Signing with pfx

#1

I am using the module signer tool and I cannot get pfx to work. The github readme.md indicates that pfx should work.

Blockquote The path to the keystore containing your code signing certificate. Can be either JKS or PFX format.

However i get this error

Exception in thread "main" java.io.IOException: Invalid keystore format
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:664)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at com.inductiveautomation.ignitionsdk.ModuleSigner$Main.main(ModuleSigner.java:135)

I did export my pfx as a jks and it ran but when loaded into ignition it is saying that it is a self signed cert which makes me think something about the jks I exported is not correct. Is there a way to use the pfx format with the module signer (java-11) branch.

0 Likes

#2

I dug into this a bit and its a problem with this line

String keyStoreType = keyStoreFile.toPath().endsWith("pfx") ? "pkcs12" : "jks";

ends with is looking for the ending path segment not filename or extension

endsWith

boolean endsWith(String other)
Tests if this path ends with a Path, constructed by converting the given path string, in exactly the manner specified by the endsWith(Path) method. On UNIX for example, the path “foo/bar” ends with “foo/bar” and “bar”. It does not end with “r” or “/bar”. Note that trailing separators are not taken into account, and so invoking this method on the Path"foo/bar" with the String “bar/” returns true.

1 Like

#3

@Kevin.Herron tagging you as you are the author in git.

I ended up fixing this issue as well as another one being that the default registered security providers do not handle HmacPBESHA256. Let me know if you would like to talk about this.

0 Likes

#4

Thanks I’ll get this fixed up.

0 Likes

#5

I merged the Java 11 branch into master and fixed the bug preventing PFX from being selected.

Why did you need to do anything with HmacPBESHA256?

0 Likes

#6

@Kevin.Herron I am not an expert in certificates and signing but my keystore required that algorithm. With the default crypto provider I was getting an exception when getting the instance of the keystore.

0 Likes

#7

What software did you use to create your keystore? What JRE are you using?

HmacPBESHA256 is not uncommon so I’m surprised the default provider doesn’t support it.

0 Likes

#8

The .pfx keystore was created with windows tools.

I used the Bouncy Castle provider which resolved the issue.

0 Likes

#9

Well, sure enough…

Supported in JDK 12: https://docs.oracle.com/en/java/javase/12/security/oracle-providers.html#GUID-A47B1249-593C-4C38-A0D0-68FA7681E0A7

But not in JDK 11: https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-A47B1249-593C-4C38-A0D0-68FA7681E0A7

0 Likes