java.security

Class SignedObject

public final class SignedObject extends Object implements Serializable

SignedObject is used for storing runtime objects whose integrity cannot be compromised without being detected.

SignedObject contains a {@link Serializable} object which is yet to be signed and a digital signature of that object.

The signed copy is a "deep copy" (in serialized form) of an original object. Any changes to that original instance are not reflected in the enclosed copy inside this SignedObject.

Several things to note are that, first there is no need to initialize the signature engine as this class will handle that automatically. Second, verification will only succeed if the public key corresponds to the private key used to generate the digital signature inside this SignedObject.

For fexibility, the signature engine can be specified in the constructor or the verify() method. Programmers wishing to verify SignedObjects should be aware of the {@link Signature} engine they use. A malicious or flawed {@link Signature} implementation may always return true on verification thus circumventing the intended secrity check provided by the SignedObject.

The GNU security provider offers an implementation of the standard NIST DSA which uses "DSA" and "SHA-1". It can be specified by "SHA/DSA", "SHA-1/DSA" or its OID. If the RSA signature algorithm is provided then it could be "MD2/RSA". "MD5/RSA", or "SHA-1/RSA". The algorithm must be specified because there is no default.

Since: 1.2

See Also: Signature

Constructor Summary
SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine)
Constructs a new instance of SignedObject from a {@link Serializable} object.
Method Summary
StringgetAlgorithm()
Returns the name of the signature algorithm.
ObjectgetObject()
Returns the encapsulated object.
byte[]getSignature()
Returns the signature bytes of the encapsulated object.
booleanverify(PublicKey verificationKey, Signature verificationEngine)
Verifies the encapsulated digital signature by checking that it was generated by the owner of a designated public key.

Constructor Detail

SignedObject

public SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine)
Constructs a new instance of SignedObject from a {@link Serializable} object. The object is signed with a designated private key and a signature engine.

Parameters: object the object to sign. signingKey the key to use. signingEngine the signature engine to use.

Throws: IOException if a serialization error occurred. InvalidKeyException if the key is invalid. SignatureException if a signing error occurs.

Method Detail

getAlgorithm

public String getAlgorithm()
Returns the name of the signature algorithm.

Returns: the name of the signature algorithm.

getObject

public Object getObject()
Returns the encapsulated object. The object is de-serialized before being returned.

Returns: the encapsulated object.

Throws: IOException if a de-serialization error occurs. ClassNotFoundException if the encapsulated object's class was not found.

getSignature

public byte[] getSignature()
Returns the signature bytes of the encapsulated object.

Returns: the signature bytes of the encapsulated object.

verify

public boolean verify(PublicKey verificationKey, Signature verificationEngine)
Verifies the encapsulated digital signature by checking that it was generated by the owner of a designated public key.

Parameters: verificationKey the public key to use. verificationEngine the signature engine to use.

Returns: true if signature is correct, false otherwise.

Throws: InvalidKeyException if the key is invalid. SignatureException if verification fails.