The first example reads a file into a byte array and wraps that byte array in a SignedObject instance.
import java.io.*;
import java.security.*;
// Read a file from disk.
File fileIn = new File(...);
FileInputStream fileinputstream = new FileInputStream(fileIn);
byte [] rgb = new byte [(int)fileIn.length()];
// A single read() call may return before the array is full;
// readFully() keeps reading until it is.
new DataInputStream(fileinputstream).readFully(rgb);
fileinputstream.close();
// Assume the private key comes from somewhere, is created, or is
// deserialized from the file on disk.
PrivateKey privatekey = ...
// For this example, we'll use the "DSA" algorithm, which is part
// of Sun's standard library.
Signature signature = Signature.getInstance("DSA");
// The constructor serializes rgb and signs the serialized bytes.
SignedObject signedobject = new SignedObject(rgb, privatekey, signature);
The accompanying example shows how to verify the signed object and obtain the wrapped object.
import java.io.*;
import java.security.*;
// Read the serialized signed object from disk.
File fileIn = new File(...);
FileInputStream fileinputstream = new FileInputStream(fileIn);
ObjectInputStream objectinputstream = new ObjectInputStream(fileinputstream);
SignedObject signedobject = (SignedObject)objectinputstream.readObject();
objectinputstream.close();
// Assume the public key comes from somewhere, is created, or is
// deserialized from the file on disk. It should correspond
// to the private key used to sign the object.
PublicKey publickey = ...
// For this example, we'll use the "DSA" algorithm, which is part
// of Sun's standard library.
Signature signature = Signature.getInstance("DSA");
// verify() reports a bad signature by returning false, not by
// throwing, so check the result before using the wrapped object.
if (!signedobject.verify(publickey, signature)) {
  throw new SignatureException("signature verification failed");
}
byte [] rgb = (byte [])signedobject.getObject();
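An added example, not part of the original article or its downloadable source: a complete sign, store, load and verify round trip that unwraps the payload only when verify() returns true, and shows a mismatched public key being rejected. It assumes a freshly generated 2048-bit DSA key pair and uses the "SHA256withDSA" algorithm name in place of the article's "DSA"; the class and method names are illustrative.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class SignedObjectRoundTrip {
  // Serialize a SignedObject the way it would be written to untrusted media.
  static byte[] store(SignedObject so) throws IOException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(so);
    }
    return bytes.toByteArray();
  }

  // Deserialize, verify, and only then unwrap; returns null if verification fails.
  static byte[] loadVerified(byte[] stored, PublicKey key) throws Exception {
    SignedObject so;
    try (ObjectInputStream in =
             new ObjectInputStream(new ByteArrayInputStream(stored))) {
      so = (SignedObject) in.readObject();
    }
    Signature verifier = Signature.getInstance("SHA256withDSA");
    if (!so.verify(key, verifier)) {
      return null; // bad signature or wrong key: never reach getObject()
    }
    return (byte[]) so.getObject();
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator generator = KeyPairGenerator.getInstance("DSA");
    generator.initialize(2048);
    KeyPair signer = generator.generateKeyPair(); // constructed signing key pair
    KeyPair other = generator.generateKeyPair();  // unrelated key pair

    byte[] rgb = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
    SignedObject so = new SignedObject(
        rgb, signer.getPrivate(), Signature.getInstance("SHA256withDSA"));
    byte[] stored = store(so);

    byte[] accepted = loadVerified(stored, signer.getPublic());
    byte[] rejected = loadVerified(stored, other.getPublic());
    System.out.println("signer's key: "
        + (accepted != null && Arrays.equals(accepted, rgb) ? "verified" : "failed"));
    System.out.println("other key:    " + (rejected == null ? "rejected" : "accepted"));
  }
}
```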
The next example illustrates how to read a file into a byte array and wrap that byte array in a SealedObject instance. Note the similarities in usage.
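import java.io.*;
import java.security.Key;
import javax.crypto.*;
// Read a file from disk.
File fileIn = new File(...);
FileInputStream fileinputstream = new FileInputStream(fileIn);
byte [] rgb = new byte [(int)fileIn.length()];
// A single read() call may return before the array is full;
// readFully() keeps reading until it is.
new DataInputStream(fileinputstream).readFully(rgb);
fileinputstream.close();
// Assume the key comes from somewhere, is created, or is
// deserialized from the file on disk.
Key key = ...
// For this example, we'll use the "DES" algorithm, which is part of
// Sun's standard library. (DES has a 56-bit key and is no longer
// considered secure; an AES key and transformation are the modern
// substitute.)
Cipher cipher = Cipher.getInstance("DES");
cipher.init(Cipher.ENCRYPT_MODE, key);
// The constructor serializes rgb and encrypts the serialized bytes.
SealedObject sealedobject = new SealedObject(rgb, cipher);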
The final example demonstrates how to obtain the wrapped object.
import java.io.*;
import java.security.Key;
import javax.crypto.*;
// Read the serialized sealed object from disk.
File fileIn = new File(...);
FileInputStream fileinputstream = new FileInputStream(fileIn);
ObjectInputStream objectinputstream = new ObjectInputStream(fileinputstream);
SealedObject sealedobject = (SealedObject)objectinputstream.readObject();
objectinputstream.close();
// Assume the key comes from somewhere, is created, or is
// deserialized from the file on disk.
Key key = ...
// For this example, we'll use the "DES" algorithm, which is part of
// Sun's standard library.
Cipher cipher = Cipher.getInstance("DES");
cipher.init(Cipher.DECRYPT_MODE, key);
// getObject() decrypts the sealed bytes and deserializes the result.
byte [] rgb = (byte [])sealedobject.getObject(cipher);
You can download the complete source code for these four examples in Resources.
Both the SignedObject class and the SealedObject class are useful additions to any developer's toolbox. They will serve you well whenever you need to ensure that nothing tampers with serialized instances stored in untrusted media (or even examines them, in the case of the SealedObject).
Next month, I will present two more extremely handy classes, the GuardedObject class and the AccessControlContext class, both of which are useful when making security decisions outside of the caller's current context.