如何使用Java代码防止保存jar内的公钥
签署 jar 后,我们可以使用从 jar 中检索公钥
Certificate[] cert = jarentry.getCertificates();
一旦提取证书,我们可以将其保存到新的密钥库作为可信证书。
完成此操作后,第二个用户就可以使用此证书对任何 jar 进行签名,不是吗?
我想将内容作为 jar 分发,内容将包含应用程序 init 的属性文件。
我想确保用户无法使用从 jarentry 中提取的证书重建属性文件。
在读取 jar 内容的代码中,我检查 jar 是否仅使用我的证书签名,并且还检查 jar 没有被篡改。
但我想到了一个问题:如果我能够从 jar 中提取证书,那么为什么第三个人不能呢?
有什么帮助吗?
After signing a jar , we can retrieve the public keys from jar using
Certificate[] cert = jarentry.getCertificates();
Once certificate is extracted we can save this to a new keystore as trusted cert.
Once this is done , then second user can sign any jar using this certificate , isn't ?
I want to distribute content as jars , contents will contain properties files for a application init.
I want to make sure that an user is not capable to rebuilding the property files using the certificate he extracted from jarentry.
In the code which reads the jar contents i am checking that jar is signed with my certificate only and also checking that jar is not tampered with .
But the issue came to my mind that if I am able to extract the certificate from jar then why don;t a third guy ?
Any help?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
不,您需要私钥才能签署 JAR。您无法仅使用公钥来签署 JAR。当然私钥不在证书中。
请参阅 Sun 的 Java 教程中的签名和验证 JAR 文件 ,它详细解释了原理以及如何做。
No, you need the private key to be able to sign a JAR. You can't sign a JAR with just the public key. Ofcourse the private key is not in the certificate.
See Signing and Verifying JAR Files in Sun's Java Tutorials, it explains the principles and how to do it in detail.