Is it possible to digitally sign a string (using JCA) and then compare it by creating another string which is digitally signed like the previous one?

Scenario: I have product details which need to be digitally signed (using JCA or any other API) and passed to the client. The client, which is stateful, has to hold this data and then needs to pass it on in the consecutive calls. The same product details, which are present in the payload passed in the consecutive calls, will be retrieved, the signature is created again and then compared against the one previously sent. If both are not the same, an error will be thrown. Is this possible?

souashokraj
  • Two signatures for identical content will not, themselves, be identical (as the signature itself will include timing metadata, and potentially other randomly generated content, such as a unique identifier for the individual signing operation); however, they _will_ include a hash of what they sign, and you can compare that. I use GnuPG for my own implementation of this, though, so can't speak to the details for JCA. – Charles Duffy Apr 13 '15 at 17:05
  • Annoyingly, the Signature class doesn't appear to have any way to get to a MessageDigest, so even though the metadata may exist, you might not have a way to get to it without generating and conveying a MessageDigest explicitly. Boo, hiss re: JCA (and lowest-common-denominator APIs in general). You can, of course, explicitly sign a digest. – Charles Duffy Apr 13 '15 at 17:09
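
The flow asked about above, as an added example (not code from the question or its comments): the server signs the product details once and, on later calls, checks the returned payload with JCA's `Signature.verify` instead of re-signing and comparing signature bytes. The `SHA256withECDSA` algorithm, the in-memory key pair, the class and method names and the sample payload are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;

public class ProductSignatureCheck {
    static final String ALG = "SHA256withECDSA"; // assumed algorithm choice

    // Sign the exact bytes that will be sent to the client.
    static byte[] sign(PrivateKey key, String payload) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    // Check a returned payload against the signature issued earlier.
    static boolean verify(PublicKey key, String payload, byte[] sig) {
        try {
            Signature s = Signature.getInstance(ALG);
            s.initVerify(key);
            s.update(payload.getBytes(StandardCharsets.UTF_8));
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature bytes count as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair(); // in practice the key is loaded from a key store

        String product = "{\"sku\":\"A-100\",\"price\":\"19.99\"}"; // constructed sample payload
        byte[] sig = sign(kp.getPrivate(), product);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(sig);

        // Later call: the client sends back the payload together with the token.
        byte[] returned = Base64.getUrlDecoder().decode(token);
        System.out.println("unchanged payload verifies: " + verify(kp.getPublic(), product, returned));
        String tampered = product.replace("19.99", "0.01");
        System.out.println("tampered payload verifies:  " + verify(kp.getPublic(), tampered, returned));

        // Re-signing the same content and comparing bytes is not a reliable check.
        byte[] second = sign(kp.getPrivate(), product);
        System.out.println("two signatures byte-equal:  " + Arrays.equals(sig, second));
    }
}
```

The payload must be serialized to the same bytes on both calls, since any change in field order or whitespace makes verification fail.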

0 Answers