Message-Id: <3.0.1.32.19980611145833.01019330@mail.pubweb.net>
Date: Thu, 11 Jun 1998 14:58:33 -0400
To: java-security@web2.javasoft.com, Roland Schemers <Roland.Schemers@Eng>
From: Mike Burati <burati@pubweb.net>
Subject: Re: getSigners()
> In JDK 1.1.x, getSigners will return an array of Identity objects,
> representing the identities that signed the class. In JDK 1.2beta4,
> getSigners will return an array of java.security.cert.Certificate
> objects.
I didn't think that APIs were supposed to change between point releases
(just major releases like 1.x -> 2.x)? Anyway, that's not the point
of this email. The real question is below...
> In JDK1.2 you can do something like:
> java -classpath foo.jar security.Test
>
> And it will verify signatures on the classes loaded from foo.jar. That
> is because 1.2 actually uses a class loader now to load things off of
> the classpath.
We're developing/about to deploy products now, and can't wait for 1.2
(and mgmt won't even consider 1.2 without a solid date for when it's
going to be shipping...). Also, we're heavily dependent on the Java
Web Server and the Sun engs and customers on the JWS mailing list
recommend using nothing later than JDK1.1.4 for deployment of JWS
(1.1.5 has memory leaks that eventually bring down the server, and
1.1.6 doesn't seem to be working too well for customers on the list
either).
Anyway, since we're stuck with JDK1.1.4 for a while, I have a question:
One of our developers has a need to update classes of a particular
type (interface implementations) here, always from a single web server
we own, where we only need one signer (us), via URL()... He's written
the code to download it to the client (which is actually a servlet
that'll be running at a customer site), and a class loader to load
the newly downloaded class. I'm a little paranoid about this, so
I need to figure out how to sign/verify the .jar files he's downloading.
I've been signing/verifying our messages that we pass around the
system via the Signature APIs and DSA functionality provided with the
JDK, but apparently signing/verifying of jar files is supposed to be
supported in a more formal way via javakey and setSigners()/getSigners().
There's amazingly little documentation for setSigners():
"protected final void setSigners(Class cl,
Object signers[])
Sets the signers of a class. This is called after defining a class,
by signature-aware class loading code."
and getSigners():
"public native Object[] getSigners()
Get the signers of this class."
in both the javadocs and the .java files shipped with the JDK.
I've searched the last year's worth of java-security email archives
and most of the last 6 months of the java web server mailing list,
and can't find any more info on this than your above message.
Does *anybody* have more detailed info on how the above methods
are supposed to be used (eg, what steps to take to grab the sig
itself and the exact bytes used for the sig by javakey, from the
jar file manifest; whether the classloader is supposed to do all
the verification first and then call setSigners() with all that
succeeded (or should the class loader fail if any failed...).....?
Again, we cannot wait for 1.2, given it's not shipped yet and
JWS doesn't seem to work well with recent JDKs..., we are not
using Applets so we can't rely on a browser's classloader, and
we are only signing them ourself. Is the support in JDK1.1.4
so limited that we should give up trying this? Should I just
go ahead and do my own signing/verification and ignore javakey
and its use of the .jar manifest?
Thanks in advance,
..Mike