- Code signing is a security mechanism that digitally signs Java scripts and executables using cryptographic algorithms so that tampered or malicious code can be detected
- The java.security.CodeSource object identifies the origin of a piece of code; SecureClassLoader (together with its subclasses) and the CodeSource class are the types that generate, modify and handle code source objects
- The CodeSource class represents the origin of executing code: it encapsulates the codebase (for applets, the applet codebase) as a URL location, together with the certificates used to verify signed code
- Some constructors of the CodeSource class:
public CodeSource(URL url, Certificate[] certs)
- Creates a CodeSource for a set of certificates at the specified code location
- The overload that takes a CodeSigner[] array instead creates a CodeSource for a set of code signers at the specified code location
Insecure Code for Signed Code Sources
- The JAR class loader verifies the signature using the public key contained in the JAR file itself; this only proves that the signed entries match that key, not that the key belongs to a trusted publisher, so the authenticity of the signature is still insufficient


Secure Code for Signed Code Sources
- Secure code using jarsigner
– In the code, the -verify option of jarsigner is used explicitly to check the JAR file signature at the command line
– jarsigner -verify signed-updates-jar-file.jar
- Secure code using a certificate chain
– A class method is invoked to verify the signature, i.e., the chain of certificates is obtained from the CodeSource object and validated against trusted certificates rather than against the key bundled in the JAR
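Bringing the two secure steps together (the loader's signature verification plus a certificate-chain check against a trust store we control), here is an added Java example that is not part of the original notes; the truststore file and password, the JAR name and the class name are hypothetical:

```java
import java.io.FileInputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;

// Added example, not from the original notes: accept a class only if every
// signer recorded in its CodeSource chains to an anchor in OUR trust store.
// File names, password and class name below are hypothetical.
public class SignedCodeCheck {
    static boolean isSignedByTrustedChain(Class<?> clazz, KeyStore trustStore) throws Exception {
        CodeSource cs = clazz.getProtectionDomain().getCodeSource();
        if (cs == null) return false;                             // unknown origin
        CodeSigner[] signers = cs.getCodeSigners();
        if (signers == null || signers.length == 0) return false; // unsigned entry
        CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore);   // anchors = trusted certs
        params.setRevocationEnabled(false); // offline demo; enable CRL/OCSP in production
        for (CodeSigner signer : signers) {
            try {
                // The JAR signature only proves the entry matches the signer's key;
                // PKIX validation against our anchors is what establishes authenticity.
                pkix.validate(signer.getSignerCertPath(), params);
            } catch (CertPathValidatorException e) {
                return false; // self-signed or unknown CA: valid signature, untrusted signer
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream("truststore.jks")) {
            ts.load(in, "changeit".toCharArray());
        }
        URL jar = new URL("file:signed-updates-jar-file.jar");
        try (URLClassLoader loader = new URLClassLoader(new URL[]{jar}, null)) {
            // Loading the class makes URLClassLoader verify the JAR's signature and
            // attach the signers to the class's CodeSource (a tampered entry throws).
            Class<?> c = loader.loadClass("com.example.Update");
            System.out.println("trusted signer: " + isSignedByTrustedChain(c, ts));
        }
    }
}
```

A CodeSource is per (URL, signers) pair, so an entry added to the same JAR without a signature gets a CodeSource with no signers: check each class you load, not just one representative.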