Jar package Signature

 

1. encryption, digest, and digital signature (1) public key encryption algorithm

For Public key encryption algorithms, refer to the Wikipedia entry Public-key cryptography.

The public key encryption algorithm is also called asymmetric key encryption algorithm because it contains a public key-private key pair called key pair. That is, key pair = private key + public key.

In terms of function, the two keys share the same role. Messages encrypted with one key can only be decrypted with the other key, and vice versa. The difference between the two keys is who owns/knows it: private key is only known by the key pair creator, and public key is made public. Another feature of key pair is that another key cannot be computed from one key.

Common public key encryption algorithms are RSA and DSA. (TODO: What is the difference ?)

(2) Digital Signature

For more information about Digital signatures, see the Wikipedia entry Digital signature.

The digital signature algorithm is based on the public key encryption algorithm. The process is as follows:

• Generate key pair
• Signature: digest the message to obtain its Hash value. Use the private key to encrypt the message Hash to obtain the digital Signature (Signature)
• Verification: digest the message to obtain its Hash value; unbind the digital signature with the public key to obtain the message Hash; and compare the two Hash values.

Because the private key cannot be forged or computed from the public key, the message sender must be the private key owner, thus ensuring the authenticity of the message source (Authentication) and Non-repudiation ). If the message is damaged or tampered during sending, the Hash value after digest must be inconsistent, and the digital signature verification fails, thus ensuring the Integrity of the message content ).

(3) Message Summary

For more information, see the Wikipedia entry Cryptographic hash function.

The message digest algorithm uses a Hash function to process input data of any length and output data of a fixed length. The output data is called a message digest. The message content cannot be reversed from the message digest. Common message digest algorithms are MD5 and SHA-1. (TODO: What is the difference ?)

2. Jar package signature and Verification

The digital signature and verification process for the Jar package are the same as those described above. The Jar package is the message to be sent. After signing, the Jar package has a built-in digital signature and public key, which can be used by the validators for verification.

In fact, the signed Jar package contains the following content:

• Class files and resource files in the original Jar package
• Signature File META-INF/*. SF: this is a text file that contains the class file in the original Jar package and the Hash of the resource file
• Signature block file META-INF/*. DSA: This is a data file that contains the signer's certificate and digital signature. Certificate contains information about the signatory and the public key. The digital signature is obtained by encrypting the Hash value in the *. SF file with the private key.

(1) Use keytool and jarsigner tools for Jar package signature and Verification

JDK provides keytool and jarsigner tools for Jar package signature and verification.

Keytool is used to generate and manage keystore. Keystore is a data file that stores two types of data related to key pair: private key and certificate, and certificate contains the public key. The entire keystore is protected by a password, and each pair of key pair in the keystore is protected by a separate password. Each pair of key pair is specified with an alias, and alias is case insensitive.

Keytool supports the following algorithms:

• If the public key algorithm is DSA, the Digest algorithm uses SHA-1. This is the default
• If the public key algorithm is RSA, the Digest algorithm uses MD5

Jarsigner reads the keystore and digitally signs the Jar package. Jarsigner can also verify the signed Jar package.

The following uses the tools. jar package in JDK as an example to use keytool and jarsigner to sign and verify it.

Step 2: Use keytool to generate a keystore

Run the following command to generate the keystore named test. ks and the key pair whose alias is testkey.

keytool -keystore test.ks -genkey -alias testkey

Enter information as prompted

=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=<testkey>

Step 2: Use jarsigner to sign the Jar package

Run the command and enter the password of keystore and testkey as prompted. Then, you can sign tools. jar and output it as tools_signed.jar.

jarsigner -keystore test.ks -signedjar tools_signed.jar tools.

 Step 2: Use jarsigner to verify the Jar package

Run the following command to verify whether the Jar package signature is valid:

jarsigner - tools_signed.

Output

Note that the preceding command only uses the signature file in the Jar package to verify whether the public key and the private key generated for the signature are valid key pair, and whether the Jar package content is complete, and does not compare with the keystore. If you need to verify whether the Jar package is signed using a key in a keystore, you can specify the following commands and options:

jarsigner - -verbose -keystore test.ks tools_signed.

The output is as follows. Note that for each class or resource file, the previous status mark contains k, indicating that the matched certificate is found in the keystore, that is, the matched public key is found. To print the certificate details of each class file or resource file, you can add the-certs option.

 ...3384 Tue Jul 19 02:02:54 CST 2011 sun/tools/attach/HotSpotAttachProvider.4597 Tue Jul 19 01:52:50 CST 2011 sun/tools/attach/HotSpotVirtualMachine.3487 Tue Jul 19 02:02:54 CST 2011 sun/tools/attach/WindowsAttachProvider.1001 Tue Jul 19 02:02:54 CST 2011 sun/tools/attach/WindowsVirtualMachine$PipedInputStream.2796 Tue Jul 19 02:02:54 CST 2011 sun/tools/attach/WindowsVirtualMachine.0 Tue Jul 19 01:52:50 CST 2011 sun/tools/jstack/4113 Tue Jul 19 01:52:50 CST 2011 sun/tools/jstack/JStack.0 Tue Jul 19 01:53:02 CST 2011 sun/tools/jinfo/4325 Tue Jul 19 01:53:02 CST 2011 sun/tools/jinfo/JInfo.0 Tue Jul 19 01:52:56 CST 2011 sun/tools/jmap/8177 Tue Jul 19 01:52:56 CST 2011 sun/tools/jmap/JMap.====

(2) program the Jar package Signature Verification

You can use the following API to sign the Jar package at runtime:

• Java. util. jar. JarFile
• Java. util. jar. JarEntry
• Java. security. KeyStore
• Java. security. cert. Certificate

Read certificate in the keystore:

 String ksPath = ...
 String ksPass = ...final HashMap<String, Certificate> certMap = new HashMap<String, Certificate>();
InputStream in = =<String> aliases ===    certMap.put(alias, cert);
}

Verify the Jar package:

 String jarPath = "G:\\tmp\\jar_sign_test\\tools_signed.jar"=  JarFile(jarPath, <JarEntry> entries ==    InputStream in == ( != certs && certs.length > 0= ( ==

According to the JarEntry. getCertificates () method Java doc, the JarEntry data must be fully read before calling. Therefore, a drain () method is called in the code snippet above:

       drain(InputStream in) [] buf =  [512 (-1 !=

The verify () method is used to check whether certificate matches a certificate in the keystore. It mainly uses the Certificate. verify (PublicKey) method:

      String verify(Certificate cert, HashMap<String, Certificate><String> it ==