java.security
Class SignedObject
java.lang.Object
|
+--java.security.SignedObject
All Implemented Interfaces:
Serializable
SignedObject is used for storing runtime objects whose integrity
cannot be compromised without being detected.
SignedObject contains a Serializable object, which is the object
to be signed, and its signature.
The signed copy is a "deep copy" (in serialized form) of the
original object. Any changes to the original will not affect
the signed copy.
Several things to note: first, there is no need to
initialize the signature engine, as this class will handle that
automatically. Second, verification will only succeed if the
public key corresponds to the private key used to generate
the SignedObject.
For flexibility, the signature engine can be specified in the
constructor or the verify method. The programmer who writes
code that verifies the SignedObject has not changed should be
aware of the Signature engine they use. A malicious Signature
may choose to always return true on verification and
bypass the security check.
The GNU provider provides the NIST standard DSA which uses DSA
and SHA-1. It can be specified by SHA/DSA, SHA-1/DSA or its
OID. If the RSA signature algorithm is provided then
it could be MD2/RSA, MD5/RSA, or SHA-1/RSA. The algorithm must
be specified because there is no default.
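The following added example (not part of the original documentation or of the GNU Classpath sources) signs an object, shows that later changes to the original do not reach the signed copy, and verifies with both the matching and a non-matching public key. It assumes a current JDK and the standard JCA algorithm name SHA256withRSA rather than the GNU provider names listed above; the class name, keys and sample data are constructed for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.ArrayList;

public class SignedObjectDemo {
    public static void main(String[] args) throws Exception {
        // Constructed keys and sample data; the algorithm name is an assumption (see lead-in).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair();

        ArrayList<String> acl = new ArrayList<>();
        acl.add("alice:read");

        // The constructor initializes the engine for signing; no initSign() call is needed.
        Signature signingEngine = Signature.getInstance("SHA256withRSA");
        SignedObject so = new SignedObject(acl, signer.getPrivate(), signingEngine);

        // Changing the original after signing does not alter the serialized copy.
        acl.add("mallory:admin");

        // Obtain the verification engine yourself instead of accepting one from the
        // party that supplied the object: an engine that always returns true would
        // defeat the check.
        Signature verificationEngine = Signature.getInstance("SHA256withRSA");
        boolean matchingKey = so.verify(signer.getPublic(), verificationEngine);
        boolean otherKey = so.verify(other.getPublic(), verificationEngine);

        System.out.println("algorithm:    " + so.getAlgorithm());
        System.out.println("matching key: " + matchingKey);
        System.out.println("other key:    " + otherKey);

        // getObject() de-serializes the content, so call it only after verify() succeeded.
        if (matchingKey) {
            System.out.println("signed copy:  " + so.getObject());
            System.out.println("original now: " + acl);
        }
    }
}
```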
Since:
Author:
- Mark Benvenuto <ivymccough@worldnet.att.net>
SignedObject
public SignedObject(java.io.Serializable object, java.security.PrivateKey signingKey, java.security.Signature signingEngine)
Constructs a new SignedObject from a Serializable object. The
object is signed with the given private key and signature engine.
Parameters:
Throws:
getAlgorithm
public String getAlgorithm()
Returns the name of the signature algorithm.
Returns:
- the name of the signature algorithm.
getObject
public Object getObject()
Returns the encapsulated object. The object is
de-serialized before being returned.
Returns:
Throws:
getSignature
public byte[] getSignature()
Returns the signature of the encapsulated object.
Returns:
- a byte array containing the signature
verify
public boolean verify(java.security.PublicKey verificationKey, java.security.Signature verificationEngine)
Verifies the SignedObject by checking the signature that
this class contains for the encapsulated object.
Parameters:
Returns:
- true if signature is correct, false otherwise
Throws: