I've reached a point in my current Android-Project, that requires verifying an XML-Signature with a .pdf file (the pdf File is signed in the XMl file)
and i encountered one major problem. It is related with absolutley NOT beeing able to use the iaik-libaries:
The Signature is made with the ECC-Algorithm (Eliptic curves), which standard java libaries cannot handle.
Does anyone know a way to deal with these signatures?
So what i am looking for is either another libarie or a workaround for the javax-Problem.
Many Thanks for any idea!
Additional Info:
I know about Apache Santuario, but i can not use it, because it
containt classes that would be added to javax, and the DalvikVM does
not allow that.
I know it's easy to do it with iaik, but it is not an option due to
licence-issues (+ the javax-problem).
I do not post any code, because it cannot be done my way, i'm totaly stuck and i need new Ideas from scratch :/
Related
I hope you're doing well in these complicated times, good containment all around :D
So I come to my problem, currently I'm working on a game in Java and I know that it's possible to modify the jar file of my game which annoys me a little bit because it can give cheating possibilities for malicious players... I had thought of a solution even if it's not infallible, it would be to make sure to check if the jar file has not been modified. But the problem is that I don't know how to check this, I had thought of a system that would check the point of the file even if I doubt it would be the best solution.
If you have any other ideas to secure my game I would be interested :D
It is possible to check if a JAR file on your machine has been modified. Simply compare a cryptographic hash of the current JAR file with a previously recorded hash for a pristine copy. (Or just do a byte-by-byte comparison with the pristine copy.)
But you can't do this for JAR file on the user's machine:
You can't login to the user's machine and access their file system to look at the JAR file. (Even if you could, there is no guarantee that you would see the file that the cheater is actually using.)
If your application (running on the user's machine) tries to report on the integrity of its JAR files, this can be defeated by the cheater. All they need to do is to modify the JAR file containing the reporting code to report a fake hash.
Basically, there is no reliable way to detect that a cheater is running a modified JAR ... apart from detecting the anomalous behavior of the cheat itself.
But think of it this way. If there was a good (reliable, no circumvention) mechanism for detect that a cheater is running a modified client, then cheats would not be a problem in the many online games that exist out there. And (by extension) there would be no way to defeat software license enforcement schemes ... because software vendors would use a similar mechanism.
So, my advice would be not waste too much time on this approach. It only works against people with limited technical expertise or limited motivation.
The only way to completely prevent cheats is to control the platform on which the client runs. That is usually impractical.
In regards to your question about other ideas, the best thing you can do is validate everything from the client. One thing you should always remember is that the client cannot be trusted because you cannot verify anything from it. All you can do is store the state on a remote server and when the client tells you something, validate it, and give a response if necessary or prevent the action if necessary.
You will need to somehow find out where the jar file is: Java - Search for files in a directory
Then you can check for the last modified date of the file: https://www.boraji.com/java-get-last-modified-date-of-a-file
However, I would not consider this a very powerful defense against cheating, because one can modify the jar file and remove the validation of the file date.
You will need to think about the kind of cheating that can occur and to come up with other security measures as well.
EDIT
As Dave Thompson pointed out, the modified timestamp can be changed as well, which makes the modification of the jar file unnecessary, even though reverse engineering is still needed by the hackers, because that's how they find out what the rules of the application are.
I am trying to have my custom file type .vrs (which for all intents and purposes is an rich text format).
I am pleased with what I have since I am self taught.
But am having difficulties associating that file with my program so that when a user double clicks it, it automatically open my document editor.
All searches so far have come up with either right clicking and setting the association, but this is not what I would need.
I may not have explained as well as needed so think Photoshop's .psd when you install Photoshop all psd files are automatically set to open when you double click them.
Hopefully I have been clear enough for you to help.
Also whilst the question is regarding Java any resource be it for C# C++ etc, would also be appreciated.
Thanks for your time and any responses.
This functionality is system dependent, and in Windows involves the registry. If you really want to delve into this, take a look at this post, which goes into great detail on how to accomplish programmatically setting a file extension association using C++. If this is helpful, please write back telling us how you solved the problem in your individual situation.
If that isn't helpful I would try this link instead, as it links to more resources and demonstrates a little C# code.
I'm getting the following in my console. It's not coming from my code. I've placed several libraries such as WebLogic, sun, javax, in my step filters. Is there a way to tell which library generated this message? I don't really want to step through all of the library classes that I'm using to try to find this.
[Fatal Error] :1:80: The element type "body" must be terminated by the matching end-tag "</body>".
When this happens to me, I typically first reach for Google. These days most error messages have been posted by someone somewhere, although you have to ensure you strip your specifics (in this case the "body" sounds pretty specific) out of it.
If Google doesn't help or just takes too long, I typically end up running a binary search tool over my lib directory. The results aren't pretty. But once I know which jar contains the message, I can zoom into a prettier format for the details.
What is it and how do I get around it?
Also, I want to use this code in my Java screen recorder, but I want to provide a vector of images as I click the screenshots rather than reading it frm a folder. I would like help with that, too.
for berry120:
In terms of the "access restriction" error, it seems to be a similar issue to this one - as in you may be trying to replace a Java library class with one from a jar file (in your case JMF.jar.)
Have a look at this question: Access restriction on class due to restriction on required library rt.jar?
The second answer down (one with 250+ upvotes) is the one that may work in your case - remove and re-add the JRE system library.
I have a simple test case producing a sure ArrayOutOfBoundException in jzlib
1.0.7 depending on the data subsequently written to one and the same instance
of ZOutputStream.
Stacktrace:
java.lang.ArrayIndexOutOfBoundsException: 587
at com.jcraft.jzlib.Tree.d_code(Tree.java:149)
at com.jcraft.jzlib.Deflate.compress_block(Deflate.java:691)
at com.jcraft.jzlib.Deflate._tr_flush_block(Deflate.java:897)
at com.jcraft.jzlib.Deflate.flush_block_only(Deflate.java:772)
at com.jcraft.jzlib.Deflate.deflate_slow(Deflate.java:1195)
at com.jcraft.jzlib.Deflate.deflate(Deflate.java:1567)
at com.jcraft.jzlib.ZStream.deflate(ZStream.java:133)
at com.jcraft.jzlib.ZOutputStream.write(ZOutputStream.java:102)
at com.jcraft.jzlib.JZLibTestCase.main(JZLibTestCase.java:51)
at JZLibTestCase.main(JZLibTestCase.java:28)
The problem occurs very rarely and depends on the data subsequentially
written to an open ZOutputStream from jzlib.
Do you have a hint how to fix this? Have you ever heard of this?
Near as I can tell you might've found a bug with JZlib. While searching around I came across other places that have your post with attached source and data files. It does not appear that you're doing anything wrong. You should be able to stream any sequence of bytes to ZOutputStream.
Is there a particular reason you're using JZlib? The two main reasons I understand to use it are support for Z_PARTIAL_FLUSH mode and licensing. If you don't need that flush mode and you're using the Oracle JVM, you should be just fine with the included DeflaterOutputStream. Substituting it in your code for ZOuputStream works without an exception.
I haven't found a concrete reason for using jzlib asking my co-workers, but for sure there has been a bug using java.util.zip somewhen in JRE 1.4 on multi-processor systems, although no one has been able to tell me concretely which one. From that time on we have been using jzlib, which has worked good for many years. Most probably it is already fixed. Nevertheless, using java.util.zip works with my simple test data in the same manner jzlib failed with, that's true.