Java key re-Encryption

Source: Internet
Author: User

JAR files can be signed with the jarsigner tool or directly through the java.security API. A signed JAR file is identical to the original JAR file, except that its manifest is updated and two files are added to the META-INF directory: a signature file and a signature block file.

JAR files are signed with a certificate stored in a keystore, a password-protected database. The certificate entry in the keystore is itself password-protected, and this password must be supplied to the jarsigner tool in order to sign the JAR file.


Each signer of the JAR is represented by a signature file with the .SF extension in the META-INF directory of the JAR file. The file format is similar to that of the manifest file: a set of RFC 822 headers. As shown below, it consists of a main section, which contains information provided by the signer that is not specific to any particular JAR entry, and a series of individual entries, which must also appear in the manifest file. When a signed JAR file is verified, the digest values in the signature file are compared with the digest values computed for the corresponding entries in the JAR file.

Contents of the manifest file META-INF/MANIFEST.MF:

    Manifest-Version: 1.0
    Created-By: 1.3.0 (Sun Microsystems Inc.)

    Name: Sample.java
    SHA1-Digest: 3+DdYW8INICtyG8ZarHlFxX0W6g=

    Name: Sample.class
    SHA1-Digest: YJ5yQHBZBJ3SsTNcHJFqUkfWEmI=

Contents of the signature file META-INF/JAMES.SF:

    Signature-Version: 1.0
    SHA1-Digest-Manifest: HBstZOJBuuTJ6QMIdB90T8sjaOM=
    Created-By: 1.3.0 (Sun Microsystems Inc.)

    Name: Sample.java
    SHA1-Digest: qipMDrkurQcKwnyIlI3Jtrnia8Q=

    Name: Sample.class
    SHA1-Digest: pT2DYby8QXPcCzv2NwpLxd8p4G4=
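The digest chain shown above (MANIFEST.MF digesting each entry's content, the .SF digesting the whole manifest and each of its per-entry sections, which is why the two files carry different digests for the same entry), as an added Python example that is not part of the original post. The file contents are constructed, the signer name JAMES is taken from the page, and the .DSA/.RSA signature block over the .SF is not modelled:

```python
import base64, hashlib, io, zipfile
# Constructed stand-ins for the Sample.java / Sample.class entries shown on the page.
FILES = {"Sample.java": b"class Sample {}\n", "Sample.class": b"\xca\xfe\xba\xbe"}
SEP = b"\r\n\r\n"  # the blank line that terminates each manifest / .SF section

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def entry_sections(text):
    # Yield (entry name, section bytes incl. trailing blank line) for each Name: section.
    for sec in text.split(SEP)[1:]:
        if sec.startswith(b"Name: "):
            yield sec[6:].split(b"\r\n")[0].decode(), sec + SEP

def digests(text):
    # Map entry name -> the SHA1-Digest value recorded in that entry's section.
    return {n: s.split(b"SHA1-Digest: ")[1].split(b"\r\n")[0].decode()
            for n, s in entry_sections(text)}

def build_signed_jar(files, stored=None):
    # MANIFEST.MF digests file contents; JAMES.SF digests the manifest and its sections.
    # 'stored' (if given) is what actually lands in the jar, to simulate a post-signing edit.
    mf = b"Manifest-Version: 1.0" + SEP
    for name, data in files.items():
        mf += b"Name: %s\r\nSHA1-Digest: %s" % (name.encode(), b64sha1(data).encode()) + SEP
    sf = b"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: " + b64sha1(mf).encode() + SEP
    for name, sec in entry_sections(mf):
        sf += b"Name: %s\r\nSHA1-Digest: %s" % (name.encode(), b64sha1(sec).encode()) + SEP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/JAMES.SF", sf)
        for name, data in (stored or files).items():
            z.writestr(name, data)
    return buf.getvalue()

def verify(jar_bytes):
    # Return the names whose digest chain is broken; [] means every digest checked out.
    # The .DSA/.RSA signature block over JAMES.SF itself is outside this check.
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        mf, sf = z.read("META-INF/MANIFEST.MF"), z.read("META-INF/JAMES.SF")
        if sf.split(b"SHA1-Digest-Manifest: ")[1].split(b"\r\n")[0].decode() != b64sha1(mf):
            bad.append("META-INF/MANIFEST.MF")
        mf_sections = dict(entry_sections(mf))
        for name, want in digests(sf).items():   # .SF entry -> manifest section
            if b64sha1(mf_sections.get(name, b"")) != want:
                bad.append(name)
        for name, want in digests(mf).items():   # manifest entry -> file content
            if name not in z.namelist() or b64sha1(z.read(name)) != want:
                bad.append(name)
    return sorted(set(bad))
```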


A digital signature file is the signed version of the .SF signature file. It is a binary file with the same base name as the .SF file but a different extension; the extension depends on the digital signature type (RSA, DSA, or PGP) and on the type of certificate used to sign the JAR.

To sign a JAR file, you must first have a private key. Private keys and their associated public-key certificates are stored in keystores, which are password-protected databases. The JDK includes tools for creating and modifying keystores. Each key in a keystore is identified by an alias, usually the name of the signer who owns the key.

All keystore entries (key entries and trusted certificate entries) are accessed through a unique alias. The alias is specified when an entry is added to the keystore, for example when the keytool -genkey command generates a key pair (public key and private key). Later keytool commands must use the same alias to refer to that entry.

For example, to generate a new public/private key pair under the alias "james" and wrap the public key in a self-signed certificate, run the following command:

    keytool -genkey -alias james -keypass jamespass \
            -validity 80 -keystore jamesKeyStore \
            -storepass jamesKeyStorePass

This command specifies an initial key password "jamespass". Subsequent commands must supply this password to access the private key associated with the alias "james" in the keystore "jamesKeyStore". If the keystore "jamesKeyStore" does not exist, keytool creates it automatically.

The jarsigner tool uses a keystore to generate or verify the digital signature of a JAR file.

Assume that the keystore "jamesKeyStore" was created as in the preceding example and contains a key with the alias "james". You can sign a JAR file with the following command:

    jarsigner -keystore jamesKeyStore -storepass jamesKeyStorePass \
              -keypass jamespass -signedjar SSample.jar Sample.jar james

This command opens the keystore "jamesKeyStore" with the keystore password "jamesKeyStorePass", extracts the key with the alias "james" using the key password "jamespass", signs Sample.jar with that key, and writes the signed JAR as SSample.jar.

The jarsigner tool can also verify a signed JAR file, which is much simpler than signing one. You only need to run the following command:

    jarsigner -verify SSample.jar

If the signed JAR file has not been tampered with, jarsigner reports that the JAR verified. Otherwise, it throws a SecurityException indicating which files failed verification.

You can also sign JARs programmatically with the java.util.jar and java.security APIs (see the references for details), or with tools such as the Netscape Object Signing tool.

Stripping the old signature from a signed JAR and re-signing it

1. resign.sh script (strips the old signature, adds the new signature, adds an index)

#!/bin/sh
# $Id: resign.sh,v 1.3 2002/07/02 13:57:32 mvw Exp $
# This script re-signs the jars
# (removes the old signature, adds the new signature)

# settings for the present Foo server
JDK=/usr/java/j2sdk1.4.0

KEYSTORE=../../frontend/WebStart/key/fookeystore

# pulls in $UNSIGNED_FILES
. ./files.sh

for i in $UNSIGNED_FILES
do
  echo "---"
  echo "unpacking $i.."
  TMP="tmp-$i"
  mkdir "$TMP"
  cd "$TMP" || exit 1
  unzip -q "../$i"
  chmod -R u+rwx *
  find . -type f | xargs chmod u-x
  echo "changing META-INF stuff.."
  cd META-INF || exit 1
  rm -f *.SF
  rm -f *.DSA
  # determine the line number of the first blank line in MANIFEST.MF
  # (a blank line here is any line that contains no letter/number);
  # everything after it is the per-entry digest sections of the old
  # signature, which are dropped so that jarsigner regenerates them
  CUT=`egrep -nv '^.*[a-zA-Z0-9]+.*$' MANIFEST.MF | sed s/:// | head -1 | tr -d " "`
  if [ -z "$CUT" ];
  then
    echo "no cut detected";
  else
    echo "cutting MANIFEST.MF at line $CUT.." &&
    head -n "$CUT" MANIFEST.MF > m.mf &&
    rm -f MANIFEST.MF &&
    mv m.mf MANIFEST.MF &&
    cat MANIFEST.MF;
  fi
  echo "repacking $i.."
  cd ..
  rm -f "../$i"
  zip -q9r "../$i" .
  cd ..
  rm -rf "$TMP"
  echo "signing $i.."
  # note: a password passed on the command line is visible to other users via ps
  "$JDK/bin/jarsigner" -keystore "$KEYSTORE" -storepass foopassword "$i" fookeyname
  echo "verifying the signatures of $i.."
  "$JDK/bin/jarsigner" -verify "$i"
  echo "indexing $i.."
  "$JDK/bin/jar" -i "$i"
done


2. files.sh (the list of files to treat)

# $Id: files.sh,v 1.1 2002/05/07 16:35:18 mvw Exp $
# files list

# watch out for
# - the double quotes,
# - the trailing space inside each quoted string,
# - the backslash immediately following each closing quote

UNSIGNED_FILES=\
"foo1.jar "\
"foo2.jar "\
"foo3.jar "\
"foo-help.jar"
For the original post, see:

http://blog.csdn.net/hunterK/archive/2006/09/06/1186742.aspx
