jdk-sandbox: comparison src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java

equal deleted inserted replaced

-:643978a35f6e
+:94691d8e746f
 /*
-* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 // Should not happen. User provided alg were checked, and default
 // alg should always be available.
 throw new AssertionError(asae);
 }
-PrintStream ps = new PrintStream(os);
+ZipOutputStream zos = new ZipOutputStream(os);
-ZipOutputStream zos = new ZipOutputStream(ps);
 Manifest manifest = new Manifest();
-Map<String, Attributes> mfEntries = manifest.getEntries();
-// The Attributes of manifest before updating
-Attributes oldAttr = null;
-boolean mfModified = false;
-boolean mfCreated = false;
 byte[] mfRawBytes = null;
 // Check if manifest exists
-ZipEntry mfFile;
+ZipEntry mfFile = getManifestFile(zipFile);
-if ((mfFile = getManifestFile(zipFile)) != null) {
+boolean mfCreated = mfFile == null;
+if (!mfCreated) {
 // Manifest exists. Read its raw bytes.
 mfRawBytes = zipFile.getInputStream(mfFile).readAllBytes();
 manifest.read(new ByteArrayInputStream(mfRawBytes));
-oldAttr = (Attributes) (manifest.getMainAttributes().clone());
 } else {
 // Create new manifest
 Attributes mattr = manifest.getMainAttributes();
 mattr.putValue(Attributes.Name.MANIFEST_VERSION.toString(),
 "1.0");
 String javaVendor = System.getProperty("java.vendor");
 String jdkVersion = System.getProperty("java.version");
 mattr.putValue("Created-By", jdkVersion + " (" + javaVendor
 + ")");
 mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
-mfCreated = true;
 }
 /*
 * For each entry in jar
 * (except for signature-related META-INF entries),
 if (ze.getName().startsWith(META_INF)) {
 // Store META-INF files in vector, so they can be written
 // out first
 mfFiles.addElement(ze);
-if (SignatureFileVerifier.isBlockOrSF(
+String zeNameUp = ze.getName().toUpperCase(Locale.ENGLISH);
-ze.getName().toUpperCase(Locale.ENGLISH))) {
+if (SignatureFileVerifier.isBlockOrSF(zeNameUp)
+// no need to preserve binary manifest portions
+// if the only existing signature will be replaced
+&& !zeNameUp.startsWith(SignatureFile
+.getBaseSignatureFilesName(signerName))) {
 wasSigned = true;
 }
 if (SignatureFileVerifier.isSigningRelated(ze.getName())) {
 // ignore signature-related and manifest files
 }
 if (manifest.getAttributes(ze.getName()) != null) {
 // jar entry is contained in manifest, check and
 // possibly update its digest attributes
-if (updateDigests(ze, zipFile, digests,
+updateDigests(ze, zipFile, digests, manifest);
-manifest)) {
-mfModified = true;
-}
 } else if (!ze.isDirectory()) {
 // Add entry to manifest
 Attributes attrs = getDigestAttributes(ze, zipFile, digests);
-mfEntries.put(ze.getName(), attrs);
+manifest.getEntries().put(ze.getName(), attrs);
-mfModified = true;
+}
 }
-}
+/*
-// Recalculate the manifest raw bytes if necessary
+* Note:
-if (mfModified) {
+*
-ByteArrayOutputStream baos = new ByteArrayOutputStream();
+* The Attributes object is based on HashMap and can handle
+* continuation lines. Therefore, even if the contents are not changed
+* (in a Map view), the bytes that it write() may be different from
+* the original bytes that it read() from. Since the signature is
+* based on raw bytes, we must retain the exact bytes.
+*/
+boolean mfModified;
+ByteArrayOutputStream baos = new ByteArrayOutputStream();
+if (mfCreated || !wasSigned) {
+mfModified = true;
 manifest.write(baos);
-if (wasSigned) {
+mfRawBytes = baos.toByteArray();
-byte[] newBytes = baos.toByteArray();
+} else {
-if (mfRawBytes != null
-&& oldAttr.equals(manifest.getMainAttributes())) {
+// the manifest before updating
+Manifest oldManifest = new Manifest(
-/*
+new ByteArrayInputStream(mfRawBytes));
-* Note:
+mfModified = !oldManifest.equals(manifest);
-*
+if (!mfModified) {
-* The Attributes object is based on HashMap and can handle
+// leave whole manifest (mfRawBytes) unmodified
-* continuation columns. Therefore, even if the contents are
+} else {
-* not changed (in a Map view), the bytes that it write()
+// reproduce the manifest raw bytes for unmodified sections
-* may be different from the original bytes that it read()
+manifest.write(baos);
-* from. Since the signature on the main attributes is based
+byte[] mfNewRawBytes = baos.toByteArray();
-* on raw bytes, we must retain the exact bytes.
+baos.reset();
-*/
+ManifestDigester oldMd = new ManifestDigester(mfRawBytes);
-int newPos = findHeaderEnd(newBytes);
+ManifestDigester newMd = new ManifestDigester(mfNewRawBytes);
-int oldPos = findHeaderEnd(mfRawBytes);
+// main attributes
-if (newPos == oldPos) {
+if (manifest.getMainAttributes().equals(
-System.arraycopy(mfRawBytes, 0, newBytes, 0, oldPos);
+oldManifest.getMainAttributes())
+&& (manifest.getEntries().isEmpty() ||
+oldMd.getMainAttsEntry().isProperlyDelimited())) {
+oldMd.getMainAttsEntry().reproduceRaw(baos);
+} else {
+newMd.getMainAttsEntry().reproduceRaw(baos);
+}
+// individual sections
+for (Map.Entry<String,Attributes> entry :
+manifest.getEntries().entrySet()) {
+String sectionName = entry.getKey();
+Attributes entryAtts = entry.getValue();
+if (entryAtts.equals(oldManifest.getAttributes(sectionName))
+&& oldMd.get(sectionName).isProperlyDelimited()) {
+oldMd.get(sectionName).reproduceRaw(baos);
 } else {
-// cat oldHead newTail > newBytes
+newMd.get(sectionName).reproduceRaw(baos);
-byte[] lastBytes = new byte[oldPos +
-newBytes.length - newPos];
-System.arraycopy(mfRawBytes, 0, lastBytes, 0, oldPos);
-System.arraycopy(newBytes, newPos, lastBytes, oldPos,
-newBytes.length - newPos);
-newBytes = lastBytes;
 }
 }
-mfRawBytes = newBytes;
-} else {
 mfRawBytes = baos.toByteArray();
 }
 }
 // Write out the manifest
 if (mfModified) {
 // manifest file has new length
 mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
 }
 if (handler != null) {
-if (mfCreated) {
+if (mfCreated || !mfModified) {
 handler.accept("adding", mfFile.getName());
-} else if (mfModified) {
+} else {
 handler.accept("updating", mfFile.getName());
 }
 }
 zos.putNextEntry(mfFile);
 zos.write(mfRawBytes);
 // Calculate SignatureFile (".SF") and SignatureBlockFile
 ManifestDigester manDig = new ManifestDigester(mfRawBytes);
 } else {
 signer = Signature.getInstance(sigalg, sigProvider);
 }
 signer.initSign(privateKey);
-ByteArrayOutputStream baos = new ByteArrayOutputStream();
+baos.reset();
 sf.write(baos);
 byte[] content = baos.toByteArray();
 signer.update(content);
 byte[] signature = signer.sign();
 for (int i = 0; i < mfFiles.size(); i++) {
 ZipEntry ze = mfFiles.elementAt(i);
 if (!ze.getName().equalsIgnoreCase(JarFile.MANIFEST_NAME)
 && !ze.getName().equalsIgnoreCase(sfFilename)
 && !ze.getName().equalsIgnoreCase(bkFilename)) {
+if (ze.getName().startsWith(SignatureFile
+.getBaseSignatureFilesName(signerName))
+&& SignatureFileVerifier.isBlockOrSF(ze.getName())) {
+if (handler != null) {
+handler.accept("updating", ze.getName());
+}
+continue;
+}
 if (handler != null) {
 if (manifest.getAttributes(ze.getName()) != null) {
 handler.accept("signing", ze.getName());
 } else if (!ze.isDirectory()) {
 handler.accept("adding", ze.getName());
 try (InputStream is = zf.getInputStream(ze)) {
 is.transferTo(os);
 }
 }
-private boolean updateDigests(ZipEntry ze, ZipFile zf,
+private void updateDigests(ZipEntry ze, ZipFile zf,
 MessageDigest[] digests,
 Manifest mf) throws IOException {
-boolean update = false;
 Attributes attrs = mf.getAttributes(ze.getName());
 String[] base64Digests = getDigests(ze, zf, digests);
 for (int i = 0; i < digests.length; i++) {
 // The entry name to be written into attrs
 // Ignored. Writing new digest entry.
 }
 if (name == null) {
 name = digests[i].getAlgorithm() + "-Digest";
-attrs.putValue(name, base64Digests[i]);
+}
-update = true;
+attrs.putValue(name, base64Digests[i]);
-} else {
+}
-// compare digests, and replace the one in the manifest
-// if they are different
-String mfDigest = attrs.getValue(name);
-if (!mfDigest.equalsIgnoreCase(base64Digests[i])) {
-attrs.putValue(name, base64Digests[i]);
-update = true;
-}
-}
-}
-return update;
 }
 private Attributes getDigestAttributes(
 ZipEntry ze, ZipFile zf, MessageDigest[] digests)
 throws IOException {
 .encodeToString(digests[i].digest());
 }
 return base64Digests;
 }
-@SuppressWarnings("fallthrough")
-private int findHeaderEnd(byte[] bs) {
-// Initial state true to deal with empty header
-boolean newline = true;     // just met a newline
-int len = bs.length;
-for (int i = 0; i < len; i++) {
-switch (bs[i]) {
-case '\r':
-if (i < len - 1 && bs[i + 1] == '\n') i++;
-// fallthrough
-case '\n':
-if (newline) return i + 1;    //+1 to get length
-newline = true;
-break;
-default:
-newline = false;
-}
-}
-// If header end is not found, it means the MANIFEST.MF has only
-// the main attributes section and it does not end with 2 newlines.
-// Returns the whole length so that it can be completely replaced.
-return len;
-}
 /*
 * Try to load the specified signing mechanism.
 * The URL class loader is used.
 */
 @SuppressWarnings("deprecation")
 md.manifestDigest(digest)));
 }
 }
 // create digest of the manifest main attributes
-ManifestDigester.Entry mde =
+ManifestDigester.Entry mde = md.getMainAttsEntry(false);
-md.get(ManifestDigester.MF_MAIN_ATTRS, false);
 if (mde != null) {
-for (MessageDigest digest: digests) {
+for (MessageDigest digest : digests) {
-mattr.putValue(digest.getAlgorithm() +
+mattr.putValue(digest.getAlgorithm() + "-Digest-" +
-"-Digest-" + ManifestDigester.MF_MAIN_ATTRS,
+ManifestDigester.MF_MAIN_ATTRS,
-Base64.getEncoder().encodeToString(
+Base64.getEncoder().encodeToString(mde.digest(digest)));
-mde.digest(digest)));
 }
 } else {
 throw new IllegalStateException
 ("ManifestDigester failed to create " +
 "Manifest-Main-Attribute entry");
 // Write .SF file
 public void write(OutputStream out) throws IOException {
 sf.write(out);
 }
+private static String getBaseSignatureFilesName(String baseName) {
+return "META-INF/" + baseName + ".";
+}
 // get .SF file name
 public String getMetaName() {
-return "META-INF/" + baseName + ".SF";
+return getBaseSignatureFilesName(baseName) + "SF";
 }
 // get .DSA (or .DSA, .EC) file name
 public String getBlockName(PrivateKey privateKey) {
 String keyAlgorithm = privateKey.getAlgorithm();
-return "META-INF/" + baseName + "." + keyAlgorithm;
+return getBaseSignatureFilesName(baseName) + keyAlgorithm;
 }
 // Generates the PKCS#7 content of block file
 @SuppressWarnings("deprecation")
 public byte[] generateBlock(ContentSignerParameters params,

changeset 57488	94691d8e746f
parent 48760	25725c11c296