Accessing the public key stored in a signed jar


Peter Mueller

Hello,

I signed a jar file and a document (later on) with the same private key.

Now I want to use the public key that keysiger stored in the jar file to verify the signed document. I want to do the verification with code stored in the jar file.
Is there a class available in the SDK to access the private key in the jar's *.dsa file?
Is there a way to access the Jar file the code is currently running from?

Or do I miss something and this makes no sense?

Thanks,
Peter
 

Roedy Green

I want to do the verification with code stored in the
jar file.
Is there a class available in the SDK to access the private key in the
jar's *.dsa file?

You can use the jar or zip classes to get at the files
META-INF/MANIFEST.MF
META-INF/MINDPROD.DSA
META-INF/MINDPROD.SF

That is probably lower level than you wanted.


manifest.mf gives the sha1 digests of each member e.g.

Manifest-Version: 1.0
Created-By: Jakarta Ant 1.7.0 (December 13 2006)
Main-Class: com.mindprod.setclock.SetClock

Name: com/mindprod/inwords/TimeInterval.class
SHA1-Digest: kGqocqQUkOGLBQtEjBjPm6a8FNA=
Last-Modified: Tue, 11 Mar 2008 10:25:33 PDT
Content-Location: E:\com\mindprod\inwords\TimeInterval.class

Name: com/mindprod/common11/Misc.class
SHA1-Digest: p7J0gVoPf1KAMW4PuoMtkncNnME=
Last-Modified: Tue, 11 Mar 2008 10:25:19 PDT
Content-Location: E:\com\mindprod\common11\Misc.class

MINDPROD.DSA is the public key

MINDPROD.SF is the digital signature. It gives a different SHA-1 digest
for each member plus a digest for the combined digests. Possibly
it is a digest of the digest/date time entry/location.


Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: aL3d4UOM690jmWDCsc9XT6uLjq4=
Created-By: 1.6.0_05 (Sun Microsystems Inc.)
SHA1-Digest-Manifest: 9TyEat69V3T5iRyK9e5VpFl2ro0=

Name: com/mindprod/inwords/TimeInterval.class
SHA1-Digest: fLlFOiYTObeknHZMeFD58Maf8KM=

Name: com/mindprod/common11/Misc.class
SHA1-Digest: l2uzaq9egG4VjCqKyBsOoDeTWe0=
 

Roedy Green

MINDPROD.SF is the digital signature. It gives a different SHA-1 digest
for each member plus a digest for the combined digests. Possibly
it is a digest of the digest/date time entry/location.

I checked my notes at http://mindprod.com/jgloss/jarsignerexe.html
and discovered these *.SF digests are the digests encrypted with your
private code-signing key. The loader can decrypt them with the public
key included in the jar. It can then verify that the jar contents have
the advertised digest to make sure they have not been tampered with.
 

Peter Mueller

Hello,

You can use the jar or zip classes to get at the files
META-INF/MANIFEST.MF
META-INF/MINDPROD.DSA
META-INF/MINDPROD.SF

That is probably lower level than you wanted.

manifest.mf gives the sha1 digests of each member e.g.

Manifest-Version: 1.0
Created-By: Jakarta Ant 1.7.0 (December 13 2006)
Main-Class: com.mindprod.setclock.SetClock

Name: com/mindprod/inwords/TimeInterval.class
SHA1-Digest: kGqocqQUkOGLBQtEjBjPm6a8FNA=
Last-Modified: Tue, 11 Mar 2008 10:25:33 PDT
Content-Location: E:\com\mindprod\inwords\TimeInterval.class

Name: com/mindprod/common11/Misc.class
SHA1-Digest: p7J0gVoPf1KAMW4PuoMtkncNnME=
Last-Modified: Tue, 11 Mar 2008 10:25:19 PDT
Content-Location: E:\com\mindprod\common11\Misc.class

MINDPROD.DSA is the public key

MINDPROD.SF is the digital signature. It gives a different SHA-1 digest
for each member plus a digest for the combined digests. Possibly
it is a digest of the digest/date time entry/location.

Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: aL3d4UOM690jmWDCsc9XT6uLjq4=
Created-By: 1.6.0_05 (Sun Microsystems Inc.)
SHA1-Digest-Manifest: 9TyEat69V3T5iRyK9e5VpFl2ro0=

Name: com/mindprod/inwords/TimeInterval.class
SHA1-Digest: fLlFOiYTObeknHZMeFD58Maf8KM=

Name: com/mindprod/common11/Misc.class
SHA1-Digest: l2uzaq9egG4VjCqKyBsOoDeTWe0=

The problem I have is that it seems not to be possible to recreate the
public key stored in the *.DSA file. Is there a way to do this?

I can store the public key in the jar file. But I thought I can use
the one added by jarsigner.

Any idea,
Peter
 

EJP

Peter said:
the problem I have is that it seems not to be possible to recreate the
public key stored in the *.DSA file. Is there a way to do this?

On a class you know is in the JAR, call
Class.getProtectionDomain().getCodeSource().getCertificates()[0].getPublicKey().
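
The call chain from the reply above, expanded into a runnable verifier. This is an added example, not code posted by anyone in the thread; the class name `VerifyWithJarKey`, the command-line arguments and the optional fingerprint argument are assumptions. A match only shows that the document was signed with the same key as the JAR, so the key fingerprint is printed for comparison against a value obtained out of band.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;

public class VerifyWithJarKey {

    /** Public key of the first signer of the JAR that 'anchor' was loaded from. */
    static PublicKey signerKey(Class<?> anchor) {
        CodeSource cs = anchor.getProtectionDomain().getCodeSource();
        // getCertificates() returns null when the code source is unsigned.
        Certificate[] certs = (cs == null) ? null : cs.getCertificates();
        if (certs == null || certs.length == 0) {
            throw new IllegalStateException("class was not loaded from a signed JAR");
        }
        return certs[0].getPublicKey(); // the signer certificate comes first in the array
    }

    /** Base64 SHA-256 of the encoded key, for comparison with a known-good value. */
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    static boolean verify(PublicKey key, String algorithm, byte[] document, byte[] signature)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(algorithm); // e.g. "SHA1withDSA"
        verifier.initVerify(key);
        verifier.update(document);
        return verifier.verify(signature);
    }

    // Usage: java -cp signed.jar VerifyWithJarKey <document> <signature> <algorithm> [fingerprint]
    public static void main(String[] args) throws Exception {
        PublicKey key = signerKey(VerifyWithJarKey.class);
        System.out.println("signer key SHA-256: " + fingerprint(key));
        // A re-signed JAR carries the re-signer's key, so reject an unexpected fingerprint.
        if (args.length > 3 && !fingerprint(key).equals(args[3])) {
            throw new SecurityException("signer key does not match the expected fingerprint");
        }
        byte[] document = Files.readAllBytes(Paths.get(args[0]));
        byte[] signature = Files.readAllBytes(Paths.get(args[1]));
        System.out.println(verify(key, args[2], document, signature) ? "VALID" : "INVALID");
    }
}
```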
 
