File Signing Using Java

Tutorial Overview. This tutorial will guide you through the steps required to sign a JAR using Java. To complete this tutorial you must have a basic understating of java and PKI and be able to use the command window. This tutorial is broken down into three sections. The first section is a brief explanation of the java tools used in the entire signing and verification process. The second section covers installing Java and the steps the signer must complete to sign and send a JAR. The final section covers the steps the recipient must complete to verify the signature and access the file.  This tutorial is used in IS2771 Security in E-Commerce.

Java 2. Java is an object oriented, platform netural, secure language that was designed to be easier to learn than C++ and harder to misuse. When Sun releases a new version it also makes a free development kit available. You will need a Java2 SDK to complete this tutorial. J2SDK v 1.4.2 was used for this tutorial, which can be downloaded here.

Key Tool. The key tool handles the generation and management of keys and certificates. Java stores keys and certificates in a keystore database, which the key tool accesses to complete its functions. This tool will be used by both parties to create, export, and import certificates.

Jar Signer. The jar signer handles the signing of JAR files and the verification of signatures found on signed JAR files. The jar signer also requires access to the keystore in order to obtain information about certificates stored on the recipients computer in order to verify any signed file.

Policy Tool. The policy tool allows for the creation of security policies, which will grant specific permissions to a certificate, allowing a piece of code to perform dangerous operations. The security policy will reference a particular certificate that is used to verify the dangerous operations it can perform.

Security Manager. The security manager protects assets external to the Java Virtual Machine by keeping track of what code is allowed to perform dangerous operations. When a dangerous call is made to the Java library it will query the security manager to check the access methods for that particular call. If the call is dangerous the security manager will then check a security policy that states what dangerous operations a specific piece of code can perform. A piece of code or certificate can can have multiple security policies. You will use the security manager to verify the validity of the security policy you created, which will allow the test application to run. Without the security policy the security manager will prevent the application from running.