Hi Shachar,
So far I have managed to write a C program using libarchive and the OpenSSL libcrypto API that creates a jarfile with the exact same manifest and .SF as jarfile does - I can reproduce the exact same MD5 or SHA1 hashes. I made my own CA and signed the "JETTY.SF" file but jarsigner verification fails when it finds a DER encoding that it cannot handle in the signature. The signature looks identical to the signature produced by jarsigner when viewed with openssl pkcs7 -inform DER -in JETTY.RSA -print_certs -text. I instrumented my own build of openjdk to find exactly where the problem happens. At this point in the game I either have to find someone who knows the "secret" or I am going to have to get serious about understanding the jar verification at the binary (DER) level. AFAIK no one has published a C/C++ jarsigner equivalent.

 - yba



On Sat, 22 Oct 2011, Shachar Shemesh wrote:

Date: Sat, 22 Oct 2011 23:55:00 +0200
From: Shachar Shemesh <[email protected]>
To: [email protected]
Subject: Re: [YBA] sign a jar without Java?

On 10/22/2011 11:15 PM, Jonathan Ben Avraham wrote:
      Dear Linux-IL colleagues,
      Anyone know how to create a signature for a jarfile manifest using OpenSSL (or anything other
      than Java security tools) that Jarsigner will verify?
      Shavua tov,

       - yba


Not only do I NOT know how to do that, I don't even know how to verify the signature myself. The hashes
claim to be MD5 (or whatever other standard hashing algorithm), but an MD5 of the signed files does not
yield the same hash. I have no idea what is, in fact, signed there.

If you can calculate the hash, I may be able to help you with the actual signature, however.

Shachar



--
 EE 77 7F 30 4A 64 2E C5  83 5F E7 49 A6 82 29 BA    ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
     - [email protected] - tel: +972.2.679.5364, http://www.tkos.co.il -
_______________________________________________
Linux-il mailing list
[email protected]
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
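
The digest layers discussed in this thread, as an added example that is not code from either poster: manifest digests are Base64 of the raw digest bytes (not hex), and each per-entry digest in the .SF file covers the matching manifest section, not the file itself. Assumptions: `SHA1-Digest` header names, CRLF line endings, lines short enough to need no 72-byte wrapping, and a constructed sample file; the PKCS#7 signature block over the .SF bytes is not covered.

```python
import base64
import hashlib

# Constructed sample entry; any file name and content would do.
FILE_NAME = "hello.txt"
FILE_BYTES = b"hello, jar\n"


def b64_digest(data: bytes, algo: str = "sha1") -> str:
    """JAR digests are Base64 of the raw digest bytes, not a hex string."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def build_manifest(name: str, content: bytes) -> bytes:
    """MANIFEST.MF: main section, then one section per file with its digest."""
    main = b"Manifest-Version: 1.0\r\n\r\n"
    entry = "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, b64_digest(content))
    return main + entry.encode("utf-8")


def manifest_sections(manifest: bytes) -> list:
    """Split on blank lines, keeping each section's terminating blank line."""
    parts = manifest.split(b"\r\n\r\n")
    return [p + b"\r\n\r\n" for p in parts if p]


def build_sf(manifest: bytes) -> bytes:
    """Signature file: digest of the whole manifest, then of each section."""
    out = [b"Signature-Version: 1.0\r\n",
           ("SHA1-Digest-Manifest: %s\r\n\r\n" % b64_digest(manifest)).encode()]
    for sec in manifest_sections(manifest)[1:]:  # [0] is the main section
        name_line = sec.split(b"\r\n", 1)[0]     # "Name: ..." line, unwrapped
        out.append(name_line + b"\r\n")
        # Hash the section bytes exactly as they appear in the manifest,
        # including the trailing blank line.
        out.append(("SHA1-Digest: %s\r\n\r\n" % b64_digest(sec)).encode())
    return b"".join(out)


if __name__ == "__main__":
    mf = build_manifest(FILE_NAME, FILE_BYTES)
    print(mf.decode(), end="")
    print(build_sf(mf).decode(), end="")
```

The bytes returned by `build_sf` are what the detached signature in the `.RSA` block is computed over, so they must be written to the archive unchanged.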