The Signature Class
Signature class is an engine class designed
to provide the functionality of a cryptographic digital signature
algorithm such as DSA or RSA with MD5. A cryptographically secure
signature algorithm takes arbitrary-sized input and a private key
and generates a relatively short (often fixed-size) string of bytes,
called the signature, with the following properties: - Given the public key corresponding to the private key used to generate the signature, it should be possible to verify the authenticity and integrity of the input.
- The signature and the public key do not reveal anything about the private key.
A Signature object can be used to sign data. It
can also be used to verify whether or not an alleged signature is
in fact the authentic signature of the data associated with it. See
the Examples section for an
example of signing and verifying data.
SignatureObject StatesSignatureobjects are modal objects which means that aSignatureobject is always in a given state, where it can do only one type of operation. States are represented as final integer constants defined in their respective classes.The three states aSignatureobject can have are:UNINITIALIZEDSIGNVERIFY
When it is first created, a
Signatureobject is in theUNINITIALIZEDstate. TheSignatureclass defines two initialization methods,initSignandinitVerify, which change the state toSIGNandVERIFY, respectively.- Creating a
SignatureObject - The first step for signing or verifying a signature is to create
a
Signatureinstance. As with all engine classes, the way to get aSignatureobject for a particular type of signature algorithm is to call thegetInstancestatic factory method on theSignatureclass:static Signature getInstance(String algorithm)Note: The algorithm name is not case-sensitive.A caller can optionally specify the name of a provider or theProviderclass, which will guarantee that the implementation of the algorithm requested is from the named provider:static Signature getInstance(String algorithm, String provider) static Signature getInstance(String algorithm, Provider provider) - Initializing a
SignatureObject -
A
Signatureobject must be initialized before it is used. The initialization method depends on whether the object is going to be used for signing or for verification.If it is going to be used for signing, the object must first be initialized with the private key of the entity whose signature is going to be generated. This initialization is done by calling the method:final void initSign(PrivateKey privateKey)This method puts the
Signatureobject in theSIGNstate.If instead theSignatureobject is going to be used for verification, it must first be initialized with the public key of the entity whose signature is going to be verified. This initialization is done by calling either of these methods:final void initVerify(PublicKey publicKey) final void initVerify(Certificate certificate)This method puts the
Signatureobject in theVERIFYstate. - Signing
- If the
Signatureobject has been initialized for signing (if it is in theSIGNstate), the data to be signed can then be supplied to the object by making one or more calls to one of theupdatemethods:final void update(byte b) final void update(byte[] data) final void update(byte[] data, int off, int len)Calls to the
updatemethods should be made until all the data to be signed has been supplied to theSignatureobject.To generate the signature, simply call one of thesignmethods:final byte[] sign() final int sign(byte[] outbuf, int offset, int len)The first method returns the signature result in a byte array. The second stores the signature result in the provided buffer outbuf, starting at offset. len is the number of bytes in outbuf allotted for the signature. The method returns the number of bytes actually stored.
Signature encoding is algorithm specific. See Appendix B for more information about the use of ASN.1 encoding in the Java™ Cryptography Architecture.
A call to a
signmethod resets the signature object to the state it was in when it was previously initialized for signing using a call toinitSign. That is, the object is reset and available to generate another signature with the same private key, if desired, using new calls toupdateandsign.Alternatively, a new call can be made to
initSignspecifying a different private key or toinitVerify(to initialize theSignatureobject to verify a signature). - Verifying
- If the
Signatureobject has been initialized for verification (if it is in theVERIFYstate), it can then verify if an alleged signature is in fact the authentic signature of the data associated with it. To start the process, the data to be verified (as opposed to the signature itself) is supplied to the object. The data is passed to the object by calling one of theupdatemethods:final void update(byte b) final void update(byte[] data) final void update(byte[] data, int off, int len)Calls to theupdatemethods should be made until all the data to be verified has been supplied to theSignatureobject. The signature can now be verified by calling one of theverifymethods:final boolean verify(byte[] signature) final boolean verify(byte[] signature, int offset, int length)The argument must be a byte array containing the signature. The argument must be a byte array containing the signature. This byte array would hold the signature bytes that were returned by a previous call to one of the
signmethods.The
verifymethod returns abooleanindicating whether or not the encoded signature is the authentic signature of the data supplied to theupdatemethods.A call to the
verifymethod resets the signature object to its state when it was initialized for verification using a call toinitVerify. That is, the object is reset and available to verify another signature from the identity whose public key was specified in the call toinitVerify.Alternatively, a new call can be made to
initVerifyspecifying a different public key (to initialize theSignatureobject for verifying a signature from a different entity), or toinitSign(to initialize theSignatureobject for generating a signature).