public final class SignedObject extends Object implements Serializable
SignedObject
is used for storing runtime objects whose
integrity cannot be compromised without being detected.
SignedObject
contains a Serializable
object which is
yet to be signed and a digital signature of that object.
The signed copy is a "deep copy" (in serialized form) of an original
object. Any changes to that original instance are not reflected in the
enclosed copy inside this SignedObject
.
Several things to note are that, first there is no need to initialize the
signature engine as this class will handle that automatically. Second,
verification will only succeed if the public key corresponds to the private
key used to generate the digital signature inside this
SignedObject
.
For fexibility, the signature engine can be specified in the constructor
or the verify()
method. Programmers wishing to verify
SignedObject
s should be aware of the Signature
engine
they use. A malicious or flawed Signature
implementation may always
return true on verification thus circumventing the intended secrity check
provided by the SignedObject
.
The GNU security provider offers an implementation of the standard NIST DSA which uses "DSA" and "SHA-1". It can be specified by "SHA/DSA", "SHA-1/DSA" or its OID. If the RSA signature algorithm is provided then it could be "MD2/RSA". "MD5/RSA", or "SHA-1/RSA". The algorithm must be specified because there is no default.
Signature
,
Serialized FormConstructor and Description |
---|
SignedObject(Serializable object,
PrivateKey signingKey,
Signature signingEngine)
Constructs a new instance of
SignedObject from a
Serializable object. |
Modifier and Type | Method and Description |
---|---|
String |
getAlgorithm()
Returns the name of the signature algorithm.
|
Object |
getObject()
Returns the encapsulated object.
|
byte[] |
getSignature()
Returns the signature bytes of the encapsulated object.
|
boolean |
verify(PublicKey verificationKey,
Signature verificationEngine)
Verifies the encapsulated digital signature by checking that it was
generated by the owner of a designated public key.
|
public SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine) throws IOException, InvalidKeyException, SignatureException
SignedObject
from a
Serializable
object. The object is signed with a designated
private key and a signature engine.object
- the object to sign.signingKey
- the key to use.signingEngine
- the signature engine to use.IOException
- if a serialization error occurred.InvalidKeyException
- if the key is invalid.SignatureException
- if a signing error occurs.public Object getObject() throws IOException, ClassNotFoundException
IOException
- if a de-serialization error occurs.ClassNotFoundException
- if the encapsulated object's class was not found.public byte[] getSignature()
public String getAlgorithm()
public boolean verify(PublicKey verificationKey, Signature verificationEngine) throws InvalidKeyException, SignatureException
verificationKey
- the public key to use.verificationEngine
- the signature engine to use.true
if signature is correct, false
otherwise.InvalidKeyException
- if the key is invalid.SignatureException
- if verification fails.