com.netphantom.server.utils

Class JarSignatureValidator

java.lang.Object

com.netphantom.server.utils.JarSignatureValidator

public class JarSignatureValidator
extends Object

Validates JAR file signatures and checks the validity of signing certificates.

This class provides both offline and online validation capabilities with graceful degradation. When online checks are requested but network connectivity is unavailable, the validator completes all possible offline checks before reporting the connectivity issue.

Verification Modes:

• Simple verification (verify(File)): Quick certificate extraction and validation without reading all JAR entries.
• Thorough verification (verifyThoroughly(File)): Complete JAR integrity check, verifying every entry against its signature.

Online/Offline Behavior:

Both verification methods attempt online revocation checking by default. Use the offlineOnly parameter to skip network checks. If online checks are requested but network connectivity is unavailable, the validator completes all offline checks and records the communication failure in the status.

Usage Examples:

 // Simple verification with online checks (default)
 JarSignatureStatus status = JarSignatureValidator.verify(new File("app.jar"));
 
 // Simple verification, offline only
 JarSignatureStatus status = JarSignatureValidator.verify(new File("app.jar"), true);
 
 // Thorough verification with pre-opened JarFile
 JarFile jarFile = new JarFile("app.jar", true);
 JarSignatureStatus status = JarSignatureValidator.verifyThoroughly(jarFile);
 jarFile.close();
 
 // Check results
 if ( status.isValid() )
   {
   System.out.println("JAR is valid");
   if ( status.isOfflineOnly() )
     System.out.println("Warning: Could not verify revocation online");
   }
 

This class is compatible with Java 8 and later versions.

Author:

Christopher Mindus

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	JarSignatureValidator.CertificateInfo Contains detailed information about an X.509 certificate from a JAR signature.
static class	JarSignatureValidator.JarSignatureStatus Represents the complete result of JAR signature validation with comprehensive interrogation methods.
static class	JarSignatureValidator.RevocationInfo Contains the result of an online certificate revocation check.

Constructor Summary

Constructors

Constructor and Description
JarSignatureValidator()

Method Summary

Modifier and Type	Method and Description
static List<X509Certificate>	extractSignerCertificates(File file) Extracts X.509 certificates from a JAR file's signature block files.
static List<X509Certificate>	extractSignerCertificates(JarFile jar) Extracts X.509 certificates from a JarFile's signature block files.
static JarSignatureValidator.JarSignatureStatus	verify(File file) Performs a simple verification of a JAR file's signature with online checks.
static JarSignatureValidator.JarSignatureStatus	verify(File file, boolean offlineOnly) Performs a simple verification of a JAR file's signature.
static JarSignatureValidator.JarSignatureStatus	verify(JarFile jarFile) Performs a simple verification using a pre-opened JarFile with online checks.
static JarSignatureValidator.JarSignatureStatus	verify(JarFile jarFile, boolean offlineOnly) Performs a simple verification using a pre-opened JarFile.
static JarSignatureValidator.JarSignatureStatus	verifyThoroughly(File file) Performs a thorough verification of a JAR file with online checks.
static JarSignatureValidator.JarSignatureStatus	verifyThoroughly(File file, boolean offlineOnly) Performs a thorough verification of a JAR file's signature and integrity.
static JarSignatureValidator.JarSignatureStatus	verifyThoroughly(JarFile jarFile) Performs a thorough verification using a pre-opened JarFile with online checks.
static JarSignatureValidator.JarSignatureStatus	verifyThoroughly(JarFile jarFile, boolean offlineOnly) Performs a thorough verification using a pre-opened JarFile.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JarSignatureValidator

public JarSignatureValidator()

Method Detail

verify

public static JarSignatureValidator.JarSignatureStatus verify(File file)

Performs a simple verification of a JAR file's signature with online checks.

This method provides a convenient way to verify a JAR file with sensible defaults. It performs:

• Certificate extraction from signature block files (quick mode)
• Offline checks: expiration, validity period, self-signed detection
• Online checks: OCSP/CRL revocation verification (if network available)

This method never throws exceptions for I/O or network failures. All failures are captured in the returned status object.

Parameters:

file - the JAR file to verify.

Returns:

status object that can be interrogated for specific results.

verify

public static JarSignatureValidator.JarSignatureStatus verify(File file,
                                                              boolean offlineOnly)

Performs a simple verification of a JAR file's signature.

This method provides a convenient way to verify a JAR file. It performs:

• Certificate extraction from signature block files (quick mode)
• Offline checks: expiration, validity period, self-signed detection
• Online checks: OCSP/CRL revocation verification (unless offlineOnly is true)

This method never throws exceptions for I/O or network failures. All failures are captured in the returned status object.

Parameters:

file - the JAR file to verify.

offlineOnly - if true, skip online revocation checks; if false, attempt online checks (with graceful fallback).

Returns:

status object that can be interrogated for specific results.

verify

public static JarSignatureValidator.JarSignatureStatus verify(JarFile jarFile)

Performs a simple verification using a pre-opened JarFile with online checks.

Use this method when you already have an open JarFile instance. The JarFile should typically be opened with verification enabled:

 JarFile jarFile = new JarFile(filename, true);
 JarSignatureStatus status = JarSignatureValidator.verify(jarFile);
 jarFile.close();
 

Note: This method does not close the JarFile. The caller is responsible for closing it.

Parameters:

jarFile - the pre-opened JarFile to verify.

Returns:

status object that can be interrogated for specific results.

verify

public static JarSignatureValidator.JarSignatureStatus verify(JarFile jarFile,
                                                              boolean offlineOnly)

Performs a simple verification using a pre-opened JarFile.

Use this method when you already have an open JarFile instance. The JarFile should typically be opened with verification enabled:

 JarFile jarFile = new JarFile(filename, true);
 JarSignatureStatus status = JarSignatureValidator.verify(jarFile, false);
 jarFile.close();
 

Note: This method does not close the JarFile. The caller is responsible for closing it.

Parameters:

jarFile - the pre-opened JarFile to verify.

offlineOnly - if true, skip online revocation checks; if false, attempt online checks (with graceful fallback).

Returns:

status object that can be interrogated for specific results.

verifyThoroughly

public static JarSignatureValidator.JarSignatureStatus verifyThoroughly(File file)

Performs a thorough verification of a JAR file with online checks.

This method provides complete JAR verification including:

• Reading and verifying every entry in the JAR file
• Detecting tampered or unsigned entries
• Offline checks: expiration, validity period, self-signed detection
• Online checks: OCSP/CRL revocation verification (if network available)

This method never throws exceptions for I/O or network failures. All failures are captured in the returned status object.

Performance note: This method reads every byte of every entry in the JAR file, which can be slow for large JARs. Use verify(File) for quick certificate-only checks.

Parameters:

file - the JAR file to verify.

Returns:

status object that can be interrogated for specific results.

verifyThoroughly

public static JarSignatureValidator.JarSignatureStatus verifyThoroughly(File file,
                                                                        boolean offlineOnly)

Performs a thorough verification of a JAR file's signature and integrity.

This method provides complete JAR verification including:

• Reading and verifying every entry in the JAR file
• Detecting tampered or unsigned entries
• Offline checks: expiration, validity period, self-signed detection
• Online checks: OCSP/CRL revocation verification (unless offlineOnly is true)

This method never throws exceptions for I/O or network failures. All failures are captured in the returned status object.

Parameters:

file - the JAR file to verify.

offlineOnly - if true, skip online revocation checks; if false, attempt online checks (with graceful fallback).

Returns:

status object that can be interrogated for specific results.

verifyThoroughly

public static JarSignatureValidator.JarSignatureStatus verifyThoroughly(JarFile jarFile)

Performs a thorough verification using a pre-opened JarFile with online checks.

Use this method when you already have an open JarFile instance. For thorough verification, the JarFile should be opened with verification enabled:

 JarFile jarFile = new JarFile(filename, true);
 JarSignatureStatus status = JarSignatureValidator.verifyThoroughly(jarFile);
 jarFile.close();
 

Note: This method does not close the JarFile. The caller is responsible for closing it.

Parameters:

jarFile - the pre-opened JarFile to verify (should be opened with verify=true).

Returns:

status object that can be interrogated for specific results.

verifyThoroughly

public static JarSignatureValidator.JarSignatureStatus verifyThoroughly(JarFile jarFile,
                                                                        boolean offlineOnly)

Performs a thorough verification using a pre-opened JarFile.

Use this method when you already have an open JarFile instance. For thorough verification, the JarFile should be opened with verification enabled:

 JarFile jarFile = new JarFile(filename, true);
 JarSignatureStatus status = JarSignatureValidator.verifyThoroughly(jarFile, true);
 jarFile.close();
 

Note: This method does not close the JarFile. The caller is responsible for closing it.

Parameters:

jarFile - the pre-opened JarFile to verify (should be opened with verify=true).

offlineOnly - if true, skip online revocation checks; if false, attempt online checks (with graceful fallback).

Returns:

status object that can be interrogated for specific results.

extractSignerCertificates

public static List<X509Certificate> extractSignerCertificates(File file)
                                                       throws IOException,
                                                              CertificateException

Extracts X.509 certificates from a JAR file's signature block files.

Parameters:

file - the JAR file to extract certificates from.

Returns:

list of X.509 certificates found in signature blocks, empty if unsigned.

Throws:

IOException - if the JAR file cannot be read.

CertificateException - if certificate parsing fails.

extractSignerCertificates

public static List<X509Certificate> extractSignerCertificates(JarFile jar)
                                                       throws IOException,
                                                              CertificateException

Extracts X.509 certificates from a JarFile's signature block files.

Note: This method does not close the JarFile.

Parameters:

jar - the JarFile to extract certificates from.

Returns:

list of X.509 certificates found in signature blocks, empty if unsigned.

Throws:

IOException - if the JAR file cannot be read.

CertificateException - if certificate parsing fails.