SignedObject(Serializable object, PrivateKey signingKey, Signature signingEngine)

Is it safe to serialize and deliver this object to a client application? Is there a way that they might get hold of the PrivateKey through reflection?

I want to use this object to hold a digital signature as well as the data that was signed.

+1  A: 

The serialized objects include only the object itself and the signature (and the algorithm used for signing purposes), as noted here:

http://java.sun.com/j2se/1.4.2/docs/api/serialized-form.html#java.security.SignedObject

As a result, it is safe to pass these around. Not only can the private key not be determined through that object alone, but it also cannot be tampered with along the way, so the object will remain trusted (so long as the client verifies it).

Shirik
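As an added example (not code from either answer or from the question), the following Java program exercises the points made above: it signs a small payload with a private key, serializes the SignedObject, lists the fields the class actually carries by reflection (which mirrors the linked serialized-form page), checks that the private key's encoding is nowhere in the wire bytes, verifies the object on the "client" side with the public key only, and shows that flipping one byte of the signed content makes verify() fail. The Order class, the account string, the use of SHA256withRSA and a 2048-bit RSA key pair are all assumptions chosen for the demo, not anything from the original post.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignedObjectDemo {

    /** Constructed sample payload for the demo (not from the original post). */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String account;
        final long amountCents;
        Order(String account, long amountCents) { this.account = account; this.amountCents = amountCents; }
        @Override public String toString() { return account + ":" + amountCents; }
    }

    /** Server side: sign the payload with the private key and serialize the SignedObject for transport. */
    static byte[] signAndSerialize(Serializable payload, KeyPair kp) throws Exception {
        Signature engine = Signature.getInstance("SHA256withRSA"); // assumed algorithm
        SignedObject so = new SignedObject(payload, kp.getPrivate(), engine);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(so);
        }
        return bos.toByteArray();
    }

    /** Client side: deserialize, verify with the public key only, and unwrap the payload. */
    static Order deserializeAndVerify(byte[] wire, PublicKey pub) throws Exception {
        SignedObject so;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            so = (SignedObject) ois.readObject();
        }
        Signature engine = Signature.getInstance(so.getAlgorithm());
        if (!so.verify(pub, engine)) {
            throw new SecurityException("signature does not verify; rejecting payload");
        }
        // Only after verify() passes do we deserialize the wrapped content.
        return (Order) so.getObject();
    }

    /** Naive byte-array substring search, used for the checks below. Returns -1 if absent. */
    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] wire = signAndSerialize(new Order("acct-42", 1000), kp);

        // What reflection can reach: the declared fields of SignedObject, by type and name.
        System.out.println("Declared fields of SignedObject:");
        for (Field f : SignedObject.class.getDeclaredFields()) {
            System.out.println("  " + f.getType().getSimpleName() + " " + f.getName());
        }

        // The private key's encoded form must not appear anywhere in the serialized bytes.
        byte[] privEncoded = kp.getPrivate().getEncoded();
        System.out.println("Private key encoding found in wire bytes: " + (indexOf(wire, privEncoded) >= 0));

        // Happy path: the client verifies with the public key and unwraps the payload.
        System.out.println("Verified payload: " + deserializeAndVerify(wire, kp.getPublic()));

        // Tamper with the signed content in transit: "acct-42" -> "acct-92" keeps the stream
        // well-formed (same length) but must be caught by verify().
        byte[] tampered = wire.clone();
        int at = indexOf(tampered, "acct-42".getBytes(StandardCharsets.UTF_8));
        if (at < 0) throw new IllegalStateException("payload string not found in wire bytes");
        tampered[at + 5] = (byte) '9';
        try {
            deserializeAndVerify(tampered, kp.getPublic());
            System.out.println("BUG: tampered object was accepted");
        } catch (SecurityException e) {
            System.out.println("Tampered copy rejected: " + e.getMessage());
        }
    }
}
```

Two things the program makes visible that the answer only states: the reflection listing shows the signing key is not held by the object at all (there is nothing for reflection to extract, on either the server or the client copy), and the integrity guarantee is only as good as the client calling verify() before trusting getObject(). Note that the client still deserializes an ObjectInputStream it received from the network in order to reach verify() at all, so the usual care with untrusted Java serialization input applies on top of the signature check.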
A: 

You can find more info about Java security here:

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html

Thiago Diniz