Author  How do I compute a message digest for a JAR file?
feiggle

Posts: 70
Points: 20
Posted 2003-04-15 14:54
How do I compute a message digest over the contents of a JAR file and store the digest inside the JAR, so that later I can read the digest back out of the JAR to judge whether this JAR is the one legitimate copy?
I know how to use message digest, but I don't know how to write the information into the JAR.
Should I serialize an object and then add it to the JAR?


feiggle edited on 2003-04-15 15:36


Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
menzy

Moderator

Posts: 754
Points: 113
Posted 2003-04-15 20:00
After all this talk, you still want to manage the JAR file by hand.


Author  Re: How do I compute a message digest for a JAR file? [Re: menzy]
feiggle

Posts: 70
Points: 20
Posted 2003-04-16 09:00
menzy wrote:
After all this talk, you still want to manage the JAR file by hand.

If there is such a requirement, what should I do? How can I write the message digest somewhere in the JAR, or add a serialized object!




Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
menzy

Moderator

Posts: 754
Points: 113
Posted 2003-04-17 07:39
I don't know, but you can look at it this way:
A JAR file is really a ZIP-format archive, so it should be possible to open it programmatically in Java; Java provides a class for that. After opening it, look for the manifest.mf file and find the MD5 of the target class, then extract the target class's class file, read the file stream, compute the MD5, and compare.



Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
feiggle

Posts: 70
Points: 20
Posted 2003-04-17 09:43
For a JAR that has already been digitally signed, you can read its certificate information out of it to judge the JAR's legitimacy. I just want to mark the JAR myself. At first I also thought of reading out all the entries in each JAR and then running a message digest over them; that should work, I just haven't had time to try it myself! I'd like to know how jarsigner works; is its source code available?
thanks!




Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
floater

Java Jedi

Super Moderator

Posts: 3233
Points: 421
Posted 2003-04-17 11:53
You can't! If you do an md5, then any modification could invalidate this value and thus you can't put this value (in a file) in the jar. That's why md5 digest is always separated from the package. (Linux packages tend to have this file to be verified by the downloaders.)


"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
- Martin Fowler, Refactoring - Improving the Design of Existing Code
Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
menzy

Moderator

Posts: 754
Points: 113
Posted 2003-04-17 13:21
Writing it into the manifest file should be fine, shouldn't it?
I just took a look: the Manifest uses SHA1,
and the digest target is an individual class file, not the whole JAR file.
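
menzy's two posts describe reading the per-class digest from the manifest and recomputing it from the class bytes. An added example of that check with java.util.jar (not code from the thread; `ManifestDigestCheck` and its method names are illustrative):

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Added example; class and method names are illustrative, not from the thread.
public class ManifestDigestCheck {
    /** True only if at least one digest is recorded and every recorded digest matches. */
    static boolean verify(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, false)) {  // verify=false: we compare digests ourselves
            Manifest mf = jar.getManifest();
            if (mf == null) return false;                 // nothing to compare against
            boolean ok = true;
            int checked = 0;
            for (Map.Entry<String, Attributes> section : mf.getEntries().entrySet()) {
                JarEntry entry = jar.getJarEntry(section.getKey());
                for (Object key : section.getValue().keySet()) {
                    String attr = key.toString();         // e.g. "SHA1-Digest", "SHA-256-Digest"
                    if (!attr.endsWith("-Digest")) continue;
                    checked++;
                    if (entry == null) { ok = false; continue; }   // listed but missing
                    String alg = attr.substring(0, attr.length() - "-Digest".length());
                    byte[] expected = Base64.getDecoder().decode(section.getValue().getValue(attr));
                    if (!MessageDigest.isEqual(expected, digest(jar, entry, alg))) {
                        System.out.println("MISMATCH " + entry.getName() + " (" + alg + ")");
                        ok = false;
                    }
                }
            }
            return ok && checked > 0;                     // unsigned JARs usually record no digests
        }
    }

    static byte[] digest(JarFile jar, JarEntry entry, String alg) throws Exception {
        MessageDigest md = MessageDigest.getInstance(alg);
        try (InputStream in = jar.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        return md.digest();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(verify(args[0]) ? "all manifest digests match" : "verification failed");
    }
}
```

The check covers only entries the manifest lists, and a manifest that is not itself signed can be rewritten together with the entries, so a match shows the archive is internally consistent rather than untampered.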



Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
feiggle

Posts: 70
Points: 20
Posted 2003-04-17 16:06
So this approach doesn't work? Then, in general, how many ways are there to confirm the legitimacy of a JAR, apart from jarsigner?




Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
floater

Java Jedi

Super Moderator

Posts: 3233
Points: 421
Posted 2003-04-18 00:44
1. Who comes first, chicken or egg?

2. I don't know how many ways to verify a package's integrity, but the most commonly used method I have seen is this md5, with the digest outside the package.

Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
floater

Java Jedi

Super Moderator

Posts: 3233
Points: 421
Posted 2003-04-18 00:45
Applets use digital certs.

Author  Re: How do I compute a message digest for a JAR file? [Re: floater]
feiggle

Posts: 70
Points: 20
Posted 2003-04-18 09:33
floater wrote:
applets use digital certs.

thanks!




Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
menzy

Moderator

Posts: 754
Points: 113
Posted 2003-04-21 09:40
I took some time over the weekend to look at the Java documentation; java.util.jar can probably solve these problems too.


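Author  Re: How do I compute a message digest for a JAR file? [Re: menzy]
feiggle

Posts: 70
Points: 20
Posted 2003-04-21 14:55
menzy wrote:
I took some time over the weekend to look at the Java documentation; java.util.jar can probably solve these problems too.

I took a look as well. The java.util.jar package allows flexible manipulation of JAR files: each class file can be read as a stream and a message digest computed over it. I am experimenting with this now, but I suspect it won't work, for two reasons:
1) If a standard message digest is used, where should the message digest obtained after calling update on each class file be written? We want this file to be contained in the JAR;
2) If a MAC is used, then besides the problem in point 1 there is also the problem of managing secret keys and the secret passphrase, somewhat like the certificate distribution and management problem for digital signatures, which makes the problem more complicated again;
As for the original problem, I have already solved it by obtaining the certs from the JAR to judge the JAR's legitimacy. But as a technical question, this line of thinking is still worth discussing; it can deepen our understanding.
Personally I think, just as floater said:
1) You can't! If you do an md5, then any modification could invalidate this value and thus you can't put this value (in a file) in the jar. That's why md5 digest is always separated from the package. (Linux packages tend to have this file to be verified by the downloaders.)
2) I don't know how many ways to verify a package's integrity, but the most commonly used method I have seen is this md5, with the digest outside the package.
perhaps this approach was unworkable from the start.
thanks!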


feiggle edited on 2003-04-21 14:59
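
The certificate-based check feiggle mentions, as an added example that is not part of the original post: it opens the JAR with verification enabled, reads every entry so the signature check runs, and flags entries no signature covers. `SignedJarCheck` and its method names are illustrative.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example; class and method names are illustrative, not from the thread.
public class SignedJarCheck {
    /** True if every content entry is signed; a tampered entry raises SecurityException. */
    static boolean allEntriesSigned(String jarPath) throws Exception {
        boolean allSigned = true;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {       // verify=true: check signatures
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                // Signers are known only after the entry is read to the end; a modified
                // entry makes the read fail with SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {                          // entry not covered by any signature
                    System.out.println("UNSIGNED " + entry.getName());
                    allSigned = false;
                    continue;
                }
                X509Certificate cert = (X509Certificate)
                        signers[0].getSignerCertPath().getCertificates().get(0);
                System.out.println(entry.getName() + " <- " + cert.getSubjectX500Principal());
            }
        }
        return allSigned;
    }

    /** The manifest and the signature files themselves carry no signer. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
                || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(allEntriesSigned(args[0]) ? "all entries signed" : "unsigned entries present");
    }
}
```

A valid signature only shows the entries match what some key signed; compare the reported signer certificate with the one you expect, or validate its chain, before trusting the JAR.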


Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
floater

Java Jedi

Super Moderator

Posts: 3233
Points: 421
Posted 2003-04-21 23:41
In #2, another 2 reasons for the usage of digital certs:
1. We don't need to admin them, otherwise it's going to have a lot of pain on the admin side.
2. Digital certs should be handled by the browsers when downloading jar files so that users don't need to do extra work like in MD5 case (except press the yes button).

Author  Re: How do I compute a message digest for a JAR file? [Re: feiggle]
feiggle

Posts: 70
Points: 20
Posted 2003-04-22 09:12
Thanks! In technical work and in programming, one should always keep the spirit of "taking what already exists and using it", so that you spend less effort yourself and get more done! Haha!



