Re: regarding using public key to verify client

ankit <ankit.ankit@...>

Hi Taniguchi,
Thank you for your response. You are right that my application is responsible for verification of the signature. But I just want to know that is there any way where I can put my key files to java build pack with which I am deploying my application on cloud foundry and let my application use those keys from build pack to verify the signature. Because I don’t want to add those key files to my app’s war.

Just like we put cacerts in java buildpack which is used by application, can’t we put the key files in buildpack and use those by our application to verify signature.


From: Noburou TANIGUCHI [via CF Dev] [mailto:ml-node+s70369n2719h10(a)]
Sent: Monday, November 16, 2015 6:09 PM
To: ., Ankit <ankit.ankit(a)>
Subject: Re: regarding using public key to verify client

Hi ankit,

First of all, do you think who is responsible to verify the signature? Your application? Or (one of) the components of Cloud Foundry? I assume the former is your answer. I think there is no functionality in Cloud Foundry to verify client signature.

Then, if you use the Cloud Foundry java-buildpack to deploy your application, I think there is the only one way to send key files with your app on deployment. It is to add your key files to your app's war / jar / zip file, primitively like:

jar uvf your-war-jar-zip-file path-to-your-key-files-or-directories

But you may add a maven / gradle task to do such a thing.

This is because the Cloud Foundry java-buildpack accepts only one zip-format file on a deployment.

# Please correct this post if I am wrong. Thank you.

ankit wrote
Suppose my application is deployed on the cloud foundry and my client sends a POST request that contains some message but that message is digitally signed by client’s private key. So, I need client’s public key(digital id of client) to verify my client for inbound calls in the cloud foundry where application is running. So, can you tell me where can I put these public keys(digital IDs of clients) in java build pack or any other place.
Similarly, for outbound calls I want my message to be digitally signed and for that I need private key to be used. So, where can I put that also?
I'm not a ...
noburou taniguchi

If you reply to this email, your message will be added to the discussion below:
To unsubscribe from regarding using public key to verify client, click here<>.

The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

View this message in context:
Sent from the CF Dev mailing list archive at

Join { to automatically receive all group messages.