In public key cryptography, there are two keys. One is used by the sender and is usually private. One is used by the receiver and is usually public.
The sender uses the private key to encode a message or data, and the receiver uses the public key to decode the message.
Digital signatures work just like public key cryptography. The signer encodes data with his own private key, and then anyone with his public key can decode it. This allows any receiver to verify the source or signer of data as accurate and guarantee its integrity and authenticity.
To set up a digital signature in Java, you first need to set up a private key, usually by using keytool or the security API methods. Programmers often use the Java Certificate feature to securely verify public key authenticity.
After you have a public key, you generate a digital signature using the jarsigner tool or the API methods. Use the Signature class to sign the data by creating the Signature object, initializing it for signing, processing the data, and then signing it. After it's signed, you export the objects into files for shipping to the receiver.
Once the data is signed, you send the receiver the data and signature. You must supply the receiver with the public key corresponding to the private key you used to generate the signature. The receiver imports the public key then uses the key to verify integrity. The receiver can verify by grabbing the object, initializing it for verification, processing the data, and then comparing the signature.
You need two applications to use Java's digital signature feature. One application generates the digital signature (the sender). The other application verifies authenticity (the receiver).
The Sender Code
The methods for the sending code are part of the java.security package and are usually placed between try and catch blocks. The first step is to produce the public and private keys.
In order to create a digital signature, you need a private key. The program needs to generate a key pair by using the KeyPairGenerator class. First, you need to create the key pair generator, by calling the getInstance method on the KeyPairGenerator class. You can use a number of different signature algorithms for the generator (Sun Microsystems actually provides a Digital Signature Algorithm, or DSA).
After creating the key pair generator you must initialize it. The KeyPairGenerator class has an initialize method that takes two types of arguments, one for keysize and one for randomness. The keysize is the key length (in bits). The source of randomness must be an instance of the SecureRandom class. Finally, you generate the pair of keys and store them in PrivateKey and PublicKey objects.
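/* imports needed by the sender code */
import java.security.*;
/* create a key pair generator; DSA is the algorithm mentioned above */
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
/* initialize the key pair generator with a key size in bits (2048 is an example value) and a source of randomness; SecureRandom.getInstance(algorithm, provider) selects a specific generator instead of the default */
SecureRandom random = new SecureRandom();
keyGen.initialize(2048, random);
/* store the pair of keys (private and public are reserved words in Java, so they cannot be used as variable names) */
KeyPair pair = keyGen.generateKeyPair();
PrivateKey privateKey = pair.getPrivate();
PublicKey publicKey = pair.getPublic();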
Signing the data is the second step. A digital signature is created and verified using an instance of the Signature class. First you create a Signature object using the signature algorithm you chose (for example Sun Microsystems' DSA). You must then use a private key to initialize the Signature object. You then supply the data to be signed to the Signature object by calling the update method.
Once all of the data has been given to the Signature object, you generate the signature of the data. Then you save the signature bytes in one file and the public key bytes in another so you can send them. You will have three pieces to send: the data, the signature, and the public key. The signature is placed in a byte array. The public key is placed in a PublicKey object. You can get the encoded key bytes by calling the getEncoded method and store the bytes in a file.
/* create signature object; SHA256withDSA is an example algorithm name that matches a DSA key */
Signature signer = Signature.getInstance("SHA256withDSA");
/* initialize signature object with the private key */
signer.initSign(privateKey);
/* supply the data to be signed; call update once per chunk (data is a byte array holding the data) */
signer.update(data);
/* generate signature */
byte[] realSignature = signer.sign();
/* save the signature and public key in files */
The Receiver
To verify the signature and file, a receiver needs the data, the signature, and the public key. The methods for verifying data are part of the java.security package, and are usually placed between try and catch blocks.
The code needs to import the encoded public key bytes and convert them to a PublicKey. A PublicKey is necessary because that is what the Signature initVerify method requires to initialize the Signature object for verification. Once you hold the encoded public key bytes, you can use the KeyFactory class to instantiate a public key from its encoding. You need a key specification, a KeyFactory object to do the conversion, and then you use the KeyFactory object to generate a PublicKey from the key specification.
The signature is verified using an instance of the Signature class. You need to create a Signature object that uses the same algorithm that was used to generate the signature. Then you need to initialize the signature object and give the Signature object the data that needs to be verified by again calling the update method.
Once the Signature object has all of the data, you can verify the signature. The signature was read into a byte array, and the boolean result of verification is true if the alleged signature is the actual signature of the specified data file generated by the private key corresponding to the public key.
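The receiver steps described above, as an added example that is not part of the original post. The class name, the sample message, the 2048-bit DSA key and the SHA256withDSA algorithm are assumptions chosen for illustration; the sender half is included only so the receiver has something to check.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class VerifySignatureExample {
    // Receiver side: rebuild the PublicKey from its encoded bytes, then verify.
    static boolean verify(byte[] encodedPublicKey, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encodedPublicKey);
        PublicKey publicKey = KeyFactory.getInstance("DSA").generatePublic(keySpec);
        Signature verifier = Signature.getInstance("SHA256withDSA");
        verifier.initVerify(publicKey);
        verifier.update(data);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            return false; // verify throws if the signature bytes are improperly encoded
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Sender side (constructed sample input for the receiver).
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
        keyGen.initialize(2048, new SecureRandom());
        KeyPair pair = keyGen.generateKeyPair();
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withDSA");
        signer.initSign(pair.getPrivate());
        signer.update(data);
        byte[] signature = signer.sign();
        byte[] encodedPublicKey = pair.getPublic().getEncoded(); // X.509 encoding

        // The three pieces the receiver gets: data, signature, encoded public key.
        System.out.println("original data verifies: "
                + verify(encodedPublicKey, data, signature));

        byte[] tampered = data.clone();
        tampered[0] ^= 0x01; // flip one bit of the message
        System.out.println("tampered data verifies: "
                + verify(encodedPublicKey, tampered, signature));

        byte[] truncated = Arrays.copyOf(signature, signature.length - 1);
        System.out.println("truncated signature verifies: "
                + verify(encodedPublicKey, data, truncated));
    }
}
```

A true result only ties the data to whoever holds the matching private key. The receiver still has to obtain the public key in a way it trusts, which is the role of the certificate mentioned earlier.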
1 comment:
Thanks for sharing this wonderful set of information about digital signatures in Java, how these are created in Java. I will try to write a code to implement the same.