Speed up jarsigner with hardware token?

I previously signed jar files using a locally installed keystore as part of an auto build. I am now faced with the need to use a hardware device due to recent changes in the minimum code signing requirements, and although I figured out how to do it, I see extreme slowdowns.

As one example, a jar file with 180 classes that I could previously sign in about half a second now takes about 30 seconds. As this happens, I see the device token access indicator flashing several times per second, apparently once for each class in the jar file.

Is there a way to speed this up, e.g. is there some way to reduce token access to one access for the whole jar file?

+3

1 answer


This is not an answer, but it is too long for a comment:

If your assumption about access to the token for every file is correct, it means that the hash of the files is also calculated on the device, not just the signature.

Does your PKCS11 device have a logging option that can show which PKCS#11 calls the device receives (hash operations are named C_Digest in PKCS11), so you can confirm this? Perhaps with the option mentioned in "java keytool with opensc pkcs#11 provider only works with the debug option enabled" (I haven't tried it).



Since I don't know if there is a way to tell jarsigner to hash in software and sign with the hardware, if you can't find a better answer, you can probably write your own provider ( http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html ):

  • a software hash implementation (MessageDigestSpi, just forwarding the calls to the default Java software provider)
  • and a device signature (SignatureSpi, just forwarding the calls to the PKCS11 provider configured in Java). I think it was Signature signature = Signature.getInstance("SHA1withRSA", "SunPKCS11") and so on. And the analog for KeyStoreSpi.

And then call jarsigner with your provider as a parameter.

+3
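An added illustration of the delegating provider the answer sketches (my example, not the answerer's or any project's code): digests go to the software SUN provider and only the signature is forwarded to SunPKCS11, so the private key stays on the token while the per-class hashing never touches it. The provider name SunPKCS11-Token, the SHA-256/SHA256withRSA algorithm choice and the class name SplitProvider are assumptions, and the provider has to be installed ahead of SunPKCS11 (for example through jarsigner's -providerClass option) so that MessageDigest lookups reach it.

```java
import java.security.*;

// Hypothetical provider: software digests, hardware (PKCS#11) signatures.
public final class SplitProvider extends Provider {
    // Assumed name of the configured SunPKCS11 instance; adjust to your config.
    static final String PKCS11_NAME = "SunPKCS11-Token";

    public SplitProvider() {
        super("SplitProvider", 1.0, "software digest, hardware signature");
        put("MessageDigest.SHA-256", SoftwareDigest.class.getName());
        put("Signature.SHA256withRSA", HardwareSignature.class.getName());
    }

    // MessageDigestSpi that wraps a plain software MessageDigest from "SUN".
    public static final class SoftwareDigest extends MessageDigestSpi {
        private final MessageDigest md;
        public SoftwareDigest() throws GeneralSecurityException {
            md = MessageDigest.getInstance("SHA-256", "SUN");
        }
        @Override protected void engineUpdate(byte b) { md.update(b); }
        @Override protected void engineUpdate(byte[] in, int off, int len) { md.update(in, off, len); }
        @Override protected byte[] engineDigest() { return md.digest(); }
        @Override protected void engineReset() { md.reset(); }
    }

    // SignatureSpi that forwards everything to the PKCS#11 provider, so the
    // token is only asked to sign the final digest, not to hash every entry.
    public static final class HardwareSignature extends SignatureSpi {
        private final Signature sig;
        public HardwareSignature() throws GeneralSecurityException {
            sig = Signature.getInstance("SHA256withRSA", PKCS11_NAME);
        }
        @Override protected void engineInitSign(PrivateKey k) throws InvalidKeyException { sig.initSign(k); }
        @Override protected void engineInitVerify(PublicKey k) throws InvalidKeyException { sig.initVerify(k); }
        @Override protected void engineUpdate(byte b) throws SignatureException { sig.update(b); }
        @Override protected void engineUpdate(byte[] in, int off, int len) throws SignatureException { sig.update(in, off, len); }
        @Override protected byte[] engineSign() throws SignatureException { return sig.sign(); }
        @Override protected boolean engineVerify(byte[] s) throws SignatureException { return sig.verify(s); }
        @Override @Deprecated protected void engineSetParameter(String p, Object v) { throw new InvalidParameterException(p); }
        @Override @Deprecated protected Object engineGetParameter(String p) { throw new InvalidParameterException(p); }
    }
}
```

Whether the token is still driven per entry can be checked the way the answer suggests: with PKCS#11 logging enabled, C_Digest calls should disappear and only the signing calls remain.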
