SignatureFileVerifier.java revision 6336
 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any

/* Are we debugging ? */

/* cache of CodeSigner objects */

/** the PKCS7 block for this .DSA/.RSA/.EC file */

/** the raw bytes of the .SF file */

/** the name of the signature block file, uppercased and without
 * the extension (.DSA/.RSA/.EC)

/** the ManifestDigester */

/** cache of created MessageDigest objects */

/* workaround for parsing Netscape jars */

/* for generating certpath objects */

 * Create the named SignatureFileVerifier.
 * @param name the name of the signature block file (.DSA/.RSA/.EC)
 * @param rawBytes the raw bytes of the signature block file

// new PKCS7() calls CertificateFactory.getInstance()
// need to use local providers here, see Providers class

 * returns true if we need the .SF file

 * returns true if we need this .SF file.
 * @param name the name of the .SF file without the extension

 * used to set the raw bytes of the .SF file when it
 * is external to the signature block file.

 * Utility method used by JarVerifier and JarSigner
 * to determine the signature file names and PKCS7 block
 * files names that are supported
 * @param s file name
 * @return true if the input file name is a supported
 * Signature File or PKCS7 block file name

// we currently only support DSA and RSA PKCS7 blocks

/** get digest from cache */

 * process the signature block file. Goes through the .SF file
 * and adds code signers for each section where the .SF section
 * hash was verified against the Manifest section.

// calls Signature.getInstance() and MessageDigest.getInstance()
// need to use local providers here, see Providers class

// XXX: should this be an exception?
// for now we just ignore this signature file

// make sure we have something to do all this work for...

// see if we can verify the whole manifest first

// verify manifest main attributes
(
"Invalid signature file digest for Manifest main attributes");
// go through each section in the signature file

// MANIFEST.MF is always regarded as signed

 * See if the whole manifest was signed.

// go through all the attributes and process *-Digest-Manifest entries
// 16 is length of "-Digest-Manifest"
//XXX: we will continue and verify each section

// go through all the attributes and process
// digest entries for the manifest main attributes
"Manifest Main Attributes digest " +
// we will *not* continue and verify each section
"Manifest main attributes failed");
// this method returns 'true' if either:
// . manifest main attributes were not signed, or
// . manifest main attributes were signed and verified

 * given the .SF digest header, and the data from the
 * section in the manifest, see if the hashes match.
 * if not, throw a SecurityException.
 * @return true if all the -Digest headers verified
 * @exception SecurityException if the hash was not equal

"no manifiest section for signature file entry "+
name);
//sun.misc.HexDumpEncoder hex = new sun.misc.HexDumpEncoder();
//hex.encodeBuffer(data, System.out);

// go through all the attributes and process *-Digest entries
// 7 is length of "-Digest"

// attempt to fallback to the workaround
" signature file digest for " +
name);
 * Given the PKCS7 block and SignerInfo[], create an array of
 * CodeSigner objects. We do this only *once* for a given
 * signature block file.

// Append the new code signer

 * Examines a signature timestamp token to generate a timestamp object.
 * Examines the signer's unsigned attributes for a
 * <tt>signatureTimestampToken</tt> attribute. If present,
 * then it is parsed to extract the date and time at which the
 * timestamp was generated.
 * @param info A signer information element of a PKCS 7 block.
 * @return A timestamp token or null if none is present.
 * @throws IOException if an error is encountered while parsing the
 * @throws NoSuchAlgorithmException if an error is encountered while
 * verifying the PKCS7 object.
 * @throws SignatureException if an error is encountered while
 * verifying the PKCS7 object.
 * @throws CertificateException if an error is encountered while generating
 * the TSA's certpath.

// Extract the signer's unsigned attributes
// Extract the content (an encoded timestamp token info)
// Extract the signer (the Timestamping Authority)
// while verifying the content
// Expect only one signer
// Create a timestamp token info object
// Check that the signature timestamp applies to this signature
// Create a timestamp object

 * Check that the signature timestamp applies to this signature.
 * Match the hash present in the signature timestamp token against the hash

// for the toHex function
{ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
 * convert a byte array to a hex string for debugging purposes
 * @param data the binary data to be converted to a hex string
 * @return an ASCII hex string

// returns true if set contains signer

// returns true if subset is a subset of set
// check for the same object

 * returns true if signer contains exactly the same code signers as
 * oldSigner and newSigner, false otherwise. oldSigner
 * is allowed to be null.

// make sure all oldSigners are in signers
// make sure all newSigners are in signers
// now make sure all the code signers in signers are
// also in oldSigners or newSigners

// search through the cache for a match, go in reverse order
// as we are more likely to find a match with the last one
// added to the cache