JavaRanch » Java Forums » Engineering » Security
Signing questions

Tom Landry
Ranch Hand

Joined: May 26, 2013
Posts: 76
If a jar file is signed for a web application at what level does the verification occur (web server, browser....)?

What does it look for? Does it verify that all components (CN, OU, O, L, ST, C) are all entered in?

How does it know that it is valid and tell the difference that some random person didn't sign it?
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 39416
I think this question is too difficult for us “beginners”, so I shall move it (I hope to the right place).
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18662
I'm not sure what "verification" you are referring to but let me try answering that question assuming it means what I think it does.

When you create a certificate, you can put anything you like in those places. It's just information. No verification takes place, as far as I know. And if the jar is part of a web application, there's nothing that looks at the certificate anyway. That would only happen when the Java environment on the client side had to use the jar file to run an applet or a Java Web Start application.

And if you were talking about the client-side situation, the verification is done by the user. The browser plugin pops up a security box saying "This application was signed by Tom Landry, do you want to run it?" and it's up to the user to say yea or nay to that.

That's if you create your own certificate and sign it. If you get a certificate from one of the companies that sell them, and use that to sign your jar, then the browsers already have that certificate in their trust store and they'll give you a much less scary security box.

Are we going in the right direction with that answer?
Tom Landry
Ranch Hand

Joined: May 26, 2013
Posts: 76
That actually does help.

I do recall running an application that was failing, and after reviewing the error stack it stated the jar file was not signed.

If it is the client that is doing the verification, how would it know whether or not a given application is to be signed or not?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18662
Tom Landry wrote: If it is the client that is doing the verification, how would it know whether or not a given application is to be signed or not?


Usually the client doing the verification is a human being. So it's up to that human to decide whether they approve of what they see of the signed jar.

If you're asking about a hypothetical situation where an application would (in an automated way) check whether a jar was signed or not, then presumably it was programmed to do that check. It may be that there was supposed to be a client certificate in place, or something like that, but that may or may not have anything to do with the situation you observed.
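Paul's two answers above describe what actually happens when the Java runtime on the client loads a signed jar: each entry's digest is checked against the manifest, the manifest against the .SF file, the .SF file against the signature block, and the signer's certificate chain either leads to a root in the trust store or it does not, while the DN fields (CN, OU, O, L, ST, C) are carried along as free text that nobody validates. The program below is an added example, not code from the thread, that performs that check in an automated way with the standard java.util.jar and java.security.cert APIs and reports, per entry, whether it is unsigned, tampered with, signed by a certificate that chains to the JDK's default cacerts store, or signed by a certificate (for instance a self-signed one made with keytool) that does not. The class name JarSignatureCheck, the keystore alias "tom" and the DN in the comment are made-up values; using the JDK's TLS trust store as the anchor set is an approximation of what the applet/Web Start plug-in consulted, since the plug-in also had its own deployment trust stores.

```java
// Added example, not code from the thread. Made-up values: class name, alias "tom", DN.
// To build a jar to point this at (standard JDK tools):
//   keytool -genkeypair -alias tom -keyalg RSA -keysize 2048 -validity 365 \
//     -dname "CN=Tom Landry, OU=Dev, O=Example, L=Dallas, ST=TX, C=US" \
//     -keystore ks.jks -storepass changeit -keypass changeit
//   jarsigner -keystore ks.jks -storepass changeit app.jar tom
//   javac JarSignatureCheck.java && java JarSignatureCheck app.jar
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class JarSignatureCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: java JarSignatureCheck <file.jar>"); System.exit(2); }
        Set<TrustAnchor> anchors = defaultTrustAnchors();
        // verify=true: as entries are read, the JDK checks each entry's digest against
        // MANIFEST.MF, the manifest digests against the .SF file, and the .SF file's
        // signature against the PKCS#7 block (.RSA/.DSA/.EC) in META-INF.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer info is only populated once the entry has been read to EOF;
                // a modified entry fails its digest check and throws SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException tampered) {
                    System.out.println(e.getName() + ": TAMPERED (" + tampered.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println(e.getName() + ": unsigned");
                    continue;
                }
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath();
                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    // The subject DN is whatever the key's owner typed into keytool;
                    // nothing in the signature check validates those fields.
                    String dn = leaf.getSubjectX500Principal().getName();
                    System.out.println(e.getName() + ": signed by " + dn
                            + " [" + chainsToTrustStore(path, anchors) + "]");
                }
            }
        }
    }

    /** Whether the signer's chain leads to a root the JDK already trusts. */
    static String chainsToTrustStore(CertPath path, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        // PKIX validates the path *up to* an anchor, which is supplied separately,
        // so drop any certificate in the chain that is itself a trust anchor.
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : path.getCertificates()) {
            X509Certificate x = (X509Certificate) c;
            if (anchors.stream().anyMatch(a -> x.equals(a.getTrustedCert()))) break;
            chain.add(x);
        }
        if (chain.isEmpty()) return "signer certificate is itself a trust anchor";
        CertPath trimmed = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline demo; enable CRL/OCSP checks in production
        try {
            CertPathValidator.getInstance("PKIX").validate(trimmed, params);
            return "chains to a trusted root";
        } catch (CertPathValidatorException ex) {
            // A self-signed certificate made with keytool lands here:
            // "Path does not chain with any of the trust anchors".
            return "NOT trusted: " + ex.getMessage();
        }
    }

    /** The JDK's default trust store (cacerts) as a set of PKIX trust anchors. */
    static Set<TrustAnchor> defaultTrustAnchors() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore => the JDK default trust store
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : tm.getAcceptedIssuers()) anchors.add(new TrustAnchor(root, null));
        return anchors;
    }
}
```

Run it against the self-signed jar from the comment and every entry reports "signed by CN=Tom Landry,..." followed by "NOT trusted", which is exactly the case that gets the scary dialog; a jar signed with a certificate bought from a CA in cacerts reports "chains to a trusted root"; a jar that was never run through jarsigner reports "unsigned" for every entry, which is the condition behind the "jar file was not signed" error Tom mentions, raised by whatever component (the plug-in, or a policy file granting permissions with `signedBy`) had decided that only signed code was acceptable. `jarsigner -verify -verbose -certs app.jar` performs the same digest and chain checks from the command line and additionally checks that the certificate's ExtendedKeyUsage permits code signing and whether the signature carries a timestamp, which the example above deliberately leaves out.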
Christine Kasavetova
Greenhorn

Joined: Oct 28, 2013
Posts: 6
@Paul really useful post, thanks