Accessing the public key stored in a signed jar

Discussion in 'Java' started by Peter Mueller, Mar 15, 2008.

  1. Hello,

    I signed a jar file and a document (later on) with the same private
    key.

    Now I want to use the public key that keysiger stored in the jar file
    to verify the
    signed document. I want to do the verification with code stored in the
    jar file.
    Is there a class available in the SDK to access the private key in the
    jar's *.dsa file?
    Is there a way to access the Jar file the code is currently running
    from?

    Or do I miss someting and this makes no sense?

    Thanks,
    Peter
     
    Peter Mueller, Mar 15, 2008
    #1
    1. Advertising

  2. Peter Mueller

    Roedy Green Guest

    On Sat, 15 Mar 2008 00:32:39 -0700 (PDT), Peter Mueller
    <> wrote, quoted or indirectly quoted someone
    who said :

    >I want to do the verification with code stored in the
    >jar file.
    >Is there a class available in the SDK to access the private key in the
    >jar's *.dsa file?


    you can the jar or zip classes to get at the files
    META-INF/MANIFEST.MF
    META-INF/MINDPROD.DSA
    META-INF/MINDPROD.SF

    That is probably lower level than you wanted.


    manifest.mf gives the sha1 digests of each member e.g.

    Manifest-Version: 1.0
    Created-By: Jakarta Ant 1.7.0 (December 13 2006)
    Main-Class: com.mindprod.setclock.SetClock

    Name: com/mindprod/inwords/TimeInterval.class
    SHA1-Digest: kGqocqQUkOGLBQtEjBjPm6a8FNA=
    Last-Modified: Tue, 11 Mar 2008 10:25:33 PDT
    Content-Location: E:\com\mindprod\inwords\TimeInterval.class

    Name: com/mindprod/common11/Misc.class
    SHA1-Digest: p7J0gVoPf1KAMW4PuoMtkncNnME=
    Last-Modified: Tue, 11 Mar 2008 10:25:19 PDT
    Content-Location: E:\com\mindprod\common11\Misc.class

    MINDPROD.DSA is the public key

    MINDPROD.SF is the digital signature.It gives a different SHA-1 digest
    for each member plus a digest for the the combined digests. Possibly
    it is a digest of the digest/date time entry/location.


    Signature-Version: 1.0
    SHA1-Digest-Manifest-Main-Attributes: aL3d4UOM690jmWDCsc9XT6uLjq4=
    Created-By: 1.6.0_05 (Sun Microsystems Inc.)
    SHA1-Digest-Manifest: 9TyEat69V3T5iRyK9e5VpFl2ro0=

    Name: com/mindprod/inwords/TimeInterval.class
    SHA1-Digest: fLlFOiYTObeknHZMeFD58Maf8KM=

    Name: com/mindprod/common11/Misc.class
    SHA1-Digest: l2uzaq9egG4VjCqKyBsOoDeTWe0=
    --

    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
     
    Roedy Green, Mar 15, 2008
    #2
    1. Advertising

  3. Peter Mueller

    Roedy Green Guest

    On Sat, 15 Mar 2008 09:10:12 GMT, Roedy Green
    <> wrote, quoted or indirectly quoted
    someone who said :

    >MINDPROD.SF is the digital signature.It gives a different SHA-1 digest
    >for each member plus a digest for the the combined digests. Possibly
    >it is a digest of the digest/date time entry/location.


    I checked my notes at http://mindprod.com/jgloss/jarsignerexe.html
    and discovered these *.SF digests are the digests encrypted with your
    private code-signing key. The loader can decrypt them with the public
    key included in the jar. It can then verify that the jar contents have
    the advertised digest to make sure they have not been tampered with.

    --

    Roedy Green Canadian Mind Products
    The Java Glossary
    http://mindprod.com
     
    Roedy Green, Mar 15, 2008
    #3
  4. Hello,

    On 15 Mrz., 10:10, Roedy Green <>
    wrote:
    > On Sat, 15 Mar 2008 00:32:39 -0700 (PDT), Peter Mueller
    > <> wrote, quoted or indirectly quoted someone
    > who said :
    >
    > >I want to do the verification with code stored in the
    > >jar file.
    > >Is there a class available in the SDK to access the private key in the
    > >jar's *.dsa file?

    >
    > you can the jar or zip classes to get at the files
    > META-INF/MANIFEST.MF
    > META-INF/MINDPROD.DSA
    > META-INF/MINDPROD.SF
    >
    > That is probably lower level than you wanted.
    >
    > manifest.mf gives the sha1 digests of each member e.g.
    >
    > Manifest-Version: 1.0
    > Created-By: Jakarta Ant 1.7.0 (December 13 2006)
    > Main-Class: com.mindprod.setclock.SetClock
    >
    > Name: com/mindprod/inwords/TimeInterval.class
    > SHA1-Digest: kGqocqQUkOGLBQtEjBjPm6a8FNA=
    > Last-Modified: Tue, 11 Mar 2008 10:25:33 PDT
    > Content-Location: E:\com\mindprod\inwords\TimeInterval.class
    >
    > Name: com/mindprod/common11/Misc.class
    > SHA1-Digest: p7J0gVoPf1KAMW4PuoMtkncNnME=
    > Last-Modified: Tue, 11 Mar 2008 10:25:19 PDT
    > Content-Location: E:\com\mindprod\common11\Misc.class
    >
    > MINDPROD.DSA is the public key
    >
    > MINDPROD.SF is the digital signature.It gives a different SHA-1 digest
    > for each member plus a digest for the the combined digests. Possibly
    > it is a digest of the digest/date time entry/location.
    >
    > Signature-Version: 1.0
    > SHA1-Digest-Manifest-Main-Attributes: aL3d4UOM690jmWDCsc9XT6uLjq4=
    > Created-By: 1.6.0_05 (Sun Microsystems Inc.)
    > SHA1-Digest-Manifest: 9TyEat69V3T5iRyK9e5VpFl2ro0=
    >
    > Name: com/mindprod/inwords/TimeInterval.class
    > SHA1-Digest: fLlFOiYTObeknHZMeFD58Maf8KM=
    >
    > Name: com/mindprod/common11/Misc.class
    > SHA1-Digest: l2uzaq9egG4VjCqKyBsOoDeTWe0=
    > --
    >
    > Roedy Green Canadian Mind Products
    > The Java Glossaryhttp://mindprod.com


    the problem I have is that it seems not to be possible to recreate the
    public key stored in the *.DSA file. Is there a way to do this?

    I can store the public key in the jar file. But I thought I can use
    the one added by jarsigner.

    Any idea,
    Peter
     
    Peter Mueller, Mar 16, 2008
    #4
  5. Peter Mueller

    EJP Guest

    Peter Mueller wrote:
    > the problem I have is that it seems not to be possible to recreate the
    > public key stored in the *.DSA file. Is there a way to do this?


    On a class you know is in the JAR, call
    Class.getProtectionDomain().getCodeSource().getCertificates()[0].getPublicKey().
     
    EJP, Mar 16, 2008
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Charles A. Lackman
    Replies:
    1
    Views:
    1,447
    smith
    Dec 8, 2004
  2. SpamProof
    Replies:
    0
    Views:
    643
    SpamProof
    Oct 21, 2003
  3. Arnold Peters
    Replies:
    0
    Views:
    632
    Arnold Peters
    Jan 5, 2005
  4. Replies:
    0
    Views:
    349
  5. Bob Rock
    Replies:
    2
    Views:
    195
    Michel Gallant
    May 16, 2004
Loading...

Share This Page