jdk-sandbox: comparison jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java

equal deleted inserted replaced

-:f4298bc3f4b6
+:469cd39a25de
 (Locale.ENGLISH);
 /** the PKCS7 block for this .DSA/.RSA/.EC file */
 private PKCS7 block;
-// the content of the raw .SF file as an InputStream
+/** the raw bytes of the .SF file */
-private InputStream sfStream;
+private byte sfBytes[];
 /** the name of the signature block file, uppercased and without
 *  the extension (.DSA/.RSA/.EC)
 */
 private String name;
 /** the ManifestDigester */
 private ManifestDigester md;
-/** The MANIFEST.MF */
-private Manifest man;
 /** cache of created MessageDigest objects */
 private HashMap<String, MessageDigest> createdDigests;
 /* workaround for parsing Netscape jars  */
 private boolean workaround = false;
 * @param name the name of the signature block file (.DSA/.RSA/.EC)
 *
 * @param rawBytes the raw bytes of the signature block file
 */
 public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache,
-Manifest man,
 ManifestDigester md,
 String name,
 byte rawBytes[])
 throws IOException, CertificateException
 {
 // need to use local providers here, see Providers class
 Object obj = null;
 try {
 obj = Providers.startJarVerification();
 block = new PKCS7(rawBytes);
-byte[] contentData = block.getContentInfo().getData();
+sfBytes = block.getContentInfo().getData();
-if (contentData != null) {
-sfStream = new ByteArrayInputStream(contentData);
-}
 certificateFactory = CertificateFactory.getInstance("X509");
 } finally {
 Providers.stopJarVerification(obj);
 }
 this.name = name.substring(0, name.lastIndexOf("."))
 .toUpperCase(Locale.ENGLISH);
-this.man = man;
 this.md = md;
 this.signerCache = signerCache;
 }
 /**
 * returns true if we need the .SF file
 */
-public boolean needSignatureFile()
+public boolean needSignatureFileBytes()
 {
-return sfStream == null;
-}
+return sfBytes == null;
+}
-public void setSignatureFile(InputStream ins) {
-this.sfStream = ins;
+/**
+* returns true if we need this .SF file.
+*
+* @param name the name of the .SF file without the extension
+*
+*/
+public boolean needSignatureFile(String name)
+{
+return this.name.equalsIgnoreCase(name);
+}
+/**
+* used to set the raw bytes of the .SF file when it
+* is external to the signature block file.
+*/
+public void setSignatureFile(byte sfBytes[])
+{
+this.sfBytes = sfBytes;
 }
 /**
 * Utility method used by JarVerifier and JarSigner
 * to determine the signature file names and PKCS7 block
 * @param s file name
 * @return true if the input file name is a supported
 *          Signature File or PKCS7 block file name
 */
 public static boolean isBlockOrSF(String s) {
-return s.endsWith(".SF") || isBlock(s);
+// we currently only support DSA and RSA PKCS7 blocks
-}
+if (s.endsWith(".SF") || s.endsWith(".DSA") ||
+s.endsWith(".RSA") || s.endsWith(".EC")) {
-/**
+return true;
-* Utility method used by JarVerifier to determine PKCS7 block
+}
-* files names that are supported
+return false;
-*
-* @param s file name
-* @return true if the input file name is a PKCS7 block file name
-*/
-public static boolean isBlock(String s) {
-return s.endsWith(".DSA") || s.endsWith(".RSA") || s.endsWith(".EC");
 }
 /** get digest from cache */
 private MessageDigest getDigest(String algorithm)
 * and adds code signers for each section where the .SF section
 * hash was verified against the Manifest section.
 *
 *
 */
-public void process(Map<String, CodeSigner[]> signers,
+public void process(Hashtable<String, CodeSigner[]> signers,
 List manifestDigests)
 throws IOException, SignatureException, NoSuchAlgorithmException,
 JarException, CertificateException
 {
 // calls Signature.getInstance() and MessageDigest.getInstance()
 Providers.stopJarVerification(obj);
 }
 }
-private void processImpl(Map<String, CodeSigner[]> signers,
+private void processImpl(Hashtable<String, CodeSigner[]> signers,
 List manifestDigests)
 throws IOException, SignatureException, NoSuchAlgorithmException,
 JarException, CertificateException
 {
-SignatureFileManifest sf = new SignatureFileManifest();
+Manifest sf = new Manifest();
-InputStream ins = sfStream;
+sf.read(new ByteArrayInputStream(sfBytes));
-byte[] buffer = new byte[4096];
+String version =
-int sLen = block.getSignerInfos().length;
+sf.getMainAttributes().getValue(Attributes.Name.SIGNATURE_VERSION);
-boolean mainOK = false;         // main attributes of SF is available...
-boolean manifestSigned = false; // and it matches MANIFEST.MF
+if ((version == null) || !(version.equalsIgnoreCase("1.0"))) {
-BASE64Decoder decoder = new BASE64Decoder();
+// XXX: should this be an exception?
+// for now we just ignore this signature file
-PKCS7.PKCS7Verifier[] pvs = new PKCS7.PKCS7Verifier[sLen];
+return;
-for (int i=0; i<sLen; i++) {
+}
-pvs[i] = PKCS7.PKCS7Verifier.from(block, block.getSignerInfos()[i]);
-}
+SignerInfo[] infos = block.verify(sfBytes);
-/*
+if (infos == null) {
-* Verify SF in streaming mode. The chunks of the file are fed into
-* the Manifest object sf and all PKCS7Verifiers. As soon as the main
-* attributes is available, we'll check if manifestSigned is true. If
-* yes, there is no need to fill in sf's entries field, since it should
-* be identical to entries in man.
-*/
-while (true) {
-int len = ins.read(buffer);
-if (len < 0) {
-if (!manifestSigned) {
-sf.update(null, 0, 0);
-}
-break;
-} else {
-for (int i=0; i<sLen; i++) {
-if (pvs[i] != null) pvs[i].update(buffer, 0, len);
-}
-// Continue reading if verifyManifestHash fails (or, the
-// main attributes is not available yet)
-if (!manifestSigned) {
-sf.update(buffer, 0, len);
-if (!mainOK) {
-try {
-Attributes attr = sf.getMainAttributes();
-String version = attr.getValue(
-Attributes.Name.SIGNATURE_VERSION);
-if ((version == null) ||
-!(version.equalsIgnoreCase("1.0"))) {
-// XXX: should this be an exception?
-// for now we just ignore this signature file
-return;
-}
-mainOK = true;
-manifestSigned = verifyManifestHash(
-sf, md, decoder, manifestDigests);
-} catch (IllegalStateException ise) {
-// main attributes not available yet
-}
-}
-}
-}
-}
-List<SignerInfo> intResult = new ArrayList<>(sLen);
-for (int i = 0; i < sLen; i++) {
-if (pvs[i] != null) {
-SignerInfo signerInfo = pvs[i].verify();
-if (signerInfo != null) {
-intResult.add(signerInfo);
-}
-}
-}
-if (intResult.isEmpty()) {
 throw new SecurityException("cannot verify signature block file " +
 name);
 }
-SignerInfo[] infos =
+BASE64Decoder decoder = new BASE64Decoder();
-intResult.toArray(new SignerInfo[intResult.size()]);
 CodeSigner[] newSigners = getSigners(infos, block);
 // make sure we have something to do all this work for...
 if (newSigners == null)
 return;
+Iterator<Map.Entry<String,Attributes>> entries =
+sf.getEntries().entrySet().iterator();
+// see if we can verify the whole manifest first
+boolean manifestSigned = verifyManifestHash(sf, md, decoder, manifestDigests);
 // verify manifest main attributes
 if (!manifestSigned && !verifyManifestMainAttrs(sf, md, decoder)) {
 throw new SecurityException
 ("Invalid signature file digest for Manifest main attributes");
 }
-Iterator<Map.Entry<String,Attributes>> entries;
+// go through each section in the signature file
-if (manifestSigned) {
-if (debug != null) {
-debug.println("full manifest signature match, "
-+ "update signer info from MANIFEST.MF");
-}
-entries = man.getEntries().entrySet().iterator();
-} else {
-if (debug != null) {
-debug.println("full manifest signature unmatch, "
-+ "update signer info from SF file");
-}
-entries = sf.getEntries().entrySet().iterator();
-}
-// go through each section
 while(entries.hasNext()) {
 Map.Entry<String,Attributes> e = entries.next();
 String name = e.getKey();
 if (manifestSigned ||
 (verifySection(e.getValue(), name, md, decoder))) {
 if (name.startsWith("./"))
 name = name.substring(2);
 if (name.startsWith("/"))
 {
 // check for the same object
 if (set == subset)
 return true;
+boolean match;
 for (int i = 0; i < subset.length; i++) {
 if (!contains(set, subset[i]))
 return false;
 }
 return true;
 CodeSigner[] newSigners) {
 // special case
 if ((oldSigners == null) && (signers == newSigners))
 return true;
+boolean match;
 // make sure all oldSigners are in signers
 if ((oldSigners != null) && !isSubSet(oldSigners, signers))
 return false;
 }
 return true;
 }
 void updateSigners(CodeSigner[] newSigners,
-Map<String, CodeSigner[]> signers, String name) {
+Hashtable<String, CodeSigner[]> signers, String name) {
 CodeSigner[] oldSigners = signers.get(name);
 // search through the cache for a match, go in reverse order
 // as we are more likely to find a match with the last one

changeset 9365	469cd39a25de
parent 9248	44d129a2adfa
child 10336	0bb1999251f8