
I am writing a piece of software that needs licensing from a government authority; there are several modules of the same kind (but doing different work - math algorithms). I need to make sure that any time anyone (mostly a representative of the government authority) comes to this software and asks for it (via the network), the checksum for that particular module is printed out. I am writing this server in Java. I looked into serialization, but it only cares about the data (attributes) in the object and not the object's behaviour or other logical structure - which this absolutely needs to care about. Hence I need to access the .class from within the running jar file and perform a checksum on it. The current structure is like this:

abstract class Module {
    public abstract void run();
    // returns the checksum of this module's compiled .class bytes
    public abstract String chsum();
}

abstract class SimpleGame extends Module {
    /* not that important */
}

class GameX extends SimpleGame {
    public void run() {
        /* some magic */
    }

    public String chsum() {
        /* to be implemented: hash the bytes of GameX.class */
        return null;
    }
}

And when needed, upon receiving the proper message the network stack might call something like:

GameX gx = new GameX();
String checkSum = gx.chsum();

My current progress got me nowhere. I tried to access the .class file but without any luck - it works only if it is not a jar archive. And I need to supply the Class instance, which is not a dealbreaker, but it sure is not that handy. If I could get an array of bytes containing the compiled .class file, that would be more than enough - performing a checksum on that is a piece of cake using MessageDigest.

sDoky
  • You can open the Jar file and read the entry. It won't be very secure, but that's the whole notion of this checksum. A bit better would be to have your own classloader; it can access the bytes at define time. I think it would be best to check a whole JAR even when it has only one class, then you can use the normal jar signer code. – eckes Jan 03 '15 at 17:35
  • I'm not very good at this sort of thing, but if you let your class be loaded by mechanism A and access the class file (in a jar or elsewhere) by mechanism B and calculate the digest from that: How is it guaranteed that the loaded class is from the file used by B? A safe way is to fetch a byte[] bytecode, calculate the checksum and then load from that (ClassLoader.defineClass). – laune Jan 03 '15 at 17:36
  • What about going a step further and [sign your `.jar` file](http://stackoverflow.com/questions/9275780/is-it-possible-to-have-sha1-digest-in-java-manifest-file-without-actually-using)? You could also retrieve the hash values from the manifest file of the `.jar`. – Maarten Bodewes Jan 03 '15 at 17:50
  • Well I need to be able to change stuff (code) within the jar file without changing the checksum - because that's all that the government cares about. – sDoky Jan 03 '15 at 17:53
  • It is a good point that I should load it myself and I can do the checksum there. I like this approach ... I'll have a look into that. – sDoky Jan 03 '15 at 17:54
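One way to do what laune's and eckes's comments describe, added here as an example rather than code from the question or any answer: a class loader that hashes the bytes it is about to hand to defineClass, so the reported digest is the digest of the code that actually runs, whether the .class sits in a directory or inside the jar. It assumes the module classes share one package prefix (the "modules." value is a placeholder), that the loader is built as `new HashingClassLoader("modules.", HashingClassLoader.class.getClassLoader())`, and Java 9+ for `InputStream.readAllBytes()`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Defines every class under one package prefix itself and records a SHA-256 of those exact bytes.
public class HashingClassLoader extends ClassLoader {
    private final String prefix;                                   // assumed, e.g. "modules."
    private final Map<String, String> digests = new ConcurrentHashMap<>();
    public HashingClassLoader(String prefix, ClassLoader parent) {
        super(parent);
        this.prefix = prefix;
    }
    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!name.startsWith(prefix)) return super.loadClass(name, resolve); // JDK etc. via parent
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                byte[] code = readClassBytes(name);
                digests.put(name, sha256Hex(code));               // hashed before define: same bytes
                c = defineClass(name, code, 0, code.length);
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }
    // Digest recorded at define time; null if this loader did not define the class.
    public String digestOf(Class<?> c) { return digests.get(c.getName()); }
    private byte[] readClassBytes(String name) throws ClassNotFoundException {
        // Resource lookup through the class path works for a directory and inside a jar alike.
        String resource = name.replace('.', '/') + ".class";
        try (InputStream in = getParent().getResourceAsStream(resource)) {
            if (in == null) throw new ClassNotFoundException(name);
            return in.readAllBytes();                              // Java 9+
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }
    private static String sha256Hex(byte[] data) {
        try {
            return String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(data)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                    // SHA-256 ships with every JRE
        }
    }
}
```

Module classes must be reached only through this loader (for example `Class.forName(name, true, loader)`), so that `chsum()` can return `loader.digestOf(getClass())`; a class some other loader defined yields null rather than a misleading digest.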
