
Is it possible to check whether a given Java binary was compiled from a given source code?

Currently I have a project that was built by a vendor (WAR files). The source code of this project will be released in a few months, but my superiors are asking me how we can know whether the WAR files we deployed in production were generated from the source code that will be provided to us in the future.

The vendor is suggesting using pkgdiff, but I am not sure whether this checks the implementation of the methods rather than just the method signatures.

Can anyone suggest any methods or tools to ensure that the given source code is the one used to make the binaries (Java WAR files)?

Also, I read this question: How to check if binaries are built from particular sources. Is the accepted answer the only real option to be 100% sure?

Thanks.

Jefrey Valencia
  • Have you considered having them just provide the source code and then you compile/deploy yourself? – Brian Knoblauch Oct 10 '18 at 12:38
  • You mean to say you deployed something in production while it isn't a fixed (released) version??? – Stultuske Oct 10 '18 at 12:39
  • Have you tried JD-GUI? http://jd.benow.ca/ – pavithraCS Oct 10 '18 at 12:39
  • @Brian Hi, thanks for your comment. Unfortunately that is currently not possible, as they are renegotiating payment terms and will not release the source code until the negotiation is finished. – Jefrey Valencia Oct 10 '18 at 12:42
  • Can always hash your current war, then when the source is released, compile the new source and hash that. If the two hashes match you have their version. – locus2k Oct 10 '18 at 12:53
  • @ Stultuske Hi, thanks for your comment. The project is currently winding down, but the vendor is not yet releasing the source code until their negotiations with my company are finished. – Jefrey Valencia Oct 10 '18 at 12:55
  • @ jd.benow.ca Hi, thanks for the comment. No, I have never heard of that tool before; I will see if it can be used. – Jefrey Valencia Oct 10 '18 at 12:56
  • @JefreyValencia you said you already use it in production. Either it is the same version, and nothing changed, or something changed and it isn't the same version anymore. – Stultuske Oct 10 '18 at 13:02
  • @locus2k Hi, thanks for the comment. Really, would that be enough? I hope it is as simple as that. I can program in Java, but I am currently at a loss on the intricacies of how the code is compiled. I will try to do some tests using a sample project to see if this will work. Thanks!!! – Jefrey Valencia Oct 10 '18 at 13:02
  • Hi @Stultuske, thanks for your time. Yes, we currently have the WAR files in PRD, but the source code will be released to us in the future. We would just like to be sure that the source code that will be given to us will produce the same WAR file we have now. Unfortunately, this approach is new to me, as I usually build the binaries from the source, so I am not sure whether source code compiled at different times or on a different OS (but assuming the same Java configuration) will generate the same file. – Jefrey Valencia Oct 10 '18 at 13:11

1 Answer


Try unpacking the war file and using the javap tool; compare the MD5 checksum from the output of each pair of .class files.

javap -sysinfo orig/src/com/example/ClassA.class local/src/com/example/ClassA.class | grep MD5
MD5 checksum abd302fa751dd9a6e86b18674397140a
MD5 checksum abd302fa751dd9a6e86b18674397140a

Checksum of compiled code should be the same. With a shell script you could do something like:

javap -sysinfo ../ClassA.class ClassA.class | \
gawk '/^Classfile/ { cn[++n] = $0 } /MD5 checksum/ { md[n] = $0; h[n] = $3 } END { if (n == 2 && h[1] == h[2]) print "OK!", cn[1], md[1], md[2]; else print "Failed", cn[1], md[1], md[2] }'

Result:

OK! Classfile /home/luis/tmp/ClassA.class   MD5 checksum abd302fa751dd9a6e86b18674397140a   MD5 checksum abd302fa751dd9a6e86b18674397140a

Or log failures instead:

Failed Classfile /home/luis/tmp/ClassA.class   MD5 checksum abd302fa751dd9a6e86b18674397140a   MD5 checksum abd302fa751dd9a6e86b18674397140a
LMC
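The question asks how to confirm that a deployed WAR was built from source that arrives later, and the answer above compares javap's per-class MD5 checksums by hand. The following Python script is an added example (not code from the question, the answer, or any vendor tool) that applies the same per-class comparison to every .class entry in two archives at once. The archive contents, entry paths and "class" bytes it uses are constructed placeholders, not real compiled classes; hashlib.md5 over the entry bytes produces the same value that javap -sysinfo prints, so a result here can be cross-checked against that tool. It also shows why hashing the whole WAR (as one comment suggests) is fragile: zip entries carry timestamps, so two archives with byte-identical classes built at different times hash differently as a whole while every class inside still matches.

```python
"""Compare the .class entries of two WAR (zip) files by content hash.

Added example, not code from the original answer. It applies the same idea
as javap -sysinfo (hash each compiled class) to every class in two archives,
and ignores zip metadata such as entry timestamps, which differ between
builds even when the class bytes are identical.
"""
import hashlib
import io
import zipfile


def class_digests(war_bytes: bytes) -> dict:
    """Map each .class entry path inside the archive to the MD5 of its bytes.

    MD5 is used because it is the digest javap -sysinfo prints, so results
    can be cross-checked against that tool; it is a fingerprint for
    comparison here, not a security control.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                digests[name] = hashlib.md5(zf.read(name)).hexdigest()
    return digests


def compare_wars(deployed: bytes, rebuilt: bytes) -> dict:
    """Return which classes match, differ, or exist in only one archive."""
    a, b = class_digests(deployed), class_digests(rebuilt)
    return {
        "same": sorted(n for n in a if n in b and a[n] == b[n]),
        "differ": sorted(n for n in a if n in b and a[n] != b[n]),
        "only_deployed": sorted(set(a) - set(b)),
        "only_rebuilt": sorted(set(b) - set(a)),
    }


def whole_archive_hashes_match(deployed: bytes, rebuilt: bytes) -> bool:
    """Hash of the entire WAR file; sensitive to entry timestamps, not only content."""
    return hashlib.sha256(deployed).digest() == hashlib.sha256(rebuilt).digest()


def build_war(entries: dict, mtime: tuple) -> bytes:
    """Build an in-memory zip from {path: bytes} with one fixed entry mtime.

    Constructed helper for the demo; the entry contents are placeholder bytes,
    not real compiled classes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            info = zipfile.ZipInfo(path, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample archives. CLASS_A/CLASS_B are placeholder bytes, not bytecode.
CLASS_A = b"\xca\xfe\xba\xbe" + b"ClassA-placeholder"
CLASS_B = b"\xca\xfe\xba\xbe" + b"ClassB-placeholder"
DEPLOYED_ENTRIES = {
    "WEB-INF/classes/com/example/ClassA.class": CLASS_A,
    "WEB-INF/classes/com/example/ClassB.class": CLASS_B,
    "WEB-INF/web.xml": b"<web-app/>",
}
# What is running in production.
DEPLOYED_WAR = build_war(DEPLOYED_ENTRIES, mtime=(2018, 1, 1, 0, 0, 0))
# Same classes, packaged months later: whole-file hash differs, classes do not.
SAME_CONTENT_LATER = build_war(DEPLOYED_ENTRIES, mtime=(2018, 10, 10, 12, 0, 0))
# A rebuild where one class changed and one class was added.
REBUILT_WAR = build_war(
    {
        "WEB-INF/classes/com/example/ClassA.class": CLASS_A,
        "WEB-INF/classes/com/example/ClassB.class": CLASS_B + b"-patched",
        "WEB-INF/classes/com/example/ClassC.class": b"\xca\xfe\xba\xbe" + b"ClassC",
        "WEB-INF/web.xml": b"<web-app/>",
    },
    mtime=(2018, 10, 10, 12, 0, 0),
)

if __name__ == "__main__":
    print("whole-file hash, same classes repackaged later:",
          whole_archive_hashes_match(DEPLOYED_WAR, SAME_CONTENT_LATER))
    for key, names in compare_wars(DEPLOYED_WAR, SAME_CONTENT_LATER).items():
        print(f"  {key}: {names}")
    print("per-class comparison against the changed rebuild:")
    for key, names in compare_wars(DEPLOYED_WAR, REBUILT_WAR).items():
        print(f"  {key}: {names}")
```

Two caveats when reading a report from real archives: javac output is deterministic for the same compiler version and options, but a different javac release or different -g debug settings can change class bytes even from identical source, so a "differ" entry calls for inspecting the pair with javap -c before treating it as a content change; and matching classes say nothing about the non-class resources in the WAR (web.xml, JSPs, properties files), which should be compared by hash the same way.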