[YBA] sign a jar without Java?
Jonathan Ben Avraham
yba at tkos.co.il
Sun Oct 23 00:16:33 IST 2011
Hi Shachar,
So far I have managed to write a C program using libarchive and the
OpenSSL libcrypto API that creates a jarfile with the exact same manifest
and .SF as jarfile does - I can reproduce the exact same MD5 or SHA1
hashes. I made my own CA and signed the "JETTY.SF" file but jarsigner
verification fails when it finds a DER encoding that it cannot handle in
the signature. The signature looks identical to the signature produced by
jarsigner when viewed with openssl pkcs7 -inform DER -in JETTY.RSA
-print_certs -text. I instrumented my own build of openjdk to find exactly
where the problem happens. At this point in the game I either have to find
someone who knows the "secret" or I am going to have to get serious about
understanding the jar verification at the binary (DER) level. AFAIK no one
has published a C/C++ jarsigner equivalent.
- yba
On Sat, 22 Oct 2011, Shachar Shemesh wrote:
> Date: Sat, 22 Oct 2011 23:55:00 +0200
> From: Shachar Shemesh <shachar at shemesh.biz>
> To: linux-il at cs.huji.ac.il
> Subject: Re: [YBA] sign a jar without Java?
>
> On 10/22/2011 11:15 PM, Jonathan Ben Avraham wrote:
> > Dear Linux-IL colleagues,
> > Anyone know how to create a signature for a jarfile manifest using OpenSSL (or anything other
> > than Java security tools) that Jarsigner will verify?
> > Shavua tov,
> >
> > - yba
>
>
> Not only do I NOT know how to do that, I don't even know how to verify the signature myself. The hashes
> claim to be MD5 (or whatever other standard hashing algorithm), but an MD5 of the signed files does not
> yield the same hash. I have no idea what is, in fact, signed there.
>
> If you can calculate the hash, I may be able to help you with the actual signature, however.
>
> Shachar
>
>
--
EE 77 7F 30 4A 64 2E C5 83 5F E7 49 A6 82 29 BA ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- yba at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
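An added illustration, not code from either poster or from jarsigner: under the JAR file specification, MANIFEST.MF carries the Base64 digest of each file's content, while the .SF file carries Base64 digests of the manifest's own bytes (the whole manifest, its main section, and each per-entry section including its trailing blank line). The file name `hello.txt`, its content, and the helper names are assumptions made for the example; SHA1 is used because the thread mentions it.

```python
import base64
import hashlib

CRLF = b"\r\n"

def b64_sha1(data: bytes) -> str:
    """JAR digests are Base64 of the raw hash bytes, not hex strings."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def attr(key: str, value: str) -> bytes:
    """One 'Key: value' line (short values only; no 72-byte line wrapping)."""
    return f"{key}: {value}".encode("utf-8") + CRLF

def build_manifest(files: dict) -> tuple:
    """Return (main_section, {name: entry_section}) for MANIFEST.MF.

    Every section ends with a blank line, and that blank line is part of
    the bytes digested later for the .SF file.
    """
    main = attr("Manifest-Version", "1.0") + CRLF
    sections = {
        name: attr("Name", name) + attr("SHA1-Digest", b64_sha1(content)) + CRLF
        for name, content in files.items()
    }
    return main, sections

def build_sf(main: bytes, sections: dict) -> bytes:
    """Build the .SF body: digests of manifest bytes, not of the files."""
    manifest = main + b"".join(sections.values())
    out = (attr("Signature-Version", "1.0")
           + attr("SHA1-Digest-Manifest-Main-Attributes", b64_sha1(main))
           + attr("SHA1-Digest-Manifest", b64_sha1(manifest))
           + CRLF)
    for name, section in sections.items():
        out += attr("Name", name) + attr("SHA1-Digest", b64_sha1(section)) + CRLF
    return out

# Constructed sample input: one archive member with three bytes of content.
FILES = {"hello.txt": b"abc"}

if __name__ == "__main__":
    main_section, entry_sections = build_manifest(FILES)
    print((main_section + b"".join(entry_sections.values())).decode())
    print(build_sf(main_section, entry_sections).decode())
```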