Tuesday, May 18, 2010

Signing Jar File

jarsigner -keystore myKeys.jks -sigfile SIGNATURE -signedjar target.jar jPlurk.jar myKeys
(-keystore names the keystore file, -signedjar names the signed jar to produce, and the last argument myKeys is the keystore alias; note that the listing further down shows the signature files as SIGNATUR.SF and SIGNATUR.DSA, i.e. the -sigfile base name cut to eight characters)

Run jar tvf target.jar to view its contents; signing has added a pair of signature files, .SF and .DSA.

The content of MANIFEST.MF is as follows:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
X-COMMENT: Main-Class will be added automatically by build
Class-Path: lib/httpclient-4.0.jar lib/httpmime-4.0.jar lib/httpcore-4
.0.1.jar lib/commons-logging-1.1.1.jar lib/json_simple-1.1.jar lib/ro
me-1.0.jar lib/jdom.jar lib/commons-codec-1.4.jar lib/commons-lang-2.
4.jar lib/commons-pool.jar lib/commons-beanutils.jar lib/commons-coll
ections-3.2.jar lib/commons-dbcp.jar
Created-By: 14.0-b16 (Sun Microsystems Inc.)
Main-Class: plurkbot.PlurkBot

Name: util/rsa/Enc_RSA.class
SHA1-Digest: ijuZMiZBZsFI2uzaEPS21BEAlUA=

Name: plurkbot/PlurkBot.class
SHA1-Digest: gWtRJzsWc6y4tpyojSLZayItgqE=

Name: plurkbot/RSSReader.class
SHA1-Digest: RuN4Yplm+osh1Gl2SQUSNc9ayhQ=

Name: plurkbot/KeyFinder.class
SHA1-Digest: DOlsuXgpTd5+WqjEF43THJwTCDU=

Name: util/rsa/Dec_RSA.class
SHA1-Digest: Xr+XbYnikxc5nb4NSuHrhNK0JQ0=

Name: util/rsa/Skey_RSA.class
SHA1-Digest: qSpAs93F+pAn03E43+/MidO2/Ig=

The content of the .SF file is as follows:

Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: m0AqR3Yv7Ue3Ktu7XcBNksOBR9o=
Created-By: 1.6.0_14 (Sun Microsystems Inc.)
SHA1-Digest-Manifest: RowSgzBOLnT02SP9Rp22mDeWZZ8=

Name: util/rsa/Enc_RSA.class
SHA1-Digest: zBTBXQToj5H/0IFeao2C+oklyAM=

Name: plurkbot/PlurkBot.class
SHA1-Digest: Ei29dS5puQcnJUjrUvGiUtNXAEU=

Name: plurkbot/RSSReader.class
SHA1-Digest: z20rQN0mplLb05oHMUuBO9mAsCY=

Name: plurkbot/KeyFinder.class
SHA1-Digest: ywdvBXjuycDOjEhLOZpFezEx6mQ=

Name: util/rsa/Dec_RSA.class
SHA1-Digest: lLcZO+xugO/S5hxLhWHn+aGGJZQ=

Name: util/rsa/Skey_RSA.class
SHA1-Digest: eqrG/z+pwfT6dxodDvNzbikRRFw=


To verify the jar file, use
jarsigner -verify -verbose target.jar (-verbose prints detailed information)
The verification steps are as follows:
1. Verify the digital signature block file (.DSA) with the public key, which confirms that the signature was made with the matching private key; the .SF file is also used in this step.
2. Check that the hash value in the .SF file matches the hash of MANIFEST.MF.
3. Check that the hash value of each file listed in the .SF file matches the one in MANIFEST.MF.
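Steps 2 and 3 are pure digest comparisons between the two text files shown above, so they can be reproduced outside of jarsigner. The following is an added example, not code from the post: it splits a manifest into sections, rebuilds the .SF digests from a manifest, and checks an .SF against a manifest, reporting what a modified manifest breaks. It assumes that each digest covers the raw bytes of a section including its terminating blank line (as java.util.jar's ManifestDigester does); the sample MANIFEST is constructed, with entry digests copied from the manifest above.

```python
import base64
import hashlib

def split_sections(raw: bytes) -> list:
    # Each section keeps its blank terminator: the digests cover exactly those bytes
    # (assumption matching java.util.jar's ManifestDigester; main section comes first).
    sections, cur = [], b""
    for line in raw.splitlines(keepends=True):
        cur += line
        if line.strip() == b"":
            sections, cur = sections + [cur], b""
    return sections + ([cur] if cur else [])

def parse_attrs(section: bytes) -> dict:
    # "Key: value" lines; a leading space continues the previous value (cf. Class-Path above).
    attrs, key = {}, None
    for line in section.decode("utf-8").splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
    return attrs

def sha1_b64(data: bytes) -> str: return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_sf(manifest: bytes) -> bytes:
    # The .SF jarsigner derives from a manifest; the .DSA block is a signature over these bytes.
    secs = split_sections(manifest)
    sf = b"Signature-Version: 1.0\r\nSHA1-Digest-Manifest-Main-Attributes: %s\r\nSHA1-Digest-Manifest: %s\r\n\r\n" % (
        sha1_b64(secs[0]).encode(), sha1_b64(manifest).encode())
    for sec in secs[1:]:
        sf += b"Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (parse_attrs(sec)["Name"].encode(), sha1_b64(sec).encode())
    return sf

def verify_sf(manifest: bytes, sf: bytes) -> list:
    # Steps 2 and 3 of the verification above; returns the mismatches found (empty list = OK).
    m_secs, sf_secs = split_sections(manifest), split_sections(sf)
    main, problems = parse_attrs(sf_secs[0]), []
    for attr, data in (("SHA1-Digest-Manifest", manifest), ("SHA1-Digest-Manifest-Main-Attributes", m_secs[0])):
        if main.get(attr) != sha1_b64(data):
            problems.append(attr + " mismatch")
    by_name = {parse_attrs(s)["Name"]: s for s in m_secs[1:]}
    for a in (parse_attrs(s) for s in sf_secs[1:]):  # a section missing from the manifest mismatches too
        if a.get("SHA1-Digest") != sha1_b64(by_name.get(a["Name"], b"")):
            problems.append(a["Name"] + ": section digest mismatch")
    return problems

MANIFEST = (  # constructed sample shaped like the manifest above (entry digests copied from it)
    b"Manifest-Version: 1.0\r\nMain-Class: plurkbot.PlurkBot\r\n\r\n"
    b"Name: plurkbot/PlurkBot.class\r\nSHA1-Digest: gWtRJzsWc6y4tpyojSLZayItgqE=\r\n\r\n"
    b"Name: util/rsa/Enc_RSA.class\r\nSHA1-Digest: ijuZMiZBZsFI2uzaEPS21BEAlUA=\r\n\r\n")
```

Changing one entry digest in the manifest after signing breaks both the whole-manifest digest and that entry's section digest while the main-attributes digest still matches, which is exactly the granularity jarsigner reports on.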

D:\jar>jarsigner -verify -verbose target.jar

976 Wed May 19 13:39:20 CST 2010 META-INF/MANIFEST.MF
648 Wed May 19 13:39:20 CST 2010 META-INF/SIGNATUR.SF
1007 Wed May 19 13:39:20 CST 2010 META-INF/SIGNATUR.DSA
0 Tue Dec 15 10:50:00 CST 2009 META-INF/
0 Tue Dec 15 10:50:00 CST 2009 plurkbot/
0 Tue Dec 15 10:50:00 CST 2009 util/
0 Tue Dec 15 10:50:00 CST 2009 util/rsa/
sm 1993 Tue Dec 15 10:50:00 CST 2009 plurkbot/KeyFinder.class
sm 7898 Tue Dec 15 10:50:00 CST 2009 plurkbot/PlurkBot.class
sm 3519 Tue Dec 15 10:50:00 CST 2009 plurkbot/RSSReader.class
sm 2812 Tue Dec 15 10:50:00 CST 2009 util/rsa/Dec_RSA.class
sm 1922 Tue Dec 15 10:50:00 CST 2009 util/rsa/Enc_RSA.class
sm 1433 Tue Dec 15 10:50:00 CST 2009 util/rsa/Skey_RSA.class

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

If verification fails, a SecurityException is thrown.
To combine a signed jar with a policy file,
the following commands can be used as a reference:
. Export the public certificate
keytool -export -keystore myKeys.jks -alias myKeys -file myPublicKey.cer
* View the certificate information
keytool -printcert -file myPublicKey.cer
. Import the public certificate
keytool -import -alias myPublicKey -file myPublicKey.cer -keystore myPublicKey.jks
. Add the keystore to the policy file
keystore "file:filepath/myPublicKey.jks";
. Add signedBy to the grant statement
grant signedBy "myPublicKey", codeBase "file:/filepath/target.jar" {
    permission java.io.FilePermission "/directory/*", "write";
};
