[jboss-dev] certs and verified signers
Adrian Brock
abrock at redhat.com
Tue Sep 15 11:13:14 EDT 2009
Read the fine manual :-)
http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/JarEntry.html#getCertificates()
i.e. you have to read() the entire stream before asking
for the certs/signers.
The classloader will have already done that when it loaded the byte
code, see BaseClassLoader.loadClassLocally():
// Load the bytecode
byte[] byteCode = ClassLoaderUtils.loadByteCode(name, is);
// Let the policy do things before we define the class
BaseClassLoaderPolicy basePolicy = policy;
ProtectionDomain protectionDomain = basePolicy.getProtectionDomain(name, resourcePath);
where the last line will expect the VFSClassLoaderPolicy to
get the certificates for the "resource path".
But the real reason for JBCL-67 - besides having a
mechanism to do a VirtualFile.getCertificates() - is how to do it for
non-jar files, e.g. unpacked deployments?
On Tue, 2009-09-15 at 16:26 +0200, Ales Justin wrote:
> WRT JBCL-67.
>
> I have a jar which I signed with
>
> keytool -genkeypair -alias mycert -keystore keystore -keypass ambam123
>
> jarsigner -keystore keystore -storepass ambam123
> ..\DIFramework\dist\another.jar mycert
>
> keytool -exportcert -keystore keystore -alias mycert -file mare_cert.cer
>
> keytool -importcert -file mare_cert.cer -keystore ales_store -storepass
> ambam5
>
> java -Djavax.net.ssl.trustStore=ales_store
> -Djavax.net.ssl.trustStorePassword=ambam5
>
> This jar includes com/acme/X.class.
>
> So, I would now expect when I access this class in jar via JarEntry
> to be able to get its certificates: JarEntry::getCertificates.
> But I get null.
>
> I guess I'm missing a list of verified signers?
>
> JarVerifier.class:
>
> /**
> * Return an array of java.security.cert.Certificate objects for
> * the given file in the jar.
> */
> public java.security.cert.Certificate[] getCerts(String name)
> {
> CodeSigner[] signers = getCodeSigners(name);
> // Extract the certs in each code signer's cert chain
> if (signers != null) { // <----- THIS is null in my case
>
> How do I add these signers?
> I already hacked out my security knowledge, w/o any success. ;-(
> _______________________________________________
> jboss-development mailing list
> jboss-development at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-development
--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Adrian Brock
Chief Scientist
JBoss by Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
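An added illustration of the point in Adrian's reply (example code written for this page, not JBoss or JDK code): with `JarFile` verification enabled, `JarEntry.getCodeSigners()`/`getCertificates()` stay null until the entry's bytes have been read to end-of-stream, because that is when the digest is checked against the signature block. The jar path and entry name are assumptions taken from Ales's setup.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerCheck {

    /** Drain the entry stream so JarFile can verify the entry's digest. */
    static byte[] readFully(JarFile jar, JarEntry entry) throws Exception {
        try (InputStream is = jar.getInputStream(entry);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = is.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "another.jar";   // assumed path
        // verify=true: a tampered entry throws SecurityException while reading.
        try (JarFile jar = new JarFile(path, true)) {
            JarEntry entry = jar.getJarEntry("com/acme/X.class");  // assumed entry
            if (entry == null) {
                System.out.println("entry not found");
                return;
            }
            // Before the stream is consumed the signers are not yet known.
            System.out.println("before read: " + entry.getCodeSigners());
            readFully(jar, entry);
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null) {
                // Still null after a full read means the entry is genuinely unsigned
                // (META-INF/ entries and directories are never signed).
                System.out.println("unsigned entry");
                return;
            }
            for (CodeSigner s : signers) {
                for (Certificate c : s.getSignerCertPath().getCertificates()) {
                    System.out.println("signer: " + ((X509Certificate) c).getSubjectX500Principal());
                }
            }
        }
    }
}
```

Note that a non-null signer only says the entry was signed by that certificate; whether the certificate is trusted is a separate check against a truststore, and JBCL-67's question of unpacked deployments is not covered here because there is no signature block to verify against.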