On Sat, 15 Mar 2008 00:32:39 -0700 (PDT), Peter Mueller
<peter.o.mueller@gmx.de> wrote, quoted or indirectly quoted someone
who said :
>I want to do the verification with code stored in the
>jar file.
>Is there a class available in the SDK to access the private key in the
>jar's *.dsa file?
You can use the jar or zip classes to get at the files
META-INF/MANIFEST.MF
META-INF/MINDPROD.DSA
META-INF/MINDPROD.SF
That is probably lower level than you wanted.
manifest.mf gives the sha1 digests of each member e.g.

Manifest-Version: 1.0
Created-By: Jakarta Ant 1.7.0 (December 13 2006)
Main-Class: com.mindprod.setclock.SetClock

Name: com/mindprod/inwords/TimeInterval.class
SHA1-Digest: kGqocqQUkOGLBQtEjBjPm6a8FNA=
Last-Modified: Tue, 11 Mar 2008 10:25:33 PDT
Content-Location: E:\com\mindprod\inwords\TimeInterval.class

Name: com/mindprod/common11/Misc.class
SHA1-Digest: p7J0gVoPf1KAMW4PuoMtkncNnME=
Last-Modified: Tue, 11 Mar 2008 10:25:19 PDT
Content-Location: E:\com\mindprod\common11\Misc.class

MINDPROD.DSA is the public key
MINDPROD.SF is the digital signature. It gives a different SHA-1 digest
for each member plus a digest for the combined digests. Possibly
it is a digest of the digest/date time entry/location.

Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: aL3d4UOM690jmWDCsc9XT6uLjq4=
Created-By: 1.6.0_05 (Sun Microsystems Inc.)
SHA1-Digest-Manifest: 9TyEat69V3T5iRyK9e5VpFl2ro0=

Name: com/mindprod/inwords/TimeInterval.class
SHA1-Digest: fLlFOiYTObeknHZMeFD58Maf8KM=

Name: com/mindprod/common11/Misc.class
SHA1-Digest: l2uzaq9egG4VjCqKyBsOoDeTWe0=

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
Roedy Green - 15 Mar 2008 10:22 GMT
On Sat, 15 Mar 2008 09:10:12 GMT, Roedy Green
<see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
someone who said :
>MINDPROD.SF is the digital signature. It gives a different SHA-1 digest
>for each member plus a digest for the combined digests. Possibly
>it is a digest of the digest/date time entry/location.
I checked my notes at http://mindprod.com/jgloss/jarsignerexe.html
and discovered these *.SF digests are the digests encrypted with your
private code-signing key. The loader can decrypt them with the public
key included in the jar. It can then verify that the jar contents have
the advertised digest to make sure they have not been tampered with.

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
Peter Mueller - 16 Mar 2008 14:25 GMT
Hello,
On 15 Mar., 10:10, Roedy Green <see_webs...@mindprod.com.invalid>
wrote:
> On Sat, 15 Mar 2008 00:32:39 -0700 (PDT), Peter Mueller
> <peter.o.muel...@gmx.de> wrote, quoted or indirectly quoted someone
[quoted text clipped - 48 lines]
> Roedy Green Canadian Mind Products
> The Java Glossary http://mindprod.com
The problem I have is that it seems not to be possible to recreate the
public key stored in the *.DSA file. Is there a way to do this?
I can store the public key in the jar file. But I thought I could use
the one added by jarsigner.
Any idea?
Peter
EJP - 17 Mar 2008 00:22 GMT
> the problem I have is that it seems not to be possible to recreate the
> public key stored in the *.DSA file. Is there a way to do this?
On a class you know is in the JAR, call
Class.getProtectionDomain().getCodeSource().getCertificates()[0].getPublicKey().
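
The check this answer points at, extended to every entry of the JAR, as an added example that is not part of the original thread. The class and method names (`JarSelfCheck`, `isSigningFile`, `verifyAndGetSignerKey`) are hypothetical, and the sketch assumes the JAR has a single signer.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example; class and method names are hypothetical, not from the thread.
public class JarSelfCheck {
    // MANIFEST.MF and the .SF/.DSA/.RSA/.EC files directly in META-INF are never signed themselves.
    static boolean isSigningFile(String name) {
        String u = name.toUpperCase(Locale.ROOT);
        return u.startsWith("META-INF/") && u.indexOf('/', 9) < 0
            && (u.endsWith("/MANIFEST.MF") || u.endsWith(".SF") || u.endsWith(".DSA")
                || u.endsWith(".RSA") || u.endsWith(".EC"));
    }

    // Reads every entry so JarFile checks its digest, then returns the single signer's key.
    static PublicKey verifyAndGetSignerKey(File jarPath) throws Exception {
        PublicKey key = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSigningFile(e.getName())) continue;
                // Signers are only available once the entry has been read to the end;
                // a digest mismatch throws SecurityException during the read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* discard */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0)
                    throw new SecurityException("unsigned entry: " + e.getName());
                PublicKey k = signers[0].getSignerCertPath().getCertificates().get(0).getPublicKey();
                if (key == null) key = k;
                else if (!key.equals(k))
                    throw new SecurityException("different signer: " + e.getName());
            }
        }
        if (key == null) throw new SecurityException("no signed entries in " + jarPath);
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Locate the JAR this class was loaded from, via the same ProtectionDomain route.
        File self = new File(JarSelfCheck.class.getProtectionDomain().getCodeSource().getLocation().toURI());
        System.out.println("signer key algorithm: " + verifyAndGetSignerKey(self).getAlgorithm());
    }
}
```

The returned key only shows that the JAR is consistently signed by someone; compare it with a key or certificate fingerprint obtained from outside the JAR, because a JAR re-signed with a different key passes the same check.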