O
only you
Unregistered / Unconfirmed
GUEST, unregistred user!
怎么作出对应的公钥和私钥对?做出的公钥和私钥有法律效力吗?(100分)
如何给用户分发公钥和私钥?类似网上银行的处理(100分)
请用java实现。谢绝灌水
如何给用户分发公钥和私钥?类似网上银行的处理(100分)
请用java实现。谢绝灌水
C
chenzhongshan
Unregistered / Unconfirmed
GUEST, unregistred user!
认识电子签名
□张丽萍/文
电子签名并非是书面签名的数字图像化。它其实是一种电子代码,利用它,收件人便能在网上轻松验证发件人的身份和签名。它还能验证出文件的原文在传输过程中有无变动。
如果有人想通过网络把一份重要文件发送给外地的人,收件人和发件人都需要首先向一个许可证授权机构(CA)申请一份电子许可证。这份加密的证书包括了申请者在网上的公共钥匙即“公共电脑密码”,用于文件验证。
在收到加密的电子文件后,收件人使用CA发布的公共钥匙把文件解密并阅读。
电子签名立法
美国总统克林顿于2000年6月30日正式签署的《电子签名法案》是网络时代的重大立法,它使电子签名和传统方式的亲笔签名具有同等法律效力,被看作是美国迈向电子商务时代的一个重要标志。
6月30日,克林顿使用一个电子卡片在电脑荧屏上签署这项法令,而密码就是他爱犬的名字。不过,为了避免引起不必要的法律效力问题,他又按传统习惯用钢笔在法律文书上签下了自己的名字。
克林顿在签署这项法律时说:“不久以后,美国人民就可以使用带有数字签名的电子卡片做他们想要做的事情了,电子签名将会应用在各个领域之中,从聘请律师到抵押贷款,无所不能。在这项具有划时代意义的法律正式生效后,人们将可以使用电子签名签订在线合同和进行电子商务,这对于新经济的发展无疑具有巨大的推动作用。”
2000年-2001年,爱尔兰、德国、日本、波兰等国政府也先后通过各自的电子签名法案。
电子签名模式
不过,电子签名法并没有具体限定未来网上签名使用何种模式。目前美国使用的电子签名主要有三种模式。
智慧卡式。使用者拥有一个像信用卡一样的的磁卡,内储有关自己的数字信息,使用时只要在电脑扫描器上一扫,然后加入自己设定的密码即成。上面克林顿“表演”用的就是这一种。
密码式。就是使用者设定一个密码,由数字或字符组合而成。有的公司提供硬件,让使用者利用电子笔在电子板上签名后存入电脑。电子板不仅记录下了签名的形状,而且对使用者签名时用的力度、定字的速度都有记载。如有人想盗用签名,肯定会露出马脚。
生物测定式。就是以使用者的身体特征为基础,通过某种设备对使用者的指纹、面部、视网膜或眼球进行数字识别,从而确定对象是否与原使用者相同。许多公司的电脑程序实际运用的大都是将两种或三种技术结合在一起,这样可以大大提高电子签名的安全可靠性。
电子签名和加密技术
电子签名和加密技术,电子签名技术的实现需要使用到非对称加密(RSA算法)和报文摘要(HASH算法)。
非对称加密是指用户有两个密钥,一个是公钥,一个是私钥,公钥是公开的,任何人可以使用,私钥是保密的,只有用户自己可以使用。该用户可以用私钥加密信息,并传送给对方,对方可以用该用户的公钥将密文解开,对方应答时可以用该用户的公钥加密,该用户收到后可以用自己的私钥解密。公私钥是互相解密的,而且绝对不会有第三者能插进来。
报文摘要利用HASH算法对任何要传输的信息进行运算,生成128位的报文摘要,而不同内容的信息一定会生成不同的报文摘要,因此报文摘要就成了电子信息的“指纹”。
有了非对称加密技术和报文摘要技术,就可以实现对电子信息的电子签名了。
电子签名的软件应实现的功能
文档电子签名软件是一种电子盖章和文档安全系统,可以实现电子盖章(即数字签名)、文档加密、签名者身份验证等多项功能。对于签名者的身份确认、文档内容的完整性和签名不可抵赖性等问题的解决具有重要作用。
使用数字证书对Word文档进行数字签名,保证签名者的签名信息和被签名的文档不被非法篡改。签名者可以在签名时对文档签署意见,数字签名同样可以保证此意见不被篡改。
软件应嵌入Word环境,集成为应用组件,使用简便,界面友善。操作生成的数字签名和意见以对象方式嵌入Word文档,直观明了。
软件还应支持多人多次签名,每个签名可以在文档中的任意位置生成,完全由签名者控制。
软件避免采用宏技术,从而避免因用户禁用宏而导致软件失效。
数字签名使用的数字证书可以存储在智能卡和USB电子令牌之类的硬件设备中,这些存储介质自身有安全性高、携带方便等特点,进一步提高了系统的安全性。
在企业中,对于往来的需审批的重要文档,必须保持其安全、有效,并要求留下审批者的意见及签名,如果采用传统的方法如传真,势必造成大量的扫描文件需要存储,且不好管理,而电子签名在安全体系的保证下,将为文档管理的效率带来显著的提高。由此看来,采用先进的IT技术,能推动我们的办公无纸化进一步的向前发展。■
□张丽萍/文
电子签名并非是书面签名的数字图像化。它其实是一种电子代码,利用它,收件人便能在网上轻松验证发件人的身份和签名。它还能验证出文件的原文在传输过程中有无变动。
如果有人想通过网络把一份重要文件发送给外地的人,收件人和发件人都需要首先向一个许可证授权机构(CA)申请一份电子许可证。这份加密的证书包括了申请者在网上的公共钥匙即“公共电脑密码”,用于文件验证。
在收到加密的电子文件后,收件人使用CA发布的公共钥匙把文件解密并阅读。
电子签名立法
美国总统克林顿于2000年6月30日正式签署的《电子签名法案》是网络时代的重大立法,它使电子签名和传统方式的亲笔签名具有同等法律效力,被看作是美国迈向电子商务时代的一个重要标志。
6月30日,克林顿使用一个电子卡片在电脑荧屏上签署这项法令,而密码就是他爱犬的名字。不过,为了避免引起不必要的法律效力问题,他又按传统习惯用钢笔在法律文书上签下了自己的名字。
克林顿在签署这项法律时说:“不久以后,美国人民就可以使用带有数字签名的电子卡片做他们想要做的事情了,电子签名将会应用在各个领域之中,从聘请律师到抵押贷款,无所不能。在这项具有划时代意义的法律正式生效后,人们将可以使用电子签名签订在线合同和进行电子商务,这对于新经济的发展无疑具有巨大的推动作用。”
2000年-2001年,爱尔兰、德国、日本、波兰等国政府也先后通过各自的电子签名法案。
电子签名模式
不过,电子签名法并没有具体限定未来网上签名使用何种模式。目前美国使用的电子签名主要有三种模式。
智慧卡式。使用者拥有一个像信用卡一样的的磁卡,内储有关自己的数字信息,使用时只要在电脑扫描器上一扫,然后加入自己设定的密码即成。上面克林顿“表演”用的就是这一种。
密码式。就是使用者设定一个密码,由数字或字符组合而成。有的公司提供硬件,让使用者利用电子笔在电子板上签名后存入电脑。电子板不仅记录下了签名的形状,而且对使用者签名时用的力度、定字的速度都有记载。如有人想盗用签名,肯定会露出马脚。
生物测定式。就是以使用者的身体特征为基础,通过某种设备对使用者的指纹、面部、视网膜或眼球进行数字识别,从而确定对象是否与原使用者相同。许多公司的电脑程序实际运用的大都是将两种或三种技术结合在一起,这样可以大大提高电子签名的安全可靠性。
电子签名和加密技术
电子签名和加密技术,电子签名技术的实现需要使用到非对称加密(RSA算法)和报文摘要(HASH算法)。
非对称加密是指用户有两个密钥,一个是公钥,一个是私钥,公钥是公开的,任何人可以使用,私钥是保密的,只有用户自己可以使用。该用户可以用私钥加密信息,并传送给对方,对方可以用该用户的公钥将密文解开,对方应答时可以用该用户的公钥加密,该用户收到后可以用自己的私钥解密。公私钥是互相解密的,而且绝对不会有第三者能插进来。
报文摘要利用HASH算法对任何要传输的信息进行运算,生成128位的报文摘要,而不同内容的信息一定会生成不同的报文摘要,因此报文摘要就成了电子信息的“指纹”。
有了非对称加密技术和报文摘要技术,就可以实现对电子信息的电子签名了。
电子签名的软件应实现的功能
文档电子签名软件是一种电子盖章和文档安全系统,可以实现电子盖章(即数字签名)、文档加密、签名者身份验证等多项功能。对于签名者的身份确认、文档内容的完整性和签名不可抵赖性等问题的解决具有重要作用。
使用数字证书对Word文档进行数字签名,保证签名者的签名信息和被签名的文档不被非法篡改。签名者可以在签名时对文档签署意见,数字签名同样可以保证此意见不被篡改。
软件应嵌入Word环境,集成为应用组件,使用简便,界面友善。操作生成的数字签名和意见以对象方式嵌入Word文档,直观明了。
软件还应支持多人多次签名,每个签名可以在文档中的任意位置生成,完全由签名者控制。
软件避免采用宏技术,从而避免因用户禁用宏而导致软件失效。
数字签名使用的数字证书可以存储在智能卡和USB电子令牌之类的硬件设备中,这些存储介质自身有安全性高、携带方便等特点,进一步提高了系统的安全性。
在企业中,对于往来的需审批的重要文档,必须保持其安全、有效,并要求留下审批者的意见及签名,如果采用传统的方法如传真,势必造成大量的扫描文件需要存储,且不好管理,而电子签名在安全体系的保证下,将为文档管理的效率带来显著的提高。由此看来,采用先进的IT技术,能推动我们的办公无纸化进一步的向前发展。■
C
chenzhongshan
Unregistered / Unconfirmed
GUEST, unregistred user!
Code Signing Digital IDs for Sun Java Signing
Realizing the Possibilities of Internet Software Distribution
What Is Code Signing?
When customers buy software in a store, the source of that software is obvious. Customers can tell who published the software, and they can see whether the package has been opened. These factors enable customers to make decisions about what software to purchase and how much to "trust" those products.
When customersdo
wnload software from the Internet, the most they see is a message warning them about the dangers of using the software. The Internet lacks the subtle information provided by packaging, shelf space, and shrink-wrap. Without any assurance of the software's integrity, and without knowing who published the software, it's difficult for customers to know how much to trust softwaredo
wnloaded from the Internet.
The solution to these issues is Sun Java Object Signing coupled with VeriSign®
Code Signing Digital IDs. Object Signing, through the use of digital signatures, enables software developers to include information about themselves and their code with their software.
When customersdo
wnload software signed with a Sun Java Code Signing Digital ID issued by VeriSign, they can be assured of:
Content Source: End users can confirm that the software really comes from the publisher who signed it.
Content Integrity: End users can verify that the software has not been altered or corrupted since it was signed.
Users benefit from this software accountability because they know who published the software and that the code hasn't been tampered with. In the extreme case that software performs unacceptable or malicious activity on their computers, users can also pursue recourse against the publisher. This accountability and potential recourse serve as a strong deterrent to the distribution of harmful code.
Developers and Web masters benefit from Object Signing because it builds trust in their names and makes it more difficult to falsify their products. By signing their code, developers build a trusted relationship with users, who learn they cando
wnload software signed by that publisher or Web site with confidence. With Sun Java Signing, developers can create exciting Web pages using signed Java applets, plug-ins, or other executables. And users can make educated decisions about what software they want todo
wnload.
Who Needs a Code Signing Digital ID?
Any software publisher planning to distribute code or content over the Internet or through an extranet risks impersonation and tampering. VeriSign Code Signing Digital IDs for Sun Java Signing protect against these hazards.
VeriSign offers Code Signing Digital IDs designed for commercial software developers: companies and other organizations that publish software. This class of Digital ID provides assurance regarding an organization's identity and legitimacy, much like a business license, and is designed to represent the level of assurance provided today by retail channels for software.
Whatdo
es Object Signing Look Like to End Users?
Applications that run Java Applets and applications on the Java Runtime Environment (JRE) come with security features that recognize Object Signing. For example, when users visit a Web page that uses Java applets to provide animation or sound, their browsersdo
wnload code to their machines to achieve the desired effects. While this may provide substantial value, users run the risk ofdo
wnloading viruses or other unwanted code.
When an application running on the JRE encounters a software component that is trying to gain access to the user's machine, it automatically checks to see if there is a recognized digital signature with that software. If the code is signed with Sun Java Signing, JRE prompts the application to display a warning dialog box similar to the following:
--------------------------------------------------------------------------------
Image 1: The Java Plug-in Security Warning dialog box launched by the WebStart launcher.
The warning dialog box informs the end user:
Of the true identity of the publisher
Of the type of access requested by the software
That VeriSign has authen
ticated the identity of the code signer.
The end user can choose to grant or deny the requested privileges, or to view the Digital ID used to sign the code. The warning dialogs also provide the user with an estimated level of the risk (high, medium, or low) associated with the requested privileges and a means for viewing the details included in the software developer's Digital ID.
--------------------------------------------------------------------------------
Image 2: The Certificate Properties dialog box launched by the WebStart launcher.
Technical Background
What is a Digital ID?
A Digital ID (also known as a digital certificate or Code Signing Digital ID) is a form of electronic credential for the Internet. Similar to a drive's license, employee ID card, or business license, a Digital ID is issued by a trusted third party to establish the identity of the ID holder. The third party who issues the Digital ID is known as a Certification Authority (CA).
Digital ID technology is based on the theory of public key cryptography. In public key cryptography systems, every entity has two complementary keys—a public key and a private key—which function only when they are held together. Public keys are widely distributed to users, while private keys are kept safe and only used by their owner. Any code digitally signed with the publisher's private key, can be successfully verified only with the complementary public key. Another way to look at this is that code that is successfully verified using the publisher's public key (which is sent along with the digital signature) can only have been digitally signed using the publisher's private key (thus authen
ticating the source of the code), and has not been tampered with. For more information on public keys and private keys, please see the VeriSign white paper, "Introduction to Public Key Cryptography.")
The purpose of a Digital ID is to reliably link a public/private key pair with its owner. When a CA such as VeriSign issues Digital IDs, it verifies that the owner is not claiming a false identity. Just as when a government issues you a passport it is officially vouching for the fact that you are who you say you are, when a CA issues you a Digital ID, it is putting its name behind the statement that you are the rightful owner of your public/private key pair.
A Digital ID is valid only for the period of time specified by VeriSign. The ID contains information about its begin
ning and expiration dates. VeriSign can also revoke (cancel) any Digital ID it has issued and maintains a list of revoked Code Signing IDs. This list of revoked Code Signing Digital IDs, called a Code Signing Digital ID Revocation List (CRL), is published by VeriSign so anyone can determine the validity of any Digital ID.
Certification Authorities
Certification Authorities, such as VeriSign, are organizations that issue Digital IDs to applicants whose identities they are willing to vouch for. Each Digital ID is linked to the Code Signing Digital ID of the CA that signed it.
As the Internet's leading Certification Authority, VeriSign has the following responsibilities:
Publishing the criteria for granting, revoking, and managing Digital IDs
Granting Digital IDs to applicants who meet the published criteria
Managing Digital IDs (for example, enrolling, renewing, and revoking them)
Storing VeriSign's root keys in an exceptionally secure manner.
Verifying evidence submitted by applicants
Providing tools for enrollment
Accepting the liability associated with these responsibilities
Howdo
es Object Signing Work with VeriSign Code Signing Digital IDs?
Sun Java Signing relies on industry-standard cryptography techniques such as X.509 v3 Code Signing IDs and PKCS #7 and #10 signature standards. These well-proven cryptography protocols ensure a robust implementation of code signing technology.
Object Signing uses digital signature technology to assure users of the origin and integrity of software. In digital signatures, the private key generates the signature and the corresponding public key validates it. To save time, the Object Signing protocols use a cryptographic digest, which is a one-way hash of thedo
cument.
Note: Java Runtime Environment (JRE) version 1.3 or newer must be installed on the end user's machine.
The Code Signing Process:
Publisher creates code.
Publisher obtains a Sun Java Code Signing Digital ID from VeriSign.
Using the Java 2 Software Development Kit, the publisher:
Creates a hash of the code, using an algorithm such as MD5 or SHA
Encrypts the hash using their private key
Creates a package containing the code, the encrypted hash, and the publisher's Code Signing Digital ID
The end-user's Java Runtime Environment (JRE) encounters the package.
The end-user's JRE examines the publisher's Code Signing Digital ID. Using the VeriSign root public key that is already embedded in the end-user JRE trusted root store, the end-user JRE verifies the authen
ticity of the Code Signing Digital ID (which is itself signed by the VeriSign root private key).
Using the publisher's public key contained within the publisher's Digital ID, the end-user JRE decrypts the signed hash.
The end-user JRE runs the code through the same hashing algorithm as the publisher, creating a new hash.
The end-user JRE compares the two hashes. If they are identical, the JRE sends a message stating that the content has been verified by VeriSign. The end user is assured that the code was signed by the publisher identified in the Digital ID and that the code hasn't been altered since it was signed.
--------------------------------------------------------------------------------
Image 3: Verifying the Code Signing Digital ID on the end user's computer.
The entire process is transparent to end users, who see only a message that the content was signed by its publisher and verified by VeriSign.
The Six Steps to Signing Code
These instructions provide an overview of obtaining and using Sun Java Signing and a Code Signing Digital ID from VeriSign.
Step 1:do
wnload the Java 2 Software Development Kit (SDK).
The Java2 SDK for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms is available free of charge from java.sun.com.
You will be using the following tools to apply for your Code Signing Digital ID and sign your code: keytool, jar, and jarsigner.
Step 2: Generate a public/private key pair.
Enter the following code, specifying an alias for your keystore, to generate a public/private key pair.
C:/>C:/jdk1.3/bin/keytool -genkey -keyalg rsa -alias MyCert
--------------------------------------------------------------------------------
In this string, the keystore alias is MyCert.
Keytool responds with prompts to enter a password for your keystore, your name, organization, and address information. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and Applications.
Note: Your private key is never sent to VeriSign, so if you lose it, you will be unable to sign code. If your private key is lost or stolen, please contact VeriSign to cancel your Code Signing Digital ID.
Step 3: Generate a Code Signing Digital ID Signing Request (CSR).
Enter the following code to generate a CSR:
C:/>C:/jdk1.3/bin/keytool -certreq -alias MyCert
--------------------------------------------------------------------------------
In this string, keytool is requested to create a CSR for the key pair in the keystore MyCert.
After prompting you to enter the password for your keystore, keytool will generate a CSR.
-----begin
NEW CODE SIGNING ID REQUEST-----
MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwE
AYDVQQHEwlDdXBlcnRpbm8xGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbX
MxFjAUBgNVBAsTDUphdmEgU29mdHdhcmUxEzARBgNVBAMTClN0YW5sZXk
gSG8wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTgU8PovA4y59eb
oPjY65BwCSc/zPqtOZKJlaW4WP+UhmebE+T2Mho7P5zXjGf7elo3tV5uI
3vzgGfnhgpf73EoMow8EJhly4w/YsXKqeJEqqvNogzAD+qUv7Ld6dLOv0
CO5qvpmBAO6mfaI1XAgx/4xU/6009jVQe0TgIoocB5AgMBAAGgADANBgk
qhkiG9w0BAQQFAAOBgQAWmLrkifKiUYtd4ykhBtPWSwW/IKkgyfIuNMML
dF1DH8neSnXf3ZLI32f2yXvs7u3/xn6chnTXh4HYCJoGYOAbB3WNbAoQR
i6u6TLLOvgv9pMNUo6v1qB0xly1faizjimVYBwLhOenkA3Bw7S8UIVfdv
84cO9dFUGcr/Pfrl3GtQ==
-----END NEW CODE SIGNING ID REQUEST-----
--------------------------------------------------------------------------------
This string is an example of a CSR generated using keytool. A CSR contains a copy of the requestor's public key and a hash of the data entered in step 2 signed with the requestor's private key.
Copy the CSR and paste it into the VeriSign Sun Java Signing Digital ID application form, accessible at http://www.verisign.com/products/signing/index.html.
When your request is approved, VeriSign will attach your Sun Java Code Signing Digital ID to your confirmation e-mail.
Upon receipt, the attached Code Signing Digital ID is saved to a file on your computer.
A Code Signing Digital ID is a "trust path" or "chain" back to the VeriSign root certificate. This "trust path" allows your code to be validated on any standard JRE without installing any additional files.
Note: VeriSign takes a number of steps to verify your identity. For commercial publishers, VeriSigndo
es a considerable amount deal of background checking. As a result, it will take approximately 3-5 business days to verify your information and issue a Code Signing Digital ID.
Step 4: Import your Sun Java Signing Code Signing Digital ID.
Enter the following code, with the path to your Code Signing Digital ID, to import the chain into your keystore.
C:/>C:/jdk1.3/bin/keytool -import -alias MyCert -file VSSStanleyNew.cer
--------------------------------------------------------------------------------
In this string, keytool is requested to import the Code Signing Digital ID "VSSStanleyNew.cer" into the keystore MyCert.
Step 5: Bundle your applet into a JAR file.
Use jar to bundle your Applets or applications as a JAR file.
C:>C:/jdk1.3/bin/jar cvf C:/TestApplet.jar .
--------------------------------------------------------------------------------
This string creates a JAR file C:/TestApplet.jar. The JAR file contains all the files under the current directory and its sub-directories.
Jar responds with:
added manifest
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)
Step 6: Sign your applet.
Use jarsigner to sign the JAR file, using the private key you saved in your keystore.
C:/>C:/jdk1.3/bin/jarsigner C:/TestApplet.jar MyCert
At the prompt, enter the password to your keystore.
Jarsigner hashes your Applet or Application, and stores the hash in the JAR file created in step 5 with a copy of your Code Signing Digital ID.
Verify the output of your signed JAR file.
C:>C:/jdk1.3/bin/jarsigner -verify -verbose -certs d:/TestApplet.jar
--------------------------------------------------------------------------------
This string verifies that the files have been saved to the JAR file and that the signature is correct.
When the signed JAR file isdo
wnloaded, the Java Runtime Environment will display your Digital ID to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.
For more in-depth instructions on the use of the Java 2 Software Development Kit, please see the JavaTM 2 Platform, Standard Edition, v 1.3do
cumentation, available at http://www.javasoft.com/j2se/1.3/docs.html.
Conclusion
Sun Microsystems and VeriSign are committed to making the Internet a secure and viable platform for commerce and the distribution of content. With Sun Java Object Signing and a VeriSign Code Signing ID, your code will be as safe and trustworthy to your customers as it would be if you shrink-wrapped it and sold it off a store shelf.
For more information about VeriSign Code Signing Digital IDs for Sun Java Signing, including pricing, availability, and Frequently Asked Questions, please visit www.verisign.com/developers.
Realizing the Possibilities of Internet Software Distribution
What Is Code Signing?
When customers buy software in a store, the source of that software is obvious. Customers can tell who published the software, and they can see whether the package has been opened. These factors enable customers to make decisions about what software to purchase and how much to "trust" those products.
When customersdo
wnload software from the Internet, the most they see is a message warning them about the dangers of using the software. The Internet lacks the subtle information provided by packaging, shelf space, and shrink-wrap. Without any assurance of the software's integrity, and without knowing who published the software, it's difficult for customers to know how much to trust softwaredo
wnloaded from the Internet.
The solution to these issues is Sun Java Object Signing coupled with VeriSign®
Code Signing Digital IDs. Object Signing, through the use of digital signatures, enables software developers to include information about themselves and their code with their software.
When customersdo
wnload software signed with a Sun Java Code Signing Digital ID issued by VeriSign, they can be assured of:
Content Source: End users can confirm that the software really comes from the publisher who signed it.
Content Integrity: End users can verify that the software has not been altered or corrupted since it was signed.
Users benefit from this software accountability because they know who published the software and that the code hasn't been tampered with. In the extreme case that software performs unacceptable or malicious activity on their computers, users can also pursue recourse against the publisher. This accountability and potential recourse serve as a strong deterrent to the distribution of harmful code.
Developers and Web masters benefit from Object Signing because it builds trust in their names and makes it more difficult to falsify their products. By signing their code, developers build a trusted relationship with users, who learn they cando
wnload software signed by that publisher or Web site with confidence. With Sun Java Signing, developers can create exciting Web pages using signed Java applets, plug-ins, or other executables. And users can make educated decisions about what software they want todo
wnload.
Who Needs a Code Signing Digital ID?
Any software publisher planning to distribute code or content over the Internet or through an extranet risks impersonation and tampering. VeriSign Code Signing Digital IDs for Sun Java Signing protect against these hazards.
VeriSign offers Code Signing Digital IDs designed for commercial software developers: companies and other organizations that publish software. This class of Digital ID provides assurance regarding an organization's identity and legitimacy, much like a business license, and is designed to represent the level of assurance provided today by retail channels for software.
Whatdo
es Object Signing Look Like to End Users?
Applications that run Java Applets and applications on the Java Runtime Environment (JRE) come with security features that recognize Object Signing. For example, when users visit a Web page that uses Java applets to provide animation or sound, their browsersdo
wnload code to their machines to achieve the desired effects. While this may provide substantial value, users run the risk ofdo
wnloading viruses or other unwanted code.
When an application running on the JRE encounters a software component that is trying to gain access to the user's machine, it automatically checks to see if there is a recognized digital signature with that software. If the code is signed with Sun Java Signing, JRE prompts the application to display a warning dialog box similar to the following:
--------------------------------------------------------------------------------
Image 1: The Java Plug-in Security Warning dialog box launched by the WebStart launcher.
The warning dialog box informs the end user:
Of the true identity of the publisher
Of the type of access requested by the software
That VeriSign has authen
ticated the identity of the code signer.
The end user can choose to grant or deny the requested privileges, or to view the Digital ID used to sign the code. The warning dialogs also provide the user with an estimated level of the risk (high, medium, or low) associated with the requested privileges and a means for viewing the details included in the software developer's Digital ID.
--------------------------------------------------------------------------------
Image 2: The Certificate Properties dialog box launched by the WebStart launcher.
Technical Background
What is a Digital ID?
A Digital ID (also known as a digital certificate or Code Signing Digital ID) is a form of electronic credential for the Internet. Similar to a drive's license, employee ID card, or business license, a Digital ID is issued by a trusted third party to establish the identity of the ID holder. The third party who issues the Digital ID is known as a Certification Authority (CA).
Digital ID technology is based on the theory of public key cryptography. In public key cryptography systems, every entity has two complementary keys—a public key and a private key—which function only when they are held together. Public keys are widely distributed to users, while private keys are kept safe and only used by their owner. Any code digitally signed with the publisher's private key, can be successfully verified only with the complementary public key. Another way to look at this is that code that is successfully verified using the publisher's public key (which is sent along with the digital signature) can only have been digitally signed using the publisher's private key (thus authen
ticating the source of the code), and has not been tampered with. For more information on public keys and private keys, please see the VeriSign white paper, "Introduction to Public Key Cryptography.")
The purpose of a Digital ID is to reliably link a public/private key pair with its owner. When a CA such as VeriSign issues Digital IDs, it verifies that the owner is not claiming a false identity. Just as when a government issues you a passport it is officially vouching for the fact that you are who you say you are, when a CA issues you a Digital ID, it is putting its name behind the statement that you are the rightful owner of your public/private key pair.
A Digital ID is valid only for the period of time specified by VeriSign. The ID contains information about its begin
ning and expiration dates. VeriSign can also revoke (cancel) any Digital ID it has issued and maintains a list of revoked Code Signing IDs. This list of revoked Code Signing Digital IDs, called a Code Signing Digital ID Revocation List (CRL), is published by VeriSign so anyone can determine the validity of any Digital ID.
Certification Authorities
Certification Authorities, such as VeriSign, are organizations that issue Digital IDs to applicants whose identities they are willing to vouch for. Each Digital ID is linked to the Code Signing Digital ID of the CA that signed it.
As the Internet's leading Certification Authority, VeriSign has the following responsibilities:
Publishing the criteria for granting, revoking, and managing Digital IDs
Granting Digital IDs to applicants who meet the published criteria
Managing Digital IDs (for example, enrolling, renewing, and revoking them)
Storing VeriSign's root keys in an exceptionally secure manner.
Verifying evidence submitted by applicants
Providing tools for enrollment
Accepting the liability associated with these responsibilities
Howdo
es Object Signing Work with VeriSign Code Signing Digital IDs?
Sun Java Signing relies on industry-standard cryptography techniques such as X.509 v3 Code Signing IDs and PKCS #7 and #10 signature standards. These well-proven cryptography protocols ensure a robust implementation of code signing technology.
Object Signing uses digital signature technology to assure users of the origin and integrity of software. In digital signatures, the private key generates the signature and the corresponding public key validates it. To save time, the Object Signing protocols use a cryptographic digest, which is a one-way hash of thedo
cument.
Note: Java Runtime Environment (JRE) version 1.3 or newer must be installed on the end user's machine.
The Code Signing Process:
Publisher creates code.
Publisher obtains a Sun Java Code Signing Digital ID from VeriSign.
Using the Java 2 Software Development Kit, the publisher:
Creates a hash of the code, using an algorithm such as MD5 or SHA
Encrypts the hash using their private key
Creates a package containing the code, the encrypted hash, and the publisher's Code Signing Digital ID
The end-user's Java Runtime Environment (JRE) encounters the package.
The end-user's JRE examines the publisher's Code Signing Digital ID. Using the VeriSign root public key that is already embedded in the end-user JRE trusted root store, the end-user JRE verifies the authen
ticity of the Code Signing Digital ID (which is itself signed by the VeriSign root private key).
Using the publisher's public key contained within the publisher's Digital ID, the end-user JRE decrypts the signed hash.
The end-user JRE runs the code through the same hashing algorithm as the publisher, creating a new hash.
The end-user JRE compares the two hashes. If they are identical, the JRE sends a message stating that the content has been verified by VeriSign. The end user is assured that the code was signed by the publisher identified in the Digital ID and that the code hasn't been altered since it was signed.
--------------------------------------------------------------------------------
Image 3: Verifying the Code Signing Digital ID on the end user's computer.
The entire process is transparent to end users, who see only a message that the content was signed by its publisher and verified by VeriSign.
The Six Steps to Signing Code
These instructions provide an overview of obtaining and using Sun Java Signing and a Code Signing Digital ID from VeriSign.
Step 1:do
wnload the Java 2 Software Development Kit (SDK).
The Java2 SDK for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms is available free of charge from java.sun.com.
You will be using the following tools to apply for your Code Signing Digital ID and sign your code: keytool, jar, and jarsigner.
Step 2: Generate a public/private key pair.
Enter the following code, specifying an alias for your keystore, to generate a public/private key pair.
C:/>C:/jdk1.3/bin/keytool -genkey -keyalg rsa -alias MyCert
--------------------------------------------------------------------------------
In this string, the keystore alias is MyCert.
Keytool responds with prompts to enter a password for your keystore, your name, organization, and address information. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and Applications.
Note: Your private key is never sent to VeriSign, so if you lose it, you will be unable to sign code. If your private key is lost or stolen, please contact VeriSign to cancel your Code Signing Digital ID.
Step 3: Generate a Code Signing Digital ID Signing Request (CSR).
Enter the following code to generate a CSR:
C:/>C:/jdk1.3/bin/keytool -certreq -alias MyCert
--------------------------------------------------------------------------------
In this string, keytool is requested to create a CSR for the key pair in the keystore MyCert.
After prompting you to enter the password for your keystore, keytool will generate a CSR.
-----begin
NEW CODE SIGNING ID REQUEST-----
MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwE
AYDVQQHEwlDdXBlcnRpbm8xGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbX
MxFjAUBgNVBAsTDUphdmEgU29mdHdhcmUxEzARBgNVBAMTClN0YW5sZXk
gSG8wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTgU8PovA4y59eb
oPjY65BwCSc/zPqtOZKJlaW4WP+UhmebE+T2Mho7P5zXjGf7elo3tV5uI
3vzgGfnhgpf73EoMow8EJhly4w/YsXKqeJEqqvNogzAD+qUv7Ld6dLOv0
CO5qvpmBAO6mfaI1XAgx/4xU/6009jVQe0TgIoocB5AgMBAAGgADANBgk
qhkiG9w0BAQQFAAOBgQAWmLrkifKiUYtd4ykhBtPWSwW/IKkgyfIuNMML
dF1DH8neSnXf3ZLI32f2yXvs7u3/xn6chnTXh4HYCJoGYOAbB3WNbAoQR
i6u6TLLOvgv9pMNUo6v1qB0xly1faizjimVYBwLhOenkA3Bw7S8UIVfdv
84cO9dFUGcr/Pfrl3GtQ==
-----END NEW CODE SIGNING ID REQUEST-----
--------------------------------------------------------------------------------
This string is an example of a CSR generated using keytool. A CSR contains a copy of the requestor's public key and a hash of the data entered in step 2 signed with the requestor's private key.
Copy the CSR and paste it into the VeriSign Sun Java Signing Digital ID application form, accessible at http://www.verisign.com/products/signing/index.html.
When your request is approved, VeriSign will attach your Sun Java Code Signing Digital ID to your confirmation e-mail.
Upon receipt, the attached Code Signing Digital ID is saved to a file on your computer.
A Code Signing Digital ID is a "trust path" or "chain" back to the VeriSign root certificate. This "trust path" allows your code to be validated on any standard JRE without installing any additional files.
Note: VeriSign takes a number of steps to verify your identity. For commercial publishers, VeriSigndo
es a considerable amount deal of background checking. As a result, it will take approximately 3-5 business days to verify your information and issue a Code Signing Digital ID.
Step 4: Import your Sun Java Signing Code Signing Digital ID.
Enter the following code, with the path to your Code Signing Digital ID, to import the chain into your keystore.
C:/>C:/jdk1.3/bin/keytool -import -alias MyCert -file VSSStanleyNew.cer
--------------------------------------------------------------------------------
In this string, keytool is requested to import the Code Signing Digital ID "VSSStanleyNew.cer" into the keystore MyCert.
Step 5: Bundle your applet into a JAR file.
Use jar to bundle your Applets or applications as a JAR file.
C:>C:/jdk1.3/bin/jar cvf C:/TestApplet.jar .
--------------------------------------------------------------------------------
This string creates a JAR file C:/TestApplet.jar. The JAR file contains all the files under the current directory and its sub-directories.
Jar responds with:
added manifest
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)
Step 6: Sign your applet.
Use jarsigner to sign the JAR file, using the private key you saved in your keystore.
C:/>C:/jdk1.3/bin/jarsigner C:/TestApplet.jar MyCert
At the prompt, enter the password to your keystore.
Jarsigner hashes your Applet or Application, and stores the hash in the JAR file created in step 5 with a copy of your Code Signing Digital ID.
Verify the output of your signed JAR file.
C:>C:/jdk1.3/bin/jarsigner -verify -verbose -certs d:/TestApplet.jar
--------------------------------------------------------------------------------
This string verifies that the files have been saved to the JAR file and that the signature is correct.
When the signed JAR file isdo
wnloaded, the Java Runtime Environment will display your Digital ID to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.
For more in-depth instructions on the use of the Java 2 Software Development Kit, please see the JavaTM 2 Platform, Standard Edition, v 1.3do
cumentation, available at http://www.javasoft.com/j2se/1.3/docs.html.
Conclusion
Sun Microsystems and VeriSign are committed to making the Internet a secure and viable platform for commerce and the distribution of content. With Sun Java Object Signing and a VeriSign Code Signing ID, your code will be as safe and trustworthy to your customers as it would be if you shrink-wrapped it and sold it off a store shelf.
For more information about VeriSign Code Signing Digital IDs for Sun Java Signing, including pricing, availability, and Frequently Asked Questions, please visit www.verisign.com/developers.
C
chenzhongshan
Unregistered / Unconfirmed
GUEST, unregistred user!
package com.mainet.security.mercury.target;
import java.security.Signature;
import java.security.SignatureException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Provider;
import java.io.*;
import sun.misc.*;
/**
* 仅用于测试,不属于工程的一部分
* <p>Title: </p>
* <p>Description: </p>
* <p>Copyright: Copyright (c) 2002</p>
* <p>Company: </p>
* @author unascribed
* @version 1.0
*/
public class TestSign {
public static void main(String[] args)throws Exception{
/**
* get the RSA KeyPair;1024;
*/
//------------------------generate key pairs-------------------------
// System.out.println("Generating RSA key pair.");
// KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
// kpg.initialize(1024);
// KeyPair keyPair = kpg.genKeyPair();
// System.out.println("Done generator");
System.out.println("Now generating RSA key pair ....");
try{
Provider provider = (Provider)Class.forName("au.net.aba.crypto.provider.ABAProvider").newInstance();
Security.addProvider(provider);
}
catch(ClassNotFoundException classnotfoundexception){
}
catch(InstantiationException instantiationexception){
}
catch(IllegalAccessException illegalaccessexception){
}
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
// SecureRandom secureRandom = SecureRandom.getInstance("SHA1withRSA");
// OOP-Research 中规定
kpg.initialize(1024);
KeyPair keyPair = kpg.genKeyPair();
System.out.println("Nowdo
ne generating key pair...");
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();
//-------------------------写入硬盘, 写入public key------------------
ObjectOutputStream objectoutputstream = new ObjectOutputStream(new FileOutputStream("d:/public.keystore"));
objectoutputstream.writeObject(publicKey);
objectoutputstream.flush();
objectoutputstream.close();
//再次写入硬盘
// this.private_key.put(s,privateKey);
// this.private_key_date.put(s,Calendar.getInstance().getTime());
// this.public_key.put(s,publicKey);
// this.public_key_date.put(s,Calendar.getInstance().getTime());
//------------------------generate key pairs--------------------------
File file = new File("D:/cc.txt");
//输入文件流
FileInputStream fileInputStream = new FileInputStream(file);
//由于存放的是二进制的文件流,所以可以使用ByteArrayOutputStream来转换,转换为
//二进制的文件流
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
//使用i来标志读入的字符是否为回车符号
//由于需要写入字符到bytearrayoutputstream中,故,每次读入1个byte
for(int i = 1;
i != -1
{
byte newByte[] = new byte[1];
i = fileInputStream.read(newByte, 0, 1);
if(i != -1)
byteArrayOutputStream.write(newByte);
}
//关闭流
fileInputStream.close();
//取得二进制的文件内容,使用byteArrayOutputStream输入
byte [] data = byteArrayOutputStream.toByteArray();
//关闭流
byteArrayOutputStream.close();
// byte[] data = textToTest.toString().getBytes();
//get the
//------------------------------OOP-Research
// Signature signature = Signature.getInstance(getSignAlg(), key_prov);
// signature.initSign(privatekey);
//00--research
Signature sig = Signature.getInstance("MD5WithRSA","ABA");
TestSignature ss = new TestSignature();
ss.setSignature(data);
objectoutputstream = new ObjectOutputStream(new FileOutputStream("d:/signature.signature"));
objectoutputstream.writeObject(ss);
objectoutputstream.flush();
objectoutputstream.close();
sig.initSign(privateKey);
sig.update(data);
byte[] signatureBytes = sig.sign();
// System.out.println("/nSignature:/n"+new BASE64Encoder().encode(signatureBytes));
//读出硬盘,读出public key
FileInputStream fileinputstream = new FileInputStream("d:/public.keystore");
ObjectInputStream objectinputstream = new ObjectInputStream(fileinputstream);
publicKey = (PublicKey)objectinputstream.readObject();
objectinputstream.close();
//读出硬盘
fileinputstream = new FileInputStream("d:/signature.signature");
objectinputstream = new ObjectInputStream(fileinputstream);
ss = (TestSignature)objectinputstream.readObject();
objectinputstream.close();
data = ss.getSignature();
sig = Signature.getInstance("MD5WithRSA","ABA");
sig.initVerify(publicKey);
sig.update(data);
boolean verified = false;
try{
verified = sig.verify(signatureBytes);
}catch(SignatureException se){
verified =false;
}
if(verified){
System.out.println("/nSignature verified.");
}else
{
System.out.println("/n Signature did not verified");
}
}
}
import java.security.Signature;
import java.security.SignatureException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Provider;
import java.io.*;
import sun.misc.*;
/**
* 仅用于测试,不属于工程的一部分
* <p>Title: </p>
* <p>Description: </p>
* <p>Copyright: Copyright (c) 2002</p>
* <p>Company: </p>
* @author unascribed
* @version 1.0
*/
public class TestSign {
public static void main(String[] args)throws Exception{
/**
* get the RSA KeyPair;1024;
*/
//------------------------generate key pairs-------------------------
// System.out.println("Generating RSA key pair.");
// KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
// kpg.initialize(1024);
// KeyPair keyPair = kpg.genKeyPair();
// System.out.println("Done generator");
System.out.println("Now generating RSA key pair ....");
try{
Provider provider = (Provider)Class.forName("au.net.aba.crypto.provider.ABAProvider").newInstance();
Security.addProvider(provider);
}
catch(ClassNotFoundException classnotfoundexception){
}
catch(InstantiationException instantiationexception){
}
catch(IllegalAccessException illegalaccessexception){
}
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
// SecureRandom secureRandom = SecureRandom.getInstance("SHA1withRSA");
// OOP-Research 中规定
kpg.initialize(1024);
KeyPair keyPair = kpg.genKeyPair();
System.out.println("Nowdo
ne generating key pair...");
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();
//-------------------------写入硬盘, 写入public key------------------
ObjectOutputStream objectoutputstream = new ObjectOutputStream(new FileOutputStream("d:/public.keystore"));
objectoutputstream.writeObject(publicKey);
objectoutputstream.flush();
objectoutputstream.close();
//再次写入硬盘
// this.private_key.put(s,privateKey);
// this.private_key_date.put(s,Calendar.getInstance().getTime());
// this.public_key.put(s,publicKey);
// this.public_key_date.put(s,Calendar.getInstance().getTime());
//------------------------generate key pairs--------------------------
File file = new File("D:/cc.txt");
//输入文件流
FileInputStream fileInputStream = new FileInputStream(file);
//由于存放的是二进制的文件流,所以可以使用ByteArrayOutputStream来转换,转换为
//二进制的文件流
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
//使用i来标志读入的字符是否为回车符号
//由于需要写入字符到bytearrayoutputstream中,故,每次读入1个byte
for(int i = 1;
i != -1
{byte newByte[] = new byte[1];
i = fileInputStream.read(newByte, 0, 1);
if(i != -1)
byteArrayOutputStream.write(newByte);
}
//关闭流
fileInputStream.close();
//取得二进制的文件内容,使用byteArrayOutputStream输入
byte [] data = byteArrayOutputStream.toByteArray();
//关闭流
byteArrayOutputStream.close();
// byte[] data = textToTest.toString().getBytes();
//get the
//------------------------------OOP-Research
// Signature signature = Signature.getInstance(getSignAlg(), key_prov);
// signature.initSign(privatekey);
//00--research
Signature sig = Signature.getInstance("MD5WithRSA","ABA");
TestSignature ss = new TestSignature();
ss.setSignature(data);
objectoutputstream = new ObjectOutputStream(new FileOutputStream("d:/signature.signature"));
objectoutputstream.writeObject(ss);
objectoutputstream.flush();
objectoutputstream.close();
sig.initSign(privateKey);
sig.update(data);
byte[] signatureBytes = sig.sign();
// System.out.println("/nSignature:/n"+new BASE64Encoder().encode(signatureBytes));
//读出硬盘,读出public key
FileInputStream fileinputstream = new FileInputStream("d:/public.keystore");
ObjectInputStream objectinputstream = new ObjectInputStream(fileinputstream);
publicKey = (PublicKey)objectinputstream.readObject();
objectinputstream.close();
//读出硬盘
fileinputstream = new FileInputStream("d:/signature.signature");
objectinputstream = new ObjectInputStream(fileinputstream);
ss = (TestSignature)objectinputstream.readObject();
objectinputstream.close();
data = ss.getSignature();
sig = Signature.getInstance("MD5WithRSA","ABA");
sig.initVerify(publicKey);
sig.update(data);
boolean verified = false;
try{
verified = sig.verify(signatureBytes);
}catch(SignatureException se){
verified =false;
}
if(verified){
System.out.println("/nSignature verified.");
}else
{
System.out.println("/n Signature did not verified");
}
}
}
C
chenzhongshan
Unregistered / Unconfirmed
GUEST, unregistred user!
package com.mainet.security.mercury.target;
import java.io.Serializable;
/**
* 仅用于测试,不属于工程的一部分
* <p>Title: </p>
* <p>Description: </p>
* <p>Copyright: Copyright (c) 2002</p>
* <p>Company: </p>
* @author unascribed
* @version 1.0
*/
public class TestSignature implements java.io.Serializable {
private byte[] signature;
public TestSignature() {
}
public byte[] getSignature() {
return signature;
}
public void setSignature(byte[] signature) {
this.signature = signature;
}
}
import java.io.Serializable;
/**
* 仅用于测试,不属于工程的一部分
* <p>Title: </p>
* <p>Description: </p>
* <p>Copyright: Copyright (c) 2002</p>
* <p>Company: </p>
* @author unascribed
* @version 1.0
*/
public class TestSignature implements java.io.Serializable {
private byte[] signature;
public TestSignature() {
}
public byte[] getSignature() {
return signature;
}
public void setSignature(byte[] signature) {
this.signature = signature;
}
}
C
chenzhongshan
Unregistered / Unconfirmed
GUEST, unregistred user!
以上是两个小例子
上面的文章是从其他地方找到的,比较经典,我在这里感谢作者[
]
上面的文章是从其他地方找到的,比较经典,我在这里感谢作者[
]
O
only you
Unregistered / Unconfirmed
GUEST, unregistred user!
接受答案了.
