Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
SignedObject (Serializable object, PrivateKey signingKey, Signature signingEngine)
Is it safe to serialize and deliver this object to a client application? Is there a way that they might get hold of the PrivateKey through reflection?
I want to use this object to hold a digital signature as well as the data that was signed.
The serialized objects include only the object itself and the signature (and the algorithm used for signing purposes), as noted here:
http://java.sun.com/j2se/1.4.2/docs/api/serialized-form.html#java.security.SignedObject
As a result, it is safe to pass these around. Not only can the private key not be determined through that object alone, but it also cannot be tampered along the way, so the object will remain trusted (so long as the client verifies it).