I'd like to ensure my Java Jar is only run using a JDK I've provided. I can't find a good way to stop / restrict the program if another JDK is being used to run it.

An idea I have is to hash a file from the JDK and perform a checksum within the Jar. But I'm not sure if this is the best way.

I'm not looking for `System.getProperty("java.version")` as a solution, because multiple JDKs with the same version exist and it doesn't reveal if the JDK has been altered.

  • Trivial to check the version and exit (or not). Why would you want to though? – g00se Sep 15 '22 at 17:52
  • @g00se I want to make sure it's exactly the JDK I've provided for security reasons such as a customized cacerts file. Furthermore, there are multiple different JDKs with the same Java version. – Guiigiugi Ojhuihiuhi Sep 15 '22 at 17:56
  • *for security reasons* can you explain in detail? – Jens Sep 15 '22 at 17:59
  • @Jens Sure, in Java, the cacerts file is used to determine if an SSL certificate is trusted. If the cacerts file is adjusted to trust an untrustworthy certificate, SSL can be compromised. Furthermore, there are other alterations an attacker can do via a customized JDK such as recording passwords typed by a user, etc. – Guiigiugi Ojhuihiuhi Sep 15 '22 at 18:01
  • That might be the case but it doesn't have a lot to do with the runtime version – g00se Sep 15 '22 at 18:04
  • Your requirement sounds strange. But what you want is that the cacerts file cannot be changed. Not the JDK itself. So maybe you should read all certificates and stop if there is one you do not know – Jens Sep 15 '22 at 18:05
  • @g00se I'm not looking to check for specific runtime versions. I'm looking to ensure the JDK provided to users of the program is the only JDK that can be used. And, I am looking to prevent the JDK from being altered. – Guiigiugi Ojhuihiuhi Sep 15 '22 at 18:06
  • @Jens I'm trying to ensure that the exact JDK provided to users is the only JDK that can be used to run the application. Cacerts is just one of the reasons why. – Guiigiugi Ojhuihiuhi Sep 15 '22 at 18:07
  • But in the scenario you described is the cacerts the only file which has to be secured – Jens Sep 15 '22 at 18:09
  • Maybe this helps: https://stackoverflow.com/questions/13996547/how-do-i-bundle-a-jre-into-an-exe-for-a-java-application-launch4j-says-runtime – Jens Sep 15 '22 at 18:11
  • @Jens It is not the only file. Is there a way to perform a checksum on the entire JDK? – Guiigiugi Ojhuihiuhi Sep 15 '22 at 18:12
  • https://stackoverflow.com/questions/31452742/generate-checksum-for-a-directory-in-windows – Jens Sep 15 '22 at 18:13
  • Not sure if a JVM instance has a uid but you could build your own JVM and include one – g00se Sep 15 '22 at 19:34
  • When you bundle the application with a JDK using `jlink`, it will run only with that JDK. – Holger Sep 16 '22 at 06:53
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Sep 16 '22 at 08:20
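
The checksum idea from the question, extended to the whole-JDK checksum asked about in the comments, as an added example (not code from any participant in this thread). It assumes Java 17+ for `HexFormat`; the class name `RuntimeImageCheck` and the `EXPECTED` placeholder are hypothetical.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.TreeMap;
import java.util.stream.Stream;

public class RuntimeImageCheck {
    // Placeholder: run once with --print on the runtime image you ship and pin the value here.
    static final String EXPECTED = "<sha256-of-shipped-runtime-image>";

    static String sha256(Path file) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
            in.transferTo(OutputStream.nullOutputStream()); // stream: lib/modules is large
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // Digest of a sorted "<file hash>  <relative path>\n" manifest over every regular file.
    static String digestTree(Path root) throws Exception {
        TreeMap<String, Path> files = new TreeMap<>(); // keyed by normalised relative path
        try (Stream<Path> walk = Files.walk(root)) {
            walk.filter(Files::isRegularFile)
                .forEach(p -> files.put(root.relativize(p).toString().replace('\\', '/'), p));
        }
        MessageDigest manifest = MessageDigest.getInstance("SHA-256");
        for (var e : files.entrySet()) {
            String line = sha256(e.getValue()) + "  " + e.getKey() + "\n";
            manifest.update(line.getBytes(StandardCharsets.UTF_8));
        }
        return HexFormat.of().formatHex(manifest.digest());
    }

    public static void main(String[] args) throws Exception {
        // java.home is the directory of the runtime executing this code (includes lib/security/cacerts).
        Path javaHome = Path.of(System.getProperty("java.home")).toRealPath();
        String actual = digestTree(javaHome);
        if (args.length > 0 && args[0].equals("--print")) {
            System.out.println(actual);
            return;
        }
        if (!actual.equals(EXPECTED)) {
            System.err.println("Runtime at " + javaHome + " is not the shipped image; exiting.");
            System.exit(1);
        }
        System.out.println("Runtime image digest matches.");
    }
}
```

The check executes on the runtime it is measuring, so it detects a swapped or edited installation (a changed cacerts file, for instance) but cannot be trusted if the JVM binary itself has been modified to misreport. Running the same digest from a launcher outside the JVM closes that gap further.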
