSignatureProvider

public AuthenticodeSigner withSignatureProvider(Provider signatureProvider)

Set the signature provider to use.

Parameters:

signatureProvider - the security provider for the signature algorithm

Returns:

the current signer

Since:

2.0

withSignaturesReplaced

public AuthenticodeSigner withSignaturesReplaced(boolean replace)

Enable or disable the replacement of the previous signatures (disabled by default).

Parameters:

replace - true if the new signature should replace the existing ones, false to append it

Returns:

the current signer

Since:

2.0

withTimestamper

public AuthenticodeSigner withTimestamper(Timestamper timestamper)

Set the Timestamper implementation.

Parameters:

timestamper - the timestamper implementation to use

Returns:

the current signer

withTimestamping

public AuthenticodeSigner withTimestamping(boolean timestamping)

Enable or disable the timestamping (enabled by default).

Parameters:

timestamping - true to enable timestamping, false to disable it

Returns:

the current signer

withTimestampingAuthority

public AuthenticodeSigner withTimestampingAuthority(String... urls)

Set the URLs of the timestamping authorities. Both RFC 3161 (as used for jar signing) and Authenticode timestamping services are supported.

Parameters:

urls - the URLs of the timestamping authorities

Returns:

the current signer

Since:

2.1

withTimestampingAuthority

public AuthenticodeSigner withTimestampingAuthority(String url)

Set the URL of the timestamping authority. Both RFC 3161 (as used for jar signing) and Authenticode timestamping services are supported.

Parameters:

url - the URL of the timestamping authority

Returns:

the current signer

Since:

2.1

withTimestampingMode

public AuthenticodeSigner withTimestampingMode(TimestampingMode tsmode)

RFC3161 or Authenticode (Authenticode by default).

Parameters:

tsmode - the timestamping mode

Returns:

the current signer

Since:

1.3

withTimestampingRetries

public AuthenticodeSigner withTimestampingRetries(int timestampingRetries)

Set the number of retries for timestamping.

Parameters:

timestampingRetries - the number of retries

Returns:

the current signer

withTimestampingRetryWait

public AuthenticodeSigner withTimestampingRetryWait(int timestampingRetryWait)

Set the number of seconds to wait between timestamping retries.

Parameters:

timestampingRetryWait - the wait time between retries (in seconds)

Returns:

the current signer