Prev Class | Next Class | Frames | No Frames |
Summary: Nested | Field | Method | Constr | Detail: Nested | Field | Method | Constr |
java.lang.Object
java.security.SignedObject
SignedObject
is used for storing runtime objects whose
integrity cannot be compromised without being detected.
SignedObject
contains a Serializable
object which is
yet to be signed and a digital signature of that object.
The signed copy is a "deep copy" (in serialized form) of an original
object. Any changes to that original instance are not reflected in the
enclosed copy inside this SignedObject
.
Several things to note are that, first there is no need to initialize the
signature engine as this class will handle that automatically. Second,
verification will only succeed if the public key corresponds to the private
key used to generate the digital signature inside this
SignedObject
.
For fexibility, the signature engine can be specified in the constructor
or the verify()
method. Programmers wishing to verify
SignedObject
s should be aware of the Signature
engine
they use. A malicious or flawed Signature
implementation may always
return true on verification thus circumventing the intended secrity check
provided by the SignedObject
.
The GNU security provider offers an implementation of the standard NIST DSA which uses "DSA" and "SHA-1". It can be specified by "SHA/DSA", "SHA-1/DSA" or its OID. If the RSA signature algorithm is provided then it could be "MD2/RSA". "MD5/RSA", or "SHA-1/RSA". The algorithm must be specified because there is no default.
Signature
, Serialized FormConstructor Summary | |
|
Method Summary | |
String |
|
Object |
|
byte[] |
|
boolean |
Methods inherited from class java.lang.Object | |
clone , equals , extends Object> getClass , finalize , hashCode , notify , notifyAll , toString , wait , wait , wait |
public SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine) throws IOException, InvalidKeyException, SignatureException
Constructs a new instance ofSignedObject
from aSerializable
object. The object is signed with a designated private key and a signature engine.
- Parameters:
object
- the object to sign.signingKey
- the key to use.signingEngine
- the signature engine to use.
- Throws:
IOException
- if a serialization error occurred.InvalidKeyException
- if the key is invalid.SignatureException
- if a signing error occurs.
public String getAlgorithm()
Returns the name of the signature algorithm.
- Returns:
- the name of the signature algorithm.
public Object getObject() throws IOException, ClassNotFoundException
Returns the encapsulated object. The object is de-serialized before being returned.
- Returns:
- the encapsulated object.
- Throws:
IOException
- if a de-serialization error occurs.ClassNotFoundException
- if the encapsulated object's class was not found.
public byte[] getSignature()
Returns the signature bytes of the encapsulated object.
- Returns:
- the signature bytes of the encapsulated object.
public boolean verify(PublicKey verificationKey, Signature verificationEngine) throws InvalidKeyException, SignatureException
Verifies the encapsulated digital signature by checking that it was generated by the owner of a designated public key.
- Parameters:
verificationKey
- the public key to use.verificationEngine
- the signature engine to use.
- Returns:
true
if signature is correct,false
otherwise.
- Throws:
InvalidKeyException
- if the key is invalid.SignatureException
- if verification fails.