Reprints are welcome; please cite the source: http://blog.csdn.net/yfqnihao/article/details/8267669
Course Source: http://download.csdn.net/detail/yfqnihao/4866500
This section is practice-oriented. Before we do the exercises, I hope you have understood the concepts mentioned in Note Seven, or at least have the big picture of Note Seven in mind.
All right! For those of you who are accustomed to using Eclipse, today you will have to set up the JDK environment yourself. Let's build a jar and sign it!
The first step: configure the JDK environment variables. If your computer is already configured, skip this step.
path=%java_home%/bin
java_home=c:/java/jdk1.6.0_01
classpath=.;%java_home%/lib/dt.jar;%java_home%/lib/tools.jar
Once these JDK environment variables are configured, run java and javac in cmd to check that the commands work. If the configuration succeeded, go on to the second step.
The second step: write a few simple classes, simple enough for anyone. You can copy my code directly; if there are parts you do not understand, ignore them. This experiment is only about signing the jar files. The logic of this example code is used later, so there is no need to read it closely now.
The first class, Doer
package com.yfq.test;

// Common interface implemented by Friend and Stranger.
public abstract interface Doer {
    void doYourThing();
}
The second class, Friend
package com.yfq.test.friend;

import java.security.AccessController;
import java.security.PrivilegedAction;

import com.yfq.test.Doer;

public class Friend implements Doer {
    private Doer next;
    private boolean direct;

    public Friend(Doer next, boolean direct) {
        this.next = next;
        this.direct = direct;
    }

    @Override
    public void doYourThing() {
        System.out.println("Im a Friend");
        if (direct) {
            // Plain call: the whole call stack takes part in permission checks.
            next.doYourThing();
        } else {
            // Privileged call: permission checks stop at this class's frame.
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    next.doYourThing();
                    return null;
                }
            });
        }
    }
}
The third class, Stranger
package com.yfq.test.stranger;

import java.security.AccessController;
import java.security.PrivilegedAction;

import com.yfq.test.Doer;

public class Stranger implements Doer {
    private Doer next;
    private boolean direct;

    public Stranger(Doer next, boolean direct) {
        this.next = next;
        this.direct = direct;
    }

    @Override
    public void doYourThing() {
        System.out.println("Im A Stranger");
        if (direct) {
            // Plain call: the whole call stack takes part in permission checks.
            next.doYourThing();
        } else {
            // Privileged call: permission checks stop at this class's frame.
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    next.doYourThing();
                    return null;
                }
            });
        }
    }
}
Now compile. Use the powerful Eclipse: right-click the project, then Build Project (we have the tools, so don't waste these powerful features!).
The third step: build the jar packages. Eclipse has a function for exporting jar packages. As I always say, having tools and not using them is not clever, it is foolish.
Step one, right-click the project, then Export, Java, JAR file, Next.
Step two, expand the directory listing and package com.yfq.test.friend and com.yfq.test.stranger separately (Friend.jar, Stranger.jar). Put them wherever you like, as long as you remember where; I will assume they are placed in the root of the D drive.
The fourth step: use the Java keytool to generate key pairs and the Java jarsigner to do the signing (remember that in Note Seven we said the hash digest is encrypted with asymmetric encryption? That needs two different keys). Follow me step by step.
Step one, open a cmd window and change into the directory where Friend.jar and Stranger.jar are stored. Assuming the jar files are on the D drive, entering the drive letter D: is enough.
Step two, in the cmd window, enter
keytool -genkey -keystore ijvmkeys.keystore -keyalg rsa -validity 10000 -alias friend.keystore
This generates the first key pair. The alias of this key pair is friend.keystore, the encryption algorithm used is RSA, the key pair is valid for 10,000 days, and the key pair is stored in the file ijvmkeys.keystore. We set both the password for viewing ijvmkeys.keystore and the password for viewing the friend.keystore key pair to 123456.
Note: pay special attention when entering the first and last name. Do not fill it in carelessly, otherwise the later signing will fail. We generally write it in the form of a network domain name, such as www.keycoding.com.
Step three, in the cmd window, enter
keytool -genkey -keystore ijvmkeys.keystore -keyalg rsa -validity 10000 -alias stranger.keystore
Proceed as in step two. This step generates a key pair with the alias stranger.keystore.
OK, the key pairs are generated. Check whether the directory with your jar files now contains an additional file, ijvmkeys.keystore. It does: this is the generated file that holds the key pairs.
Step four, view the generated key file. In the cmd window, enter
keytool -list -v -keystore ijvmkeys.keystore
Step five, digest the jar and encrypt the hash digest to generate the signature, which is placed at the tail of the jar file structure.
In the cmd window, enter:
jarsigner -verbose -keystore ijvmkeys.keystore Friend.jar friend.keystore
jarsigner -verbose -keystore ijvmkeys.keystore Stranger.jar stranger.keystore
Step six, right-click Friend.jar and Stranger.jar, open them with a RAR archive tool, and check whether two additional files have been generated in the META-INF directory.
As for what these two additional files are for, I will explain briefly. First, the names, which are eight characters long: by default the first eight characters of our key pair alias are used as the name, and because our key pair alias is friend.keystore, the '.' in the generated name is replaced by an underscore. If you want to specify the name yourself, add the parameter -sigfile xxxx after keytool.
In addition, let's briefly unfold the file FRIEND_K.SF:
Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: qhukayw2mtcop4vlrhjjddro1fq=
Created-By: 1.6.0_12 (Sun Microsystems Inc.)
SHA1-Digest-Manifest: yepdyfc1+fvdy1picj6wvutjafe=

Name: com/yfq/test/friend/Friend$1.class
SHA1-Digest: mj79v3+yksrazxghpyfghody4du=

Name: com/yfq/test/friend/Friend.class
SHA1-Digest: tqpff2lz4ol8ej3tq2ibvvtduj0=
It contains the signature version, the signer, the names of the signed classes, and the hash digest for each class. The fourth line is a digest of the entire file, used for validating the jar package.
The FRIEND_K.DSA file: the SF file is signed, and the signature is placed in the .DSA file. The .DSA file also contains, encoded inside it, the certificate or certificate chain from the keystore, which identifies the public key corresponding to the private key used for signing.
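The digest chain behind the .SF file shown above, as an added example in Python (not code from the original article): each manifest section carries the digest of one file, and the .SF carries digests of the whole manifest and of each manifest section. The file contents are constructed placeholders, and the sketch assumes CRLF line endings and no 72-byte continuation lines.

```python
import base64
import hashlib

def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def sections(raw: bytes) -> list:
    """Split manifest-style bytes into sections, each keeping its blank line."""
    return [s + b"\r\n\r\n" for s in raw.split(b"\r\n\r\n") if s]

def attrs(section: bytes) -> dict:
    """Parse the 'Key: value' lines of one section (no continuation lines)."""
    return dict(l.split(": ", 1) for l in section.decode().strip().split("\r\n"))

def build_manifest(files: dict) -> bytes:
    """MANIFEST.MF: one section per file, holding the digest of the file bytes."""
    out = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        out += f"Name: {name}\r\nSHA1-Digest: {b64_sha1(data)}\r\n\r\n"
    return out.encode("utf-8")

def build_sf(manifest: bytes) -> bytes:
    """.SF: digests of the whole manifest, its main section and each entry section."""
    main, *entries = sections(manifest)
    out = ("Signature-Version: 1.0\r\n"
           f"SHA1-Digest-Manifest-Main-Attributes: {b64_sha1(main)}\r\n"
           f"SHA1-Digest-Manifest: {b64_sha1(manifest)}\r\n\r\n")
    for sec in entries:
        out += f"Name: {attrs(sec)['Name']}\r\nSHA1-Digest: {b64_sha1(sec)}\r\n\r\n"
    return out.encode("utf-8")

def verify(files: dict, manifest: bytes, sf: bytes) -> list:
    """Return the broken links in the chain files -> manifest -> .SF."""
    problems = []
    sf_main, *sf_entries = [attrs(s) for s in sections(sf)]
    if sf_main["SHA1-Digest-Manifest"] != b64_sha1(manifest):
        problems.append("manifest")
    signed = {e["Name"]: e["SHA1-Digest"] for e in sf_entries}
    for sec in sections(manifest)[1:]:
        entry = attrs(sec)
        if signed.get(entry["Name"]) != b64_sha1(sec):
            problems.append("section:" + entry["Name"])
        if entry["SHA1-Digest"] != b64_sha1(files[entry["Name"]]):
            problems.append("file:" + entry["Name"])
    return problems

# Constructed sample input (placeholder bytes, not a real class file).
FILES = {"com/yfq/test/friend/Friend.class": b"constructed class bytes"}
MANIFEST = build_manifest(FILES)
SF = build_sf(MANIFEST)
```

Changing a class breaks its digest in the manifest, and re-hashing the manifest to hide the change breaks the digests in the .SF, which is the file the signature covers.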
Step seven, verify the jar packages. In cmd, enter
jarsigner -verify Friend.jar
jarsigner -verify Stranger.jar
Here, the JAR signature experiment is complete!!!!!
Looking back at step four above, let's verify what was said in the notes.
1. We said the hash digest is a 128-bit value, right? Look at the certificate fingerprint line, MD5: ....
Count the total number of hexadecimal digits: 32. One hexadecimal digit can be expressed with 4 bits, so how many bits is that in total? 32*4=128. But there is also a SHA1 line, and it seems to be longer than 128 bits. That is right: there are various hash functions, and which one to use, MD5 or SHA1, depends on what you like. Which hash function to use can be specified: the keytool parameter -keyalg "DSA" is used to specify the hash algorithm, and the default is DSA. In general a 128-bit hash is already safe.
2. In Note Seven, remember the bottom of the chart: a certification authority authenticates the public key used to decrypt the signature (the encrypted hash digest), that is, it encrypts the public key, and issues a certificate. We do not have a certification authority here. Did you have this question?
When keytool generates a key pair it also generates a self-signed certificate (self-signed means: if there is no certification authority at hand, you can use the private key to sign the public key and produce a self-signed certificate).
Summary:
In this chapter we learned to sign a jar. A jar can be signed by several organizations or authors at the same time. The experiment looks complex but is actually simple. If you want to know more about jar package signing, I recommend this article (http://blog.csdn.net/yangxt/article/details/1796965). I benefited a great deal from it when I was studying jar package signing myself, and I hope it is helpful to you.
Disclaimer: the summary in the above article borrows from the work of other authors and is intended only for learning and exchange.
Java JVM Learning Note Eight (implementing code signing for a jar package)