Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Java > Comparing a jar'd class to the runtime class

Reply
Thread Tools

Comparing a jar'd class to the runtime class

 
 
James D Carroll
Guest
Posts: n/a
 
      06-26-2004
I'm looking for a way to do the following:

1. Inspect a jar and find out the contents of it. Having identified classes
I would like to get an MD5 hash of them.

2. Verify that the class I found in the jar and loaded via Class.forName()
is that same as the one in the jar.



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.711 / Virus Database: 467 - Release Date: 6/26/2004


 
Reply With Quote
 
 
 
 
Sudsy
Guest
Posts: n/a
 
      06-26-2004
James D Carroll wrote:
> I'm looking for a way to do the following:
>
> 1. Inspect a jar and find out the contents of it. Having identified classes
> I would like to get an MD5 hash of them.
>
> 2. Verify that the class I found in the jar and loaded via Class.forName()
> is that same as the one in the jar.


Well, duh! Jeesh!! What were you thinking ?!?

(direct quote from a previous response of yours...)

 
Reply With Quote
 
 
 
 
James D Carroll
Guest
Posts: n/a
 
      06-26-2004
HAHAHAHAHA!!!! Well played.

But then I bow to their knowledge of COM, etc.

I bow now to yours....

Any ideas?



"Sudsy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> James D Carroll wrote:
> > I'm looking for a way to do the following:
> >
> > 1. Inspect a jar and find out the contents of it. Having identified

classes
> > I would like to get an MD5 hash of them.
> >
> > 2. Verify that the class I found in the jar and loaded via

Class.forName()
> > is that same as the one in the jar.

>
> Well, duh! Jeesh!! What were you thinking ?!?
>
> (direct quote from a previous response of yours...)
>



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.711 / Virus Database: 467 - Release Date: 6/26/2004


 
Reply With Quote
 
Sudsy
Guest
Posts: n/a
 
      06-26-2004
James D Carroll wrote:
> HAHAHAHAHA!!!! Well played.
>
> But then I bow to their knowledge of COM, etc.
>
> I bow now to yours....
>
> Any ideas?


As of 1.4.2, there wasn't a Class#toBytes method. It would still have
required some convolutions to generate an MD5 hash...
Can't you use Object#hashCode().equals()?
Trust me, the JCE is no place for the faint-of-heart!

 
Reply With Quote
 
Liz
Guest
Posts: n/a
 
      06-26-2004

"James D Carroll" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm looking for a way to do the following:
>
> 1. Inspect a jar and find out the contents of it. Having identified

classes
> I would like to get an MD5 hash of them.


This will get you a list of the files in the jar file.
unzip -t filename.jar
But you will need to extract them to compute the md5.
Then for each file you can do this.
md5 filename
Where md5 is the well known program

>
> 2. Verify that the class I found in the jar and loaded via Class.forName()
> is that same as the one in the jar.


Don't know this one.

>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.711 / Virus Database: 467 - Release Date: 6/26/2004
>
>



 
Reply With Quote
 
Chris Uppal
Guest
Posts: n/a
 
      06-26-2004
James D Carroll wrote:

> 1. Inspect a jar and find out the contents of it. Having identified
> classes I would like to get an MD5 hash of them.


This can be done using the stuff in java.util.zip. Alternatively you can use
getResource() to find .class files in "the" source jar.


> 2. Verify that the class I found in the jar and loaded via Class.forName()
> is that same as the one in the jar.


This cannot be done in general. You can create your own classloader which
retains (a hash of) the byte[] array of classes as they are defined, but for
classes that are not loaded via that classloader, this data is not available.

But then, if you are using your own classloader, why do you need to check that
it's loading the "right" class definition from the JAR file ?

You don't say what you are trying to achieve, but it may be that signing and
sealing the JAR would get some of what you are looking for.

-- chris


 
Reply With Quote
 
Chris Smith
Guest
Posts: n/a
 
      06-26-2004
James D Carroll wrote:
> I'm looking for a way to do the following:
>
> 1. Inspect a jar and find out the contents of it. Having identified classes
> I would like to get an MD5 hash of them.
>
> 2. Verify that the class I found in the jar and loaded via Class.forName()
> is that same as the one in the jar.


The first part is easy. Just use the java.util.zip package to inspect
the contents of the JAR. The second part is more difficult. If you
need to load classes from that JAR, why not just create a URLClassLoader
to do so, and load the class directly from there?

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation
 
Reply With Quote
 
Roedy Green
Guest
Posts: n/a
 
      06-27-2004
On Sat, 26 Jun 2004 00:35:51 -0400, "James D Carroll"
<(E-Mail Removed)> wrote or quoted :

>2. Verify that the class I found in the jar and loaded via Class.forName()
>is that same as the one in the jar.


Why wouldn't it be? If someone has tampered with the that process,
surely they could tamper with your code to check up on them.

Perhaps you could do a sanity check, make the class do some
computations and check it gives the expected result.

If this is anti-piracy logic, see
http://mindprod.com/jgloss/obfuscator.html
for some hints.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Reply With Quote
 
Hemal Pandya
Guest
Posts: n/a
 
      06-27-2004
Roedy Green <(E-Mail Removed)> writes:

> On Sat, 26 Jun 2004 00:35:51 -0400, "James D Carroll"
> <(E-Mail Removed)> wrote or quoted :
>
>>2. Verify that the class I found in the jar and loaded via Class.forName()
>>is that same as the one in the jar.

>
> Why wouldn't it be? If someone has tampered with the that process,
> surely they could tamper with your code to check up on them.
>
> Perhaps you could do a sanity check, make the class do some
> computations and check it gives the expected result.
>


Or perhaps to verify that the class was indeed located from the
location the programmer intended for it to be loaded. See
http://groups.google.com/groups?\
threadm=MPG.17cad830743b828398a282%40news.altopia. com
for an approach that will work in some cases.

But if this is the case then I would say it should be tackled at the
level in your development enviroment rather then at run-time. See
http://mindprod.com/projects/pathtool.html for a possible approach.

Of course, I could be wrong.
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Runtime.exec(String[]) Doesn't Always Work, bBut Runtime.exec(String) Does Hal Vaughan Java 11 05-22-2006 04:49 PM
How to find at Runtime, if Created class object is instance of given class declaration Ami C++ 3 02-27-2006 04:59 PM
question--A function returns class object(comparing C++ & JAVA) Xiaoshen Li C++ 11 12-26-2005 01:41 PM
question--function returns class object(comparing C++ & JAVA) Xiaoshen Li Java 30 12-21-2005 12:52 PM
Nested Class, Member Class, Inner Class, Local Class, Anonymous Class E11 Java 1 10-12-2005 03:34 PM



Advertisments