5

I am new to this topic, therefore I hope I use the right vocabulary. Is it possible to get the possibility of Jarsigner within Java self?

I need the possibility to do the following things programatically:

  • verify if a jar is signed with a certain private key from a keystore
  • if the jar is verified: unsign the jar
  • sign the jar with another private key from an official certificate authority, which is in the same or in another keystore

In pseudo-code I imagine something like this:

JarVerifier verifier = new JarVerifier(/*all needed parameters like the location of the keystore*/);
verifier.verify(jarFile); //returns a value which indicates the result (an Enum or an integer value)

Signing the jar should work in a similar way:

JarSigner signer = new JarSigner(/*all needed parameters like the location of the keystore, passwords, alias*/);
signer.sign(jarFile);

I know that this is a duplicate of many other questions, but I am not happy with their answers. The solution of these answers is in most cases a self-written class, a modification of a class found from OpenJDK or a hint that the code needs still to be written and how this can be done. This is not acceptable for me, because they are not maintained (or I have to write and maintain the classes myself), I know nothing about their correctness (especially if I have to write the code myself) and license issues.

What I don't get is that there seems to be no easy solution provided by Oracle, especially as it is such a critical topic, where an error might lead to an insecure system.

BenMorel
  • 34,448
  • 50
  • 182
  • 322
gillesB
  • 1,061
  • 1
  • 14
  • 30
  • Your objections to the other answers don't add up. Your own code has to be maintained too. – user207421 Feb 10 '14 at 20:40
  • Yes, of course. But it makes a difference if I have to maintain my own JarSigner and JarVerifier, like in the other answers. Or if I have only to maintain the code which use the JarSigner and JarVerifier provided by Oracle, Apache, etc... – gillesB Feb 10 '14 at 20:49
  • @EJP: My text was not clear enough. I hope I made it a bit clearer now. Bottom line: I don't want to write these kind of classes myself because it is hard (for me) to prove their correctness. – gillesB Feb 10 '14 at 21:23
  • 1
    Why not use the supplied (with JRE) utilities? Avoid writing it in code at all. – Brian Knoblauch Feb 10 '14 at 21:26
  • @BrianKnoblauch: You are referring to the jarsigner CLI tool? I need an automated way to do the three points (verify, unsign, sign) above. I also considered calling jarsigner with Runtime.getRuntime().exec() but I think that is rather inelegant. – gillesB Feb 10 '14 at 21:37
  • 1
    I think that writing unnecessary code is much less elegant than using provided utilities. :-) Runtime calls aren't sexy, but can avoid unnecessary duplication of function. – Brian Knoblauch Feb 11 '14 at 13:02

1 Answers1

1

I try to answer the question myself.

Verifying

To verify the Jar there seems not be be a good ready-to use solution. Therefore own code needs to be written.

Signing

There is the Ant Task SignJar which is able to sign jars and it is possible to use Ant Tasks inside Java

The class to sign the jars can look like this:

public class JarSigner extends SignJar {

public JarSigner() {
    project = new Project();
    project.init();
    taskType = "signJar";
    taskName = "signJar";
    target = new Target();
}

public static void signJar(File jarToSign, String alias, String keypass, String keystore, String storepass) {
    JarSigner signer = new JarSigner();
    signer.setJar(jarToSign);
    signer.setAlias(alias);
    signer.setKeypass(keypass);
    signer.setKeystore(keystore);
    signer.setStorepass(storepass);
    signer.setSignedjar(jarToSign);
    signer.execute();
}
}

unsigning

Did not need it yet.

gillesB
  • 1,061
  • 1
  • 14
  • 30