java.security
public final class SignedObject extends Object implements Serializable
SignedObject is used for storing runtime objects whose
integrity cannot be compromised without being detected.
SignedObject contains a {@link Serializable} object which is
yet to be signed and a digital signature of that object.
The signed copy is a "deep copy" (in serialized form) of an original
object. Any changes to that original instance are not reflected in the
enclosed copy inside this SignedObject.
Several things to note are that, first there is no need to initialize the
signature engine as this class will handle that automatically. Second,
verification will only succeed if the public key corresponds to the private
key used to generate the digital signature inside this
SignedObject.
For fexibility, the signature engine can be specified in the constructor
or the verify() method. Programmers wishing to verify
SignedObjects should be aware of the {@link Signature} engine
they use. A malicious or flawed {@link Signature} implementation may always
return true on verification thus circumventing the intended secrity check
provided by the SignedObject.
The GNU security provider offers an implementation of the standard NIST DSA which uses "DSA" and "SHA-1". It can be specified by "SHA/DSA", "SHA-1/DSA" or its OID. If the RSA signature algorithm is provided then it could be "MD2/RSA". "MD5/RSA", or "SHA-1/RSA". The algorithm must be specified because there is no default.
Since: 1.2
See Also: Signature
| Constructor Summary | |
|---|---|
| SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine)
Constructs a new instance of SignedObject from a
{@link Serializable} object. | |
| Method Summary | |
|---|---|
| String | getAlgorithm()
Returns the name of the signature algorithm.
|
| Object | getObject()
Returns the encapsulated object. |
| byte[] | getSignature()
Returns the signature bytes of the encapsulated object.
|
| boolean | verify(PublicKey verificationKey, Signature verificationEngine)
Verifies the encapsulated digital signature by checking that it was
generated by the owner of a designated public key.
|
SignedObject from a
{@link Serializable} object. The object is signed with a designated
private key and a signature engine.
Parameters: object the object to sign. signingKey the key to use. signingEngine the signature engine to use.
Throws: IOException if a serialization error occurred. InvalidKeyException if the key is invalid. SignatureException if a signing error occurs.
Returns: the name of the signature algorithm.
Returns: the encapsulated object.
Throws: IOException if a de-serialization error occurs. ClassNotFoundException if the encapsulated object's class was not found.
Returns: the signature bytes of the encapsulated object.
Parameters: verificationKey the public key to use. verificationEngine the signature engine to use.
Returns: true if signature is correct, false
otherwise.
Throws: InvalidKeyException if the key is invalid. SignatureException if verification fails.