验证Jar签名 [英] Verifying Jar Signature

问题描述

我正在尝试以编程方式验证jar文件是否未被明显篡改。我有2个用例我想阻止。
1）现有类的修改
2）在jar中添加新类

I'm trying to programmatically verify that a jar file has not been obviously tampered with. I have 2 use cases I want to prevent. 1) Modifications of existing classes 2) additions of new classes in the jar

我使用jarsigner签署了jar。当我用jarsigner验证上述任何一种情况时，它的工作方式与我预期的一样。

I signed the jar using jarsigner. When I verify either of the above cases with jarsigner it works like I would expect.

当我尝试以编程方式使用
如何以编程方式验证使用jarsigner签名的jar
或
如何验证自签名jar上的签名？
但是，我没有获得任何SecurityExceptions ...或任何例外。

When I try to do it programmatically using the samples in How to verify a jar signed with jarsigner programmatically or How to verify signature on self signed jar? however, I don't get any SecurityExceptions...or any exceptions at all for that matter.

不确定我做错了什么，因为这些片段似乎适用于其他人。有任何想法吗？这是JDK 1.6 BTW。

Not sure what I am doing wrong since those snippets seemed to work for other people. Any ideas? This is JDK 1.6 BTW.

编辑：
如下所述，代码示例...提供您自己的修改后的jar :)

As requested below, a sample of the code...supply your own modified jar :)

    JarFile myJar;

    try
    {
        //Insert the full path to the jar here      
        String libPath =  ""
        stature = new JarFile(libPath,true);

        //Don't really need this right now but was using it to inspect the SHA1 hashes

        InputStream is = myJar.getInputStream(myJar.getEntry("META-INF/MANIFEST.MF"));
        Manifest man = myJar.getManifest();            
        is.close();

        verifyJar(myJar);

    }
    catch (IOException ioe)
    {
        throw new Exception("Cannot load jar file", ioe);
    }


private void verifyJar(JarFile jar) throws Exception
{
    Enumeration<java.util.jar.JarEntry> entries = jar.entries();
    while (entries.hasMoreElements())
    {
        java.util.jar.JarEntry entry = entries.nextElement();

        try
        {
            jar.getInputStream(entry);

            //Also tried actually creating a variable from the stream in case it was discarding it before verification
            //InputStream is = jar.getInputStream(entry);
            //is.close();
        }
            catch (SecurityException se)
            {
                /* Incorrect signature */                    
                throw new Exception("Signature verification failed", se);
            }
            catch (IOException ioe)
            {
                throw new Exception("Cannot load jar file entry", ioe);
            }
    }
}

推荐答案

我弄清楚为什么会发生这种情况......这是一个愚蠢的错误。

I figured out why this was happening to me...it was a stupid mistake.

我有被篡改的签名jar，但我也编译了所有相同的类，因为这是我的开发环境。因此，类加载器在jar类中选择了已编译的类。编译的类没有清单，因此没有生成安全性错误。

I had my tampered signed jar, but I also had all the same classes compiled since this was my dev env. So the classloader picked up the compiled classes over the jar classes. There is no manifest for the compiled classes, so no security errors were generated.

删除编译后的类后，我得到了预期的安全性异常。

Once I deleted my compiled classes I got the expected security exceptions.

这篇关于验证Jar签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！