Java Reference
In-Depth Information
The former provides the ultimate goal, but without the latter, the former would be
meaningless. You'll learn about both as we discuss digital signing and certificates.
We'll show you how to create certificates and use them to digitally sign your bundles.
Then we'll introduce
BundleSignerCondition
, which gives you the ability to grant
permissions based on the identity established via certificates. First, let's get some ter-
minology out of the way.
14.5.1
Learning the terminology
The domain of digital cryptography is complex and sophisticated. Providing a com-
plete and detailed description is beyond the scope of the topic, so we'll focus on
describing just enough to have it make sense. With that in mind, table 14.6 introduces
some relevant terms we'll use throughout the remainder of the chapter.
Table 14.6
Digital cryptography terminology
Term
Definition
Digital signing
A mathematical approach for verifying the authenticity of digital data. Specifically, used
to verify the identity of the provider and that the data hasn't been modified.
Signature
A unique value calculated when data is digitally signed.
Public key
cryptography
A form of digital signing using two mathematically related keys: a public key and a pri-
vate key. The private key is a guarded secret used to sign data. The public key is shared
with others in the form of a certificate, which they can use to verify that a signature was
generated with the private key. This allows you to infer the identity of the provider and
determine whether someone has tampered with the data.
Certificate
A form of metadata about a public key, binding it to the identity of the private key holder.
This binding is achieved by having a well-known (trusted) third party sign the public key/
identity pair.
Distinguished
name
The identification portion of a certificate; specifically, as defined by the X.509 ITU-IT
standard. Identifies the holder of the private key.
Certificate
chain
A certificate has a reference to the certificate of its third-party signer, which includes a
reference to the certificate of its signer, and so on, until the root. This is a certificate
chain. The root of the certificate chain is a self-signed certificate.
A general understanding of these terms should be sufficient. You don't need a com-
plete understanding of digital cryptography to use the technology effectively. We'll
start looking at the basics.
14.5.2
Creating certificates and signing bundles
You'll be using digital signing based on public key cryptography, which involves a pub-
lic key and a private key. The public key is shared with the world in the form of a cer-
tificate. The private key is kept secret and used to sign data by performing a
computation over it. The resulting value can be verified by performing another calcu-
lation over the data using the public key. This verifies that the signer has access to the
private key and that the data hasn't been modified.
