Tutorial Overview. This tutorial will guide you through the
steps required to sign a JAR using Java. To complete this tutorial you
must have a basic understating of java and PKI and be able to use the
command window. This tutorial is broken down into three sections. The
first section is a brief explanation of the java tools used in the
entire signing and verification process. The second section covers
installing Java and the steps the signer must complete to sign and send
a JAR. The final section covers the steps the recipient must complete to
verify the signature and access the file. This tutorial is used in
IS2771 Security in E-Commerce.
Java 2. Java is an object oriented, platform netural, secure
language that was designed to be easier to learn than C++ and harder to
misuse. When Sun releases a new version it also makes a free development
kit available. You will need a Java2 SDK to complete this tutorial.
J2SDK v 1.4.2 was used for this tutorial, which can be downloaded here.
Key Tool. The key tool handles the generation and management of
keys and certificates. Java stores keys and certificates in a keystore
database, which the key tool accesses to complete its functions. This
tool will be used by both parties to create, export, and import
Jar Signer. The jar signer handles the signing of JAR files and
the verification of signatures found on signed JAR files. The jar signer
also requires access to the keystore in order to obtain information
about certificates stored on the recipients computer in order to verify
any signed file.
Policy Tool. The policy tool allows for the creation of security
policies, which will grant specific permissions to a certificate,
allowing a piece of code to perform dangerous operations. The security
policy will reference a particular certificate that is used to verify
the dangerous operations it can perform.
Security Manager. The security manager protects assets external
to the Java Virtual Machine by keeping track of what code is allowed to
perform dangerous operations. When a dangerous call is made to the Java
library it will query the security manager to check the access methods
for that particular call. If the call is dangerous the security manager
will then check a security policy that states what dangerous operations
a specific piece of code can perform. A piece of code or certificate can
can have multiple security policies. You will use the security manager
to verify the validity of the security policy you created, which will
allow the test application to run. Without the security policy the
security manager will prevent the application from running.