Self-Destructing JAR
[110 byte] By [ChromoXNHa] at [2007-11-27 1:19:42] 
I was wondering how I can self destruct(or make a file delete it self) after a certain expiration date?
# 1
I would investigate the legal consequences of this first.ejpa at 2007-7-11 23:56:16 >
# 2
If I want to make my own program self destruct? Even if its in the license?ChromoXNHa at 2007-7-11 23:56:16 >
# 3
Such a licence may not be lawful.
If you're confident that it is, and that you know the law, and if you have deep enough pockets to defend the lawsuits, go ahead.
Otherwise get legal advice.
Better still, just forget it. Use a time bomb that will just stop it running, like everybody else. I find it very useful to get people to finally pay for their software.
ejpa at 2007-7-11 23:56:16 >
# 4
But anything can be cracked... So how am I supposed to create a secure time lock?ChromoXNHa at 2007-7-11 23:56:16 >
# 5
Not really, I have expiring JARs that would take NASA resources to crack. There is always the set-the-clock-back attack but I'm prepared to live with the few people who can be bothered. Mostly it's about getting your product such that people want to use it, and the price and protection mechanisms at a point where it's easier to pay the money. The law of diminishing returns applies - you probably can't get the last few percent to pay but it probably isn't really worth it to try.
ejpa at 2007-7-11 23:56:16 >
# 6
Alright well how do you make those JARs? What is the basic method?ChromoXNHa at 2007-7-11 23:56:16 >
# 7
Sign them with a certificate which has the required expiry date. Get the certificate via e.g. the main class's Class -> Protection Domain -> CodeSource and check its expiry date.ejpa at 2007-7-11 23:56:16 >
# 8
Could you maybe post a guide to making that expiry date, I can sign a jar it just doesn't have a date to expire.ChromoXNHa at 2007-7-11 23:56:16 >
# 9
The expiry date is that of the certificate.ejpa at 2007-7-11 23:56:16 >
# 10
Alright well I added the -validity and said 7 but it still said it was going to last for 6 months and how do I make my code aware of this and make it not launch when the time is up?ChromoXNHa at 2007-7-11 23:56:16 >
# 11
Validity is in days to 'keytool' and it works for me.I've already answered your other question.ejpa at 2007-7-11 23:56:16 >
# 12
Ok so if I want to protect my jar I first sign it with a date that the cert will expire in 7 days, then in the code I just have a simple if statement to see if the cert is expired? What keeps them from editing the code inside? Or could you post a guide on how to do this? Thanks.ChromoXNHa at 2007-7-11 23:56:16 >
# 13
If you sign a jar it is cryptographically secure. Neither the signature nor any .class file can be tampered with without destroying the validity of the entire JAR.ejpa at 2007-7-11 23:56:16 >
# 14
Alright well I got a little something working but now I have a problem....
This code:
this.certs = FusionInterface.class.getProtectionDomain().getCodeSource().getCodeSigners();
Date certDate = certs[i].getTimestamp().getTimestamp();
The second line of that code produces a NullPointerException which I don't understand because when I sign my jar and have it System.out all the Certs it prints them correctly with the correct Validity data.
ChromoXNHa at 2007-7-11 23:56:16 >
# 15
null pointer exception from which element? certs? getTimestamp() (i)?ejpa at 2007-7-21 20:04:22 >
# 16
Date certDate = certs[i].getTimestamp().getTimestamp();
It happens in the last .getTimestamp(), even though I signed the applet and when I use the jarsigner -verify it prints the whole cert and everything on the applet so I definitely signed the jar.
I can post the whole class if you would like...
import java.net.Socket;
import java.security.CodeSigner;
import java.util.Date;
public class Protection {
/** Creates a new instance of Protection */
private CodeSigner[] certs;
private HTTPSocket socket;
public Protection() {
this.certs = FusionInterface.class.getProtectionDomain().getCodeSource().getCodeSigners();
socket = new HTTPSocket();
}
public boolean check() {
String sepoch = socket.get("http://www.xav.com/time.cgi", "http://www.google.com");
long epoch = Long.parseLong(Misc.parse(sepoch, "<td align=\"right\"><tt>", "</tt></td>"));
if(certs != null) {
for(int i=0;i<certs.length;i++) {
System.out.println(certs.length);
System.out.println(epoch);
System.out.println(certs[i]);
Date certDate = certs[i].getTimestamp().getTimestamp();
Date currentDate = new Date(epoch);
if(certDate.after(currentDate)) {
return false;
} else {
return true;
}
}
} else {
return true;
}
return false;
}
}
>
ChromoXNHa at 2007-7-21 20:04:22 >
# 17
ejp do you have any ideas? I don't understand why because when I toString() it prints the whole cert out including its validity time.ChromoXNHa at 2007-7-21 20:04:22 >
# 18
You don't need to to most of that. Just check whether the certificate has expired by calling checkValidity().ejpa at 2007-7-21 20:04:22 >
# 19
How do I grab the x509cert from the JAR?ChromoXNHa at 2007-7-21 20:04:22 >
# 20
The certs array is full of them, e.g. certs[0] if it's a self-signed cert. You have to typecast it.
// Not sure whether you need to verify or whether the JVM does this for you
certs[0].verify(certs[0].getPublicKey());
X509Certificate cert = (X509Certificate)certs[0];
cert.checkValidity();
ejpa at 2007-7-21 20:04:22 >
# 21
you can include another jar that deletes another after a certain timew32sysfiea at 2007-7-21 20:04:22 >
# 22
For some reason the certs won't convert to a X509Certificate...
X509Certificate cert = (X509Certificate)(FusionInterface.class.getProtectionDomain().getCodeSource().getCodeSigners())[0];
It gives me the error:
/Users/jeffrey/Entelechy/src/entelechy/Protection.java:27: inconvertible types
found: java.security.CodeSigner
required: java.security.cert.X509Certificate
cert = (X509Certificate)(FusionInterface.class.getProtectionDomain().getCodeSource().getCodeSigners())[0];
ChromoXNHa at 2007-7-21 20:04:22 >
# 23
Don't worry about it I figured it out.ChromoXNHa at 2007-7-21 20:04:22 >
# 24
> you can include another jar that deletes another> after a certain timeIf you'd bothered to read the thread you'd have seen some very good reasons for not pursuing that the topic.ejpa at 2007-7-21 20:04:22 >
Core New Topic
Core Hot Topic
- FTP Problem
- RMI cannot connect
- Patrametrized inner interfaces
- Unchecked warning with generics and compareTo
- Changing serialVersionUID of objects serialized in a file.
- Can someone confirm: Annotations are unsuited for preprocessing?
- Asynchroneously closing of NIO socket channels does not work on Linux?
- Access problems with RMI and Applets
Core
All Classified
- Archived Forums
- Enterprise & Remote Computing
- Java Essentials
- Desktop
- Core
- Solaris Operating System
- Security
- Database Connectivity
- Java Mobility Forums
- Web & Directory Servers
- Development Tools
- Application & Integration Servers
- Java HotSpot Virtual Machine
- Other Topics
- E-Mail, Calendar, & Collaboration
- Developer Tools
- General
- Administration Tools
- Sun Hardware
- Storage Forums
- Java Enterprise System
- StarOffice
- Open Source Technologies
- BigAdmin
- Real-Time
- Java Coding