
Platinum Edition Using HTML 4, XML, and Java 1.2
(Publisher: Macmillan Computer Publishing)
Author(s): Eric Ladd
ISBN: 078971759x
Publication Date: 11/01/98




NOTE:  If you used to use javakey (the forerunner of keytool), you’ll have to get a new keypair and certificate. jarsigner has no backward compatibility with the javakey database.

The simplest way to use jarsigner is to type

jarsigner MyJarFile.jar

In this case jarsigner uses the default keystore (.keystore in your home directory) and prompts you for the passwords to the keystore and the private key. jarsigner also uses the default alias, mykey. The output is written to the file named MyJarFile.jar, overwriting the original file. You can specify more information on the command line:

jarsigner -keystore C:\JDK\projects\.keystore -signedjar MySignedJarFile.jar MyJarFile.jar mike

This command tells jarsigner to sign the file MyJarFile.jar by using the certificate associated with the alias mike. The keystore is located at C:\JDK\projects\.keystore. The output is written to MySignedJarFile.jar, and the original file (MyJarFile.jar) is left unchanged.


NOTE:  When you run jarsigner, it computes a message digest of the JAR file (using either the MD5 or the SHA-1 algorithm, depending upon your certificate) and then signs that message digest by using your private key. It writes two new files into the JAR file: a signature file with an .SF suffix and a signature block file (with a .DSA or .RSA suffix). The base name used in these two files is based on the alias you used to sign the file.

Working with Encryption from Inside Your Program

You can write Java to do everything we’ve just done from the command line. Look at the documentation in java.security and its subpackages, java.security.cert, java.security.interfaces, and java.security.spec. These packages provide you with such classes as KeyPairGenerator, Signature, and MessageDigest, and the interface Key.
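
As an added example (not code from the book), the digest-and-sign step that the NOTE above attributes to jarsigner can be reproduced with the classes just named, along with the check a verifier performs on modified content. It assumes SHA-256 with a 2048-bit RSA key rather than the MD5/SHA-1 choices of JDK 1.2; the class name SignDemo and the sample bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Signature;

public class SignDemo {
    // Sign data with the private key. Signature hashes the input itself
    // (SHA-256 here) and then applies the RSA private-key operation.
    static byte[] sign(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    // Verify with the public key, as a recipient of the signed content would.
    static boolean verify(KeyPair kp, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key pair; jarsigner would load one from the keystore instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample input standing in for the bytes being signed.
        byte[] original = "constructed sample: contents of MyJarFile.jar"
                .getBytes(StandardCharsets.UTF_8);
        byte[] tampered = original.clone();
        tampered[0] ^= 0x01; // flip one bit to simulate modification after signing

        // The standalone digest, shown only to make the hashing step visible.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(original);
        byte[] sig = sign(kp, original);

        System.out.println("digest length in bytes: " + digest.length);
        System.out.println("original verifies: " + verify(kp, original, sig));
        System.out.println("tampered verifies: " + verify(kp, tampered, sig));
    }
}
```

The signature verifies only against the exact bytes that were signed, which is what lets a recipient detect a JAR that was modified after signing.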

You can read more about the new JDK 1.2 security architecture in your JDK documentation at docs/guide/security/spec/security-spec.doc.html. You can also get detailed information about using the jar and javakey tools in the JDK 1.2 documentation.

ON THE WEB
http://java.sun.com/products/jdk/1.2/docs/guide/security/index.html
You can read more about JDK 1.2 security features, including the Java Security API and new classes, at Sun’s JDK 1.2 security site.

Open Issues on Security

In the case of Java, the security is only as good as its runtime implementation. Holes have been found and fixed in various implementations, but these same issues may arise again in future implementations as Java is ported to other platforms. After all, each version of the JVM needs to be written in a platform-specific programming language, such as C, and can have its own flaws and weaknesses.

Aside from that, many types of malicious behavior are difficult (if not impossible) to avoid. No matter what is done to the Java security model, for instance, it will not stop someone from putting rude or obscene material in an applet or starting long, resource-intensive processes. Such actions are not defects but will continue to be nuisances.

For links to and discussions of current problems and a chronology of security-related bugs, see the Java Security FAQ at http://java.sun.com/sfaq/index.html. Every implementation of Java has its own open issues, and Sun’s is no exception. The best thing to do is to keep on top of the issues for the implementation you are using.

Further References on Java and Security

The following references can help you keep up with the changing world of Java security. This is by no means a comprehensive list, but it should give you some valuable starting places for researching the topic further.

UseNet:
  alt.2600
  comp.risks
  comp.lang.java.* (especially comp.lang.java.security)
  comp.infosystems.www.*

WWW:
  Sun’s Java Security site, with a wealth of links about Java security bug chronology, the Applet Security FAQ, Security API information, applet and code signing, JDK 1.2 features, JDK 1.2 security documentation, the Java security model, Java cryptographic architecture, the Java Security Q&A archives, the Java Cryptography Extension (JCE) to the JDK 1.2, and more. Highly recommended:
    http://java.sun.com/security/index.html
  Slides from a presentation by Li Gong, Sun’s Java security architect, at JavaOne 1997, on the future and direction of Java security:
    http://java.sun.com/javaone/sessions/slides/TT03/TT03.zip
  The Java Security Q&A archives:
    http://java.sun.com/security/hypermail/java-security-archive/index.html
  The Java Security FAQ:
    http://java.sun.com/sfaq/index.html
  Sun’s recommendations for security policies:
    http://java.sun.com/security/policy.html
  Sun’s Jar Guide, about using the new JAR file format and tools:
    http://java.sun.com/products/jdk/1.2/docs/guide/jar/jarGuide.html
  Netscape Navigator Security FAQ:
    http://developer.netscape.com:80/support/faqs/champions/security.html
  “Java Security,” the December 1995 classic paper by Joseph A. Bank, MIT:
    http://www-swiss.ai.mit.edu/~jbank/javapaper/javapaper.html

