Verify modified jar files
Hi all,
I would like to address a few issues that I have with signed jar files.
1. I have signed a jar file and am still able to open and change in WinZip. Can I encrypt it so that the contents are not visible in WinZip. If I have an XML or a Text file. I can still change it in WinZip and after I verify it, it verifies successfully, even though the file structure and time-stamp changed.
Web Start does not recognize the change in the time-stamp because the time on the client is newer than the timestamp of the jar file on the server and hence It does not update.
Any ones thoughs?
Thank you
Sameer Jaffer
1. I have signed a jar file and am still able to open
and change in WinZip.Which is correct behaviour.
A signed jar is a jar which comes with a list of signatures for
its entries.
The META-INF/MANIFEST.MF lists entries plus their cryptographic hash number.
The idea is not to hide content, but to show that the contents are authentic, by providing others a means to calculate and compare cryptographic hash numbers.
Can I encrypt it so that the
contents are not visible in WinZip. If I have an XML
or a Text file. I can still change it in WinZip and
after I verify it, it verifies successfully, This is strange. I guess that xml or test file doesn't show up in the manifest.
It should look like this:
Manifest-Version: 1.0
Main-Class: com.foo.bar
Created-By: 1.3.0 (IBM Corporation)
Name: org/w3c/dom/html/HTMLDivElement.class
SHA1-Digest: KEGYSI2N6pAlc/5X7uVJu8JgEz0=
Name: com/klg/jclass/util/swing/icons/JCBraceIcon32.gif
SHA1-Digest: WPiVbRyUePXzwDmBwRJVAsrN6Qo=
Because you should have provided a new hash once you changed the entry.
Otherwise Web Start, when verifying the entries (which means it calculates its own hash numbers of the jar entries and then compares them to the hash number listed in the manifest) should complain.
Regards,
Marc
Similar Messages
-
Verifying signed jar files programmatically
Hi,
We need to verify the signatures of jar files without using system commands ( e.g. jarsigner.exe ).
The code below is how I tried to extract the certificates associated with the jar entries:
FileInputStream fileIs = new FileInputStream( somefile );
boolean verify = true;
JarInputStream jarIs = new java.util.jar.JarInputStream( fileIs, verify );
JarEntry entry = null;
while ( ( entry = jarIs.getNextJarEntry() ) != null ) {
if ( !entry.isDirectory() && ! isManifest( entry ) ) {
... read entire the byte stream associated with the entry
Certificate[] certs = entry.getCertificates();
// certs always returns null
I am not able to extract certificates associated with the jarentries this way, because the entry.getCertificates always return null.
What is it that I do not understand? Is there a way to do this?
regards,
jorritI got the same problem. And I have done some experiment. The code below it works. Note: in order to use the code direcctly, the last entry has to be class that has a certificate. You might try with a signed jar that have only one class inside. I am lazy to write for other cases.
try {
File file = new File(jarFilename);
FileInputStream fileIs = new FileInputStream(file);
boolean verify = true;
JarInputStream jarIs =
new java.util.jar.JarInputStream(fileIs, verify);
JarEntry entry = null;
JarEntry Entry = null;
while ((entry = jarIs.getNextJarEntry()) != null ) {
if (!entry.isDirectory()) {
Entry = entry;
Certificate[] certs = Entry.getCertificates();
if(certs == null)
System.out.println("The entry has no certificate.");
else {
System.out.println(Array.getLength(certs));
for(int i = 0; i < Array.getLength(certs); i++)
System.out.println(certs.toString());
} catch (Exception e) {
System.out.println("Something went wrong.");
System.out.println(e.toString());
The problem is that we need to read the jarIs until you reach the last entry before you getCertificates. I sounds stupid, isn't it.
Enjoy your work.
Nawa -
Modifying JAR file using java.util.jar package over the network
Hello,
I am modifying a JAR file programmatically using java.util.jar package. The time taken to save the contents to a local disk is very less (around 1 sec) . When I tried modifying the JAR from a remote machine over the network (from mapped drive or shared folder of WIN NT), the time taken to save is 15-20 times more.
I am recreating the whole JAR while modifying. Is there any way to improve the performance. Or is it possible to write only the changed files?
Thanks,
Prasad Y S.When you "update" a jar file, you must always recreate it from scratch.
-
Verify a jar's manifest class-path
I want to verify a jar file's manifest class-path. By that I mean I want to verify that every import of every class in the jar file is reachable on the classpath specified in the jar file's manifest. I tried using a ClassLoader to load every class in the jar file and that does indeed catch a few errors (imported classes that are not on the classpath), but it does not catch them all -- I have situations where loading the class works fine, but when the code is executed, I get NoClassDefFoundError because an imported class is missing from the classpath. I have tried things like calling getDeclaredMethod() on the loaded class to sortof force all the imports to be resolved, but that apparently does not work.
So, can someone tell me how to sortof "force" a loaded class to reference/validate all its imports?
Thanks,
LeeWell yes, I know that executing the code would do it. But I'm not in a position to execute the code -- I'm doing this during a build and want to verify that I've built all the jars properly and have all the right classpaths. It's actually quite easy to use ANT to compile and create jar files that produce NoClassDefFoundError at runtime, due to leaving needed classes from the jar, or from bogus classpaths in the jar's manifest.
So, I was hoping there was some other way to do this. Perhaps I need to do something ugly like examining the bytecodes of each method...
Thanks,
Lee -
Hi,
I must to modify jar file umelogonbase.jar (in the package com.sapportal.runtime.logon)
To do this I have created a java project with SAP NWDS.
Then into this project, I have done an import of a zip file (umelogonbase.jar) to create a the same tree of directory than in the jar, to keep the .properties ...
With DJ Java Decompiler I got the .java files. I put theses files at the same level then the .class (in the same folders). Then I removed the .class files.
Finally I have added to the project the libraries needed (Properties/Java Build Path).
When I do an export of the project to create a jar file, my jar file is created, but there are only the java sources files and not the class files. It seems that the project is not compilated.
When I use the command Project/Rebuild Project, nothing happen.
My goal is to create a JAR file with an identical architecture that the original. Just some classes will be modified. In this way I will can to replace the original jar file to the modified jar file.
Can you tell me how to process.
Regards
Jean-Philippe DemogetJean,
I'm not sure what you menat by "..have created a java project with...", I done the same so I'll try to explain how:
1. got the <b>com.sapportal.runtime.logon.par.bak</b> and renamed it to <b>.par</b>
2. imported the par into NWDS (<i>File -> Import -> PAR file</i>) = created a project (with a new=custom name)
3. got the <b>.JAR</b> files from the original <b>.PAR</b> and decompiled them somewhere
4. renamed the <b>.JAD</b> to <b>.JAVA</b>, removed <b>.CLASS</b>
5. moved the folder structure of decompiled <b>.JAVA</b> to <b>src.api</b> of the project structure
6. refreshed the project and tried to rebuild (a lot of classpath issues)
7. found the wanted <b>.JAR</b> files and added to the project as external libraries, so my final <b>.classpath</b> file looked like this (for EP6.0 SP2 - it can help you to find the right ones):
<?xml version="1.0" encoding="UTF-8"?>
<classpath>
<classpathentry kind="src" path="src.api"/>
<classpathentry kind="var" path="JRE_LIB" sourcepath="JRE_SRC"/>
<classpathentry kind="src" path="src.core"/>
<classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.developmentTools_1.2.0/prtapi.jar"/>
<classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.developmentTools_1.2.0/soapapi.jar"/>
<classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.developmentTools_1.2.0/inqmyxml.jar"/>
<classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.developmentTools_1.2.0/inqmysoap.jar"/>
<classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.developmentTools_1.2.0/prttest.jar"/>
<classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.developmentTools_1.2.0/com.sap.security.api.jar"/>
<classpathentry kind="lib" path="C:/Romano/Develop/java/ep 6.0/lib/com.sap.portal.themes.lafservice/lib/com.sap.portal.themes.lafserviceapi.jar"/>
<classpathentry kind="lib" path="C:/Romano/Develop/java/ep 6.0/lib/servlet.jar"/>
<classpathentry kind="lib" path="C:/Romano/Develop/java/ep 6.0/lib/com/sap/security/api/com.sap.security.core.jar"/>
<classpathentry kind="lib" path="C:/Romano/Develop/java/ep 6.0/lib/jaas.jar"/>
<classpathentry kind="lib" path="C:/Romano/Develop/java/ep 6.0/lib/prtcore.jar"/>
<classpathentry kind="output" path="classes.api"/>
</classpath>
8. rebuilt the projet succesfully
9. deployed
This should work for sure.
Hope this helps,
Romano -
Verifying signed Jar using Java code
Hi,
I have been looking for a way to verify signed or unsigned jar from java code.
I have to use the jar name and from here, I have to verify the digital signature. For this goal I have found some Java classes which can be useful for me. These classes would be JarEntry class, from which I could get the certificates. Signature class, whose methods let me verify the digital signatures, and Certificate class. I also found a class called SignedObject from I could get the signature data which the method getSignature (), but the problem here it is that I need a private key in the SignedObject constructor, which is not possible since I want to verify a signed jar which I am not able to know the private key, just public key. So, could anybody tell me how I could solve this problem?
My code would be some as shown below:
jar = new JarEntry (location);
jarcertificates = jar.getCertificates();
/* We should check all the certificates
if (jarcertificates != null){
for (int i=0;i<jarcertificates.length;i++){
sig.initVerify(jarcertificates);
sig.update(jar.getExtra());
sig.verify( DIGITAL SIGNATURE FROM JAR SHOULD BE HERE);
I guess that I have to use jar.getExtra () in order to get the data to put in Signature.update() method but I am not sure, am I wrong?
Thanks in advanceHere is some sample code to verify a jar file:
JarFile jf = new JarFile(args[0], true);
byte[] buffer = new byte[8192];
Enumeration e = jf.entries();
ArrayList entries = new ArrayList();
while (e.hasMoreElements()) {
JarEntry je = (JarEntry) e.nextElement();
entries.add(je);
InputStream is = jf.getInputStream(je);
while (is.read(buffer, 0, buffer.length) != -1) {
// we just read. this will throw a SecurityException
// if a signature/digest check fails.
is.close();
}To validate the certificate chain, you can call JarEntry.getCertificates(), create a CertPath from the array of Certificates (using a CertificateFactory), and then use the CertPathValidator APIs. For more information, see the PKI Programmer's guide: http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html -
How to modify a specific class in jar file ?
I've downloaded a jar file for applet, the jar file works fine... but when I extract a specific class file from the jar file and just recompie it from my IDE (Eclipse) without even making any change and then compress again jar class files including the new modified class file instead of the old one (without any modifications to other classes)... then I get
(NoSuchMethodError ) exception whenever methods of other classes are invoked from within the modified class !!
...The manifist file of the jar file reads the following line
Created-By: 1.4.0_01 (Sun Microsystems Inc.)
I thought it means that jar class files were built using JDK 1.4.0_01 ...I used JDK 1.5.0_01 in my IDE...
I thought JRE incompatiblity was the reason of the problem so I downloaded JRE 1.4.0_01 and used it to build this class file... but i got the same exception..
so what is the main reason of the problem ? ...should I make changes to IDX files accompanying applet jar files ??
If no, then how can I overcome this problem and be able to change and rebuild a specific class from this jar file ?
(I cannot rebuild all classes in jar because there are errors I cannot resolve !!)Could you please clarify: do you want to run your project or a project from an independent jar?
In the first case just select Run Project from the project context menu or select a class with main method and click Run File in the class context menu.
Regarding the second case:
- I don't think there is such a feature in the IDE (running third party jars is not an IDE function). Could you explain why you need this? -
Error:verifier jar file not found
Hi,
I found problem "verifier jar file not found" while building a package in Aspects Developer Evaluation version.
Pls guide me regarding my problem if any body could.Include the offcardverifier.jar file in your classpath, you will find this file under $java_card_kit-2_2_2\lib
Regards,
Amr. -
Problem when modifying the jar file of a portal component
I get the umelogonbase.jar from the com.sap.portal.runtime.logon component, extract it with winzip, do not make any changes to the source code, then re-create the jar file and add it back to the component. Now, when I deploy the component to the Portal I get the following error:
"Portal Runtime Error
An exception occurred while processing a request for :
iView : N/A
Component Name : N/A
com/sap/security/core/logonadmin/IAccessToLogic.
Exception id: 10:30_08/08/07_0012_15067450
See the details for the exception ID in the log file"
any idea what I am doing wrong here?
I am doing this because I need to change the texts in the umelogonbase.jar, so this is the first step to see that the component still runs once I modify the jar file.
Note: I create the jar file by creating a jar-type project in NWDS and then exporting the project as jar.Do you have JDK installed? If not then please install it by downloading from http://java.sun.com/j2se/1.4.2/download.html. Install it in your local machine. Then inside the installation folder\bin folder you will find the jar.exe.
Also create the environment parameter named JAVA_HOME and set the value as the installation directory of JDK for example JAVA_HOME=C:\j2sdk1.4.2_13. Also add the following to your Path environment variable
C:\j2sdk1.4.2_13\bin;C:\j2sdk1.4.2_13\lib;
these path names should vary depending upon your actual JDK installation folder name.
Regards,
Shubho -
Modifying existing jar file, how?
Hi there,
I have a problem trying to modify an existing jar file. When I want to create a jar file, I use something like:
REM build the application on windows, assuming the java/bin
REM directory is in the path environment variable
REM application is just the directory I am using
SET cp = c:\application\TestApp
javac -classpath %cp% TestApp.java
REM ****************************************
REM do packaging and adding manifest
REM ****************************************
jar cvfm App.jar manifest.mf TestApp*.class
REM ****************************************
REM run the jar file
REM ****************************************
javaw -jar App.jar
But now, I have an existing jar file (swingall.jar) and I want to modify a class within that file. So, I modified the .java file, and compiled it to get my new class file.
And the question is, how do I modify the existing file, so that I keep everything the same, except the modified class?
Thanks
FernandoI have just found out that I can't use "u". It seemsthat's only
possible with older versions of jar.Huh? I'm using the 1.4.2-b28 jdk, it's still there,
and I don't see how it could ever possibly be
removed.
Type:
jar
with no arguments to see all the options to jar.I already did, to double check it, and this is what I got:
C:\Documents and Settings\Fernando Sanz>jar
Usage: jar {ctx}[vfm0M] [jar-file] [manifest-file] files ...
Options:
-c create new archive
-t list table of contents for archive
-x extract named (or all) files from archive
-v generate verbose output on standard error
-f specify archive file name
-m include manifest information from specified manifest file
-0 store only; use no ZIP compression
-M Do not create a manifest file for the entries
If any file is a directory then it is processed recursively.
The manifest file name and the archive file name needs to be specified
in the same order the 'm' and 'f' flags are specified.
Example: to archive two class files into an archive called classes.jar:
jar cvf classes.jar Foo.class Bar.class
Note: use the '0' option to create a jar file that can be put in your CLASSPATH
Thanks for trying with jdk 1.4, I don't have it installed in my computer right now, so I'll try tomorrow with another computer at Uni.
Thanks! -
Aspects Developer "Verifier jar file not found error"
Hello all.
I'm working in a Java Card project and I have some troubles.
When I tried to compile, verify and load my solution in Aspects Developer's Software, I achieved the following error message: " could not found Verifier jar file".
So I couldn't test my applet nor simulate it.
Then I compiled myself (with Java Card's commands) and execute the verifier file provided with Java Card, and all was good, so i decided to test my java card applet on the simulator or the real card, both with Aspects Developer SW.
Then the error I got was "Read past end of stream".
What am I doing in the wrong way?What can I do test my applet in a Simulator?
Thank very much for your help.
Regards.
Mike L.Hi,
This error message indicates that an incompatible version of the Java JDK is being used with Developer.
The release notes distributed with Developer are a little misleading. Currently Developer supports Java JDK versions greater than 1.2.2 but not 1.4.x. For example, I have JDK 1.3.1_06 installed on my machine.
Developer currently supports JavaCard development kit 2.1.2 and this specification restricts the versions of JDK that can be used. For more detail look at JCDevKit_User_Guide.pdf which can be found under <JAVA_CARD_INSTALL_DIR>\java_card_kit-2_1_2\doc\en\guides
Cheers,
Alasdair -
Is it possible to verify a signed jar-file from a program?
Is it possible to verify a signed jar-file from a program
(using some API) likewise jarsigner does?Is it possible to verify a signed jar-file from a
program
(using some API) likewise jarsigner does?Hi,
You would have to open the jarfile, read each jar entry and for each of them do a getCertificates() and then in turn verify each certificate with the public key of the enclosed certificates in the jar file.
An easier solution would be to use the verify flag of the JarFile or JarInputStream.
Hope it helps..
Cheers,
Vijay -
How to modify the jar files information for Script Assets??
Hi,
I am using Open Script 9.2. We can add the external JAR files using Script->Script Properties--> Script Assets. I need to change the jar files when ever i am going to execute no of scripts. How can I modify them using JAVA Coding without manual handling. Is there any specific methods existed in OpenScript to serve the above scenario.
Thanks in Advance.
Thanks & Regards,
Siva ThotaHi,
When you say alter the jar file, do you mean alter the contents of the java code within the jar. If this is yes then the simple answer is no. As you are probably aware, a jar file contains pre-compiled java code, which you will not be able to alter. What is it you are trying to achieve?
A simple answer maybe to use a child script which you can include into your main script. You can then change the code in the child script, and when you play back, this 'new' code will be compiled, and included within the replay.
Regards
Wayne. -
Revision: 11717
Author: [email protected]
Date: 2009-11-12 11:54:22 -0800 (Thu, 12 Nov 2009)
Log Message:
Bug Fixing Localized SDK - modified one file xercesSchema.properties in xercesImpl_ja.jar - added " to one JA string.
ANT CLEAN MAIN successful
Modified Paths:
flex/sdk/trunk/lib/xercesImpl_ja.jar -
Update jar file with modified class files
hi all,
I'm developing a jar utility for updating a jar file with modified class files as of now i have reached a point where in i can browse files and set it to required location
i.e i have developed a swings GUI application using JfileChooser and browse the files ..now my requirement is to update the jar files with modified class file
GUI looks like below
....enter the modified class file ----> d:\c.class
....enter the jar file path ---> d:\a.jar
update button now i have the requirement as
1> when i click on the update button ,my jar file (a.jar) should get updated with the latest class file (c.class)
can u help me to achieve this requirement.???
im stuck with this,,,if u can provide me wit the code for updating jar file with latest class file...it will really be helpful
if u can help me with the code on click on update button it will be really helpful
Thanks and expecting a faster response from u all java experts....Please find my query in bolds...i have written the partial code now,i need some help now
hope u guys can help me out...
import javax.swing.*;
import java.awt.*;
import java.awt.event.*;
import java.io.File;
public class FileExplorer extends JDialog implements ActionListener
JTextField txtLocation_class;
JButton btnBrowse_class;
JLabel label_class;
JTextField txtLocation_jar;
JButton btnBrowse_jar;
JLabel label_jar;
JButton updatebutton;
public FileExplorer()
setSize(600,300);
//for class files
label_class = new JLabel("Please select Modified Class File");
txtLocation_class= new JTextField(20);
btnBrowse_class = new JButton("Browse");
btnBrowse_class.addActionListener(this);
//for jar files
label_jar = new JLabel(" Please select the Jar file");
txtLocation_jar= new JTextField(20);
btnBrowse_jar = new JButton("Browse");
btnBrowse_jar.addActionListener(this);
ActionListener updateListener = new ActionListener(){
public void actionPerformed(ActionEvent ae){
if(ae.getActionCommand().equalsIgnoreCase("Update")){
System.out.println("ae.getActionCommand() :: "+ae.getActionCommand());
System.out.println("Update Button is pressed");
*//Query :how do i access FilePath and FilePath1 here which*
* // has been set in public void actionPerformed(ActionEvent ae)*
* //method below*
* // FilePath ---??*
* // FilePath1 ---??*
* // how do i access the above 2 parameters*
* //Query :on click of update button i have to pass*
* //two parameters FilePath and FilePath1 to*
* //perform some functionality. please help me*
* //to achieve this..how do i access Filepath and Filepath1*
* //here which has been set below.*
} // end of if
} // end of actionPerformed
};// end of ActionListener
updatebutton = new JButton("Update");
updatebutton.addActionListener(updateListener);
//adding to the panel
JPanel pnl = new JPanel();
pnl.add(label_class);
pnl.add(txtLocation_class);
pnl.add(btnBrowse_class);
pnl.add(label_jar);
pnl.add(txtLocation_jar);
pnl.add(btnBrowse_jar);
pnl.add(updatebutton);
getContentPane().add(pnl);
public void actionPerformed(ActionEvent ae)
Object obj=ae.getSource();
if(obj==btnBrowse_class)
final JFileChooser fcstudent = new JFileChooser();
int rtrnval = fcstudent.showOpenDialog(this);
if(rtrnval==JFileChooser.APPROVE_OPTION)
try
File file=fcstudent.getSelectedFile();
String path = file.getPath();
System.out.println("This is Path:"+path);
txtLocation_class.setText(""+path);
String FilePath=txtLocation_class.getText();
System.out.println("FilePath is ::"+FilePath);
catch(Exception ex)
ex.printStackTrace();
}else if(obj==btnBrowse_jar){
final JFileChooser fcstudent = new JFileChooser();
int rtrnval = fcstudent.showOpenDialog(this);
if(rtrnval==JFileChooser.APPROVE_OPTION)
try
File file=fcstudent.getSelectedFile();
String path1 = file.getPath();
System.out.println("This is Path:"+path1);
txtLocation_jar.setText(""+path1);
String FilePath1=txtLocation_jar.getText();
System.out.println("FilePath is ::"+FilePath1);
catch(Exception ex)
ex.printStackTrace();
public static void main(String arg[]){
FileExplorer Exm= new FileExplorer();
Exm.setVisible(true);
}
Maybe you are looking for
-
I can't open my Itunes program in my laptop computer with windows 8. the message is "Itunes has stopped working. A problem causess the program to stop working properly. windows will close the program and notify you if a solution is available". I rebo
-
Photoshop CS2 Layer Styles / Blending Options stopped working
I'm running Photoshop CS2 on PC. When right clicking on layers to bring up the Layer Styles / Blending Options palette, I can get the palette okay but the selections won't work when I check the boxes. I try to select different options....drop shadow,
-
TO IGNORE A HEADER IN A FLAT FILE (SENDER) XI
Developing a solution XI in file-jdbc cenario and the file is a flat file with header line and various detail lines. I need to write the jdbc table ignoring the header line of the flat file. How can We do this? Someone can help me? Thanks and regar
-
Iphone6 why can't I save more than one contact?
iphone 6 why can't i save more than one contact?
-
Table will not show mutiple price values
I am unable to go beyond 152 for my property price. I want it to say 152000. This is what I put into Oracle: SELECT * FROM Property; PROPERTY_NUM PROPERTY_ADDRESS PROPERTY_CITY PROPERTY_STATE PROPERTY_ZIP PROPERTY_PRICE PROPERTY_TYPE 0001 245 Benner