Topic: How do I compute a message digest for a JAR file?

1.How do I compute a message digest for a JAR file?
Posted by: feiggle
Posted on: 2003-04-15 14:54

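How can I compute a message digest over a JAR file's contents and save the digest
inside the JAR, so that later I can read it back from the JAR to determine whether
this JAR is the unique, legitimate one?
I know how to use message digest, but I don't know how to write the information into the JAR.
Should I serialize an object and then add it to the JAR?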

2.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: menzy
Posted on: 2003-04-15 20:00

After all that, you still want to manage the JAR file by hand

3.Re: How do I compute a message digest for a JAR file? [Re: menzy]
Posted by: feiggle
Posted on: 2003-04-16 09:00

menzy wrote:
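After all that, you still want to manage the JAR file by hand

If there is such a requirement, how should it be done? How can I write the message digest
somewhere in the JAR, or add a serialized object!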

4.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: menzy
Posted on: 2003-04-17 07:39

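I don't know, but you can look at it this way:
A JAR file is really a zip-format archive, so it should be possible to open it programmatically in Java; Java provides classes for that. After opening it, look for the manifest.mf file, find the target class's MD5, then extract the target class's class file, read the file stream, compute the MD5, and compare.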

5.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: feiggle
Posted on: 2003-04-17 09:43

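For a JAR that has already been digitally signed, you can read its certificate information from it to judge
the JAR's legitimacy. I just want to mark the JAR myself. At first I also thought of reading out the
entries of each JAR and then running md over them; that should work, I just haven't had time to try it myself! I would like to know how jarsigner works. Is its source code available?
thanks!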

6.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: floater
Posted on: 2003-04-17 11:53

You can't! If you do a md5, then any modification could invalidate this value and thus you can't put this value (in a file) in the jar. That's why md5 digest is always separated from the package. (Linux packages tend to have this file to be verified by the downloaders.)

7.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: menzy
Posted on: 2003-04-17 13:21

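Writing it into the manifest file should be fine, shouldn't it?
I just had a look: the Manifest uses sha1,
and the digest target is the individual class file, not the whole JAR file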

8.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: feiggle
Posted on: 2003-04-17 16:06

So this approach doesn't work? Then, in general, how many ways are there to confirm a JAR's
legitimacy besides jarsigner?

9.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: floater
Posted on: 2003-04-18 00:44

1. who comes first, chicken or egg?

2. I don't know how many ways to verify a package's integrity, but the most commonly used method I have seen is this md5, with the digest outside the package.

10.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: floater
Posted on: 2003-04-18 00:45

applets use digital certs.

11.Re: How do I compute a message digest for a JAR file? [Re: floater]
Posted by: feiggle
Posted on: 2003-04-18 09:33

floater wrote:
applets use digital certs.

thanks!

12.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: menzy
Posted on: 2003-04-21 09:40

I took some time over the weekend to look at the Java documentation; java.util.jar can probably solve these problems too

13.Re: How do I compute a message digest for a JAR file? [Re: menzy]
Posted by: feiggle
Posted on: 2003-04-21 14:55

menzy wrote:
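I took some time over the weekend to look at the Java documentation; java.util.jar can probably solve these problems too

I had a look too. The java.util.jar package allows flexible manipulation of JAR files; each class file
can be read as a stream and then run through a message digest. I am experimenting with it, but I suspect it won't work,
for two reasons:
1) If a standard message digest is used, where should the message digest obtained after the update over each class file
be written? We want that file to be contained in the JAR;
2) If a MAC is used, besides the problem in point 1 there is also the problem of managing secret keys and secret passphrases, somewhat like the certificate distribution and management problem of digital signatures, which complicates
the matter again;
As for the original problem, I have already used the certs obtained from the JAR to judge the JAR's legitimacy, and that is done. But as a technical question, this line of thinking is still worth discussing, and it can deepen our understanding.
Personally I think, just as floater said:
1) You can't! If you do a md5, then any modification could invalidate this value and thus you can't put this value (in a file) in the jar. That's why md5 digest is always separated from the package. (Linux packages tend to have this file to be verified by the downloaders.)
2) I don't know how many ways to verify a package's integrity, but the most commonly used method I have seen is this md5, with the digest outside the package.
this approach may have been unworkable from the start.
thanks!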
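
The per-entry manifest digest check that menzy outlines in posts 4 and 7, applied to the storage question raised in this post, as an added example that is not part of the thread. It assumes Java 9 or later and uses SHA-256 with the `SHA-256-Digest` attribute name that jarsigner uses for SHA-256 digests, in place of the sha1 the thread mentions; the class name, entry name and sample bytes are constructed for illustration.

```java
import java.io.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.jar.*;
public class ManifestDigestDemo {
    static final String ATTR = "SHA-256-Digest"; // per-entry manifest attribute, as jarsigner names it
    static String digest(byte[] data) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(data));
    }
    // Write a JAR whose manifest lists digests of `listed` while the entries hold `stored`.
    static byte[] buildJar(Map<String, byte[]> listed, Map<String, byte[]> stored) throws Exception {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        for (Map.Entry<String, byte[]> f : listed.entrySet()) {
            Attributes a = new Attributes();
            a.putValue(ATTR, digest(f.getValue()));
            mf.getEntries().put(f.getKey(), a);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (JarOutputStream jos = new JarOutputStream(out, mf)) {
            for (Map.Entry<String, byte[]> f : stored.entrySet()) {
                jos.putNextEntry(new JarEntry(f.getKey()));
                jos.write(f.getValue());
                jos.closeEntry();
            }
        }
        return out.toByteArray();
    }
    // Recompute every entry's digest; return the names that are unlisted or do not match.
    static List<String> verify(byte[] jar) throws Exception {
        List<String> bad = new ArrayList<>();
        try (JarInputStream jis = new JarInputStream(new ByteArrayInputStream(jar), false)) {
            Manifest mf = jis.getManifest(); // META-INF/MANIFEST.MF is consumed by the constructor
            for (JarEntry e; (e = jis.getNextJarEntry()) != null; ) {
                Attributes a = (mf == null) ? null : mf.getAttributes(e.getName());
                String want = (a == null) ? null : a.getValue(ATTR);
                if (want == null || !want.equals(digest(jis.readAllBytes()))) bad.add(e.getName());
            }
        }
        return bad;
    }
    public static void main(String[] args) throws Exception {
        Map<String, byte[]> good = Map.of("app/A.class", new byte[] {1, 2, 3}); // constructed sample bytes
        Map<String, byte[]> changed = Map.of("app/A.class", new byte[] {1, 2, 4});
        System.out.println("intact:           " + verify(buildJar(good, good)));
        System.out.println("entry changed:    " + verify(buildJar(good, changed)));
        System.out.println("manifest rebuilt: " + verify(buildJar(changed, changed)));
    }
}
```

The third case verifies as cleanly as the first: a digest kept in an unsigned manifest catches corruption of an entry, but whoever can change an entry can rewrite the manifest as well. That is why floater keeps the digest outside the package, and why a signed JAR also covers the manifest itself with the signature.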

14.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: floater
Posted on: 2003-04-21 23:41

In #2, another 2 reasons for the usage of digital certs:
1. We don't need to admin them, otherwise it's going to have a lot of pain on the admin side.
2. digital certs should be handled by the browsers when downloading jar files so that users don't need to do extra work like in MD5 case (except press the yes button).

15.Re: How do I compute a message digest for a JAR file? [Re: feiggle]
Posted by: feiggle
Posted on: 2003-04-22 09:12

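Thanks! In technical work and in programming, you should always keep the spirit of "taking what already exists and using it"; that way you spend less effort and get more done! Haha!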

