java.security
Class SignedObject

java.lang.Object
  extended by java.security.SignedObject
All Implemented Interfaces:
Serializable

public final class SignedObject
extends Object
implements Serializable

SignedObject is used for storing runtime objects whose integrity cannot be compromised without being detected.

SignedObject contains a Serializable object which is yet to be signed and a digital signature of that object.

The signed copy is a "deep copy" (in serialized form) of an original object. Any changes to that original instance are not reflected in the enclosed copy inside this SignedObject.

Several things to note are that, first there is no need to initialize the signature engine as this class will handle that automatically. Second, verification will only succeed if the public key corresponds to the private key used to generate the digital signature inside this SignedObject.

For fexibility, the signature engine can be specified in the constructor or the verify() method. Programmers wishing to verify SignedObjects should be aware of the Signature engine they use. A malicious or flawed Signature implementation may always return true on verification thus circumventing the intended secrity check provided by the SignedObject.

The GNU security provider offers an implementation of the standard NIST DSA which uses "DSA" and "SHA-1". It can be specified by "SHA/DSA", "SHA-1/DSA" or its OID. If the RSA signature algorithm is provided then it could be "MD2/RSA". "MD5/RSA", or "SHA-1/RSA". The algorithm must be specified because there is no default.

Since:
1.2
See Also:
Signature, Serialized Form

Constructor Summary
SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine)
          Constructs a new instance of SignedObject from a Serializable object.
 
Method Summary
 String getAlgorithm()
          Returns the name of the signature algorithm.
 Object getObject()
          Returns the encapsulated object.
 byte[] getSignature()
          Returns the signature bytes of the encapsulated object.
 boolean verify(PublicKey verificationKey, Signature verificationEngine)
          Verifies the encapsulated digital signature by checking that it was generated by the owner of a designated public key.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SignedObject

public SignedObject(Serializable object,
                    PrivateKey signingKey,
                    Signature signingEngine)
             throws IOException,
                    InvalidKeyException,
                    SignatureException
Constructs a new instance of SignedObject from a Serializable object. The object is signed with a designated private key and a signature engine.

Parameters:
object - the object to sign.
signingKey - the key to use.
signingEngine - the signature engine to use.
Throws:
IOException - if a serialization error occurred.
InvalidKeyException - if the key is invalid.
SignatureException - if a signing error occurs.
Method Detail

getObject

public Object getObject()
                 throws IOException,
                        ClassNotFoundException
Returns the encapsulated object. The object is de-serialized before being returned.

Returns:
the encapsulated object.
Throws:
IOException - if a de-serialization error occurs.
ClassNotFoundException - if the encapsulated object's class was not found.

getSignature

public byte[] getSignature()
Returns the signature bytes of the encapsulated object.

Returns:
the signature bytes of the encapsulated object.

getAlgorithm

public String getAlgorithm()
Returns the name of the signature algorithm.

Returns:
the name of the signature algorithm.

verify

public boolean verify(PublicKey verificationKey,
                      Signature verificationEngine)
               throws InvalidKeyException,
                      SignatureException
Verifies the encapsulated digital signature by checking that it was generated by the owner of a designated public key.

Parameters:
verificationKey - the public key to use.
verificationEngine - the signature engine to use.
Returns:
true if signature is correct, false otherwise.
Throws:
InvalidKeyException - if the key is invalid.
SignatureException - if verification fails.