jwall.org - Security

Since this is currently only a small project, I do not have an official CA certificate. However, I have set up an internal authority for signing the web server's certificate for subversion access at https://secure.jwall.org (public access to the subversion repository is currently not allowed). My personal certificate is also signed by that CA.

GPG Key

There is a GPG public key available for sending encrypted mails and for signing. The key has the ID C5C3953C and is associated with the address chris (at) jwall.org.


CA Certificate

The CA certificate is available here: jwall-ca.pem
The certificate's fingerprint is:

MD5 Fingerprint=91:32:65:27:35:17:5C:27:69:94:E5:18:77:C6:B2:88

The CA's distinguished name is

C=DE, ST=NRW, O=jwall.org, OU=Security
CN=ca.jwall.org/emailAddress=security@jwall.org

Code-Signing

These days it has become quite common to download programs and libraries from the internet. Security of mobile code is an important issue, since you are encouraged to run only code that is supposed to be clean and trustworthy.

For these reasons I provide signed versions of the jars available from this site. Although you cannot really trust my CA certificate unless you have verified it or checked it against some authority that you trust (obtaining an officially signed CA certificate is a goal of mine, though near the end of my to-do list), the signed jars are at least affiliated with this site. You can verify them by checking the archives against the CA certificate jwall-ca.pem, which is the same CA certificate used to sign the site certificate of https://secure.jwall.org.

The jars are signed using Sun's keytool. The certificate used for digitally signing the released jar files can be obtained here: chris-jwall.org.pem. This certificate has the following fingerprint:

MD5 Fingerprint=01:66:F0:24:F6:FA:9E:01:4C:84:A5:EA:3B:0C:15:05

The distinguished name is the same as the CA's, with a different common name (CN):

C=DE, ST=NRW, O=jwall.org, OU=Security
CN=Christian Bockermann/emailAddress=chris@jwall.org

Verifying the jar-Archives

The simplest way of verifying a signed archive, without importing the above CA certificate into your system's trusted certificate store, is probably to create a small temporary Java keystore by importing the CA certificate into an empty one using the keytool provided by Sun:

    keytool -import -keystore jwall.keystore -file jwall-ca.pem

Next you are prompted for a password for that keystore. You can then use the jarsigner tool that comes with your Java environment to verify a signed archive as follows (verifying the web-audit library in this example):

    jarsigner -verify -keystore jwall.keystore org.jwall.web.audit-0.2.9-signed.jar
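The same two steps as a script, added here as an example and not part of jwall.org's own tooling: it pins the CA fingerprint published above before the certificate is trusted, imports it into a throwaway keystore, and runs jarsigner with -strict so that a signer whose chain does not lead to the jwall CA fails the check instead of merely printing a warning next to "jar verified.". It assumes keytool, jarsigner and openssl are on PATH and uses the file names from this page.

```shell
#!/bin/sh
# Expected MD5 fingerprint of jwall-ca.pem, taken from this page.
JWALL_CA_MD5="91:32:65:27:35:17:5C:27:69:94:E5:18:77:C6:B2:88"

# Normalise a fingerprint for comparison: drop any "MD5 Fingerprint=" prefix
# (OpenSSL 3 prints the digest name in lower case), strip colons, upper-case.
norm_fp() {
    printf '%s' "$1" | sed 's/.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Returns 0 when the MD5 fingerprint of the PEM certificate in $1 equals $2.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -md5) || return 1
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# verify_jar <signed.jar> <ca.pem> <expected fingerprint>
# Imports the CA into a fresh keystore in a temporary directory, verifies the
# jar against it and removes the keystore again. -strict makes jarsigner exit
# non-zero on an untrusted or invalid signer; -certs shows the signer chain.
verify_jar() {
    fingerprint_matches "$2" "$3" || { echo "CA fingerprint mismatch" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    ks="$dir/jwall.keystore"
    # Random one-off keystore password; the keystore only lives for this call.
    pw=$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n')
    keytool -importcert -noprompt -alias jwall-ca -file "$2" \
        -keystore "$ks" -storepass "$pw" >/dev/null || { rm -rf "$dir"; return 1; }
    jarsigner -verify -strict -verbose:summary -certs \
        -keystore "$ks" -storepass "$pw" "$1"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage:
#   verify_jar org.jwall.web.audit-0.2.9-signed.jar jwall-ca.pem "$JWALL_CA_MD5"
```

The page publishes only an MD5 fingerprint; if you obtain a SHA-256 value for jwall-ca.pem from the site owner, the same check works with `-sha256` in place of `-md5`.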