jdk-sandbox: src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java@258dc79d2265 (annotated)

33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1	/*
45118 e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory ihse parents: 42685 diff changeset	2	* Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	4	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	10	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	15	* accompanied this code).
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	16	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	20	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	23	* questions.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	24	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	25
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	26	package jdk.security.jarsigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	27
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	28	import com.sun.jarsigner.ContentSigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	29	import com.sun.jarsigner.ContentSignerParameters;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	30	import sun.security.tools.PathList;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	31	import sun.security.tools.jarsigner.TimestampedSigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	32	import sun.security.util.ManifestDigester;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	33	import sun.security.util.SignatureFileVerifier;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	34	import sun.security.x509.AlgorithmId;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	35
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	36	import java.io.*;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	37	import java.net.SocketTimeoutException;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	38	import java.net.URI;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	39	import java.net.URL;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	40	import java.net.URLClassLoader;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	41	import java.security.*;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	42	import java.security.cert.CertPath;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	43	import java.security.cert.Certificate;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	44	import java.security.cert.CertificateException;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	45	import java.security.cert.X509Certificate;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	46	import java.util.*;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	47	import java.util.function.BiConsumer;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	48	import java.util.jar.Attributes;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	49	import java.util.jar.JarEntry;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	50	import java.util.jar.JarFile;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	51	import java.util.jar.Manifest;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	52	import java.util.zip.ZipEntry;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	53	import java.util.zip.ZipFile;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	54	import java.util.zip.ZipOutputStream;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	55
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	56	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	57	* An immutable utility class to sign a jar file.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	58	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	59	* A caller creates a {@code JarSigner.Builder} object, (optionally) sets
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	60	* some parameters, and calls {@link JarSigner.Builder#build build} to create
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	61	* a {@code JarSigner} object. This {@code JarSigner} object can then
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	62	* be used to sign a jar file.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	63	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	64	* Unless otherwise stated, calling a method of {@code JarSigner} or
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	65	* {@code JarSigner.Builder} with a null argument will throw
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	66	* a {@link NullPointerException}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	67	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	68	* Example:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	69	* <pre>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	70	* JarSigner signer = new JarSigner.Builder(key, certPath)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	71	* .digestAlgorithm("SHA-1")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	72	* .signatureAlgorithm("SHA1withDSA")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	73	* .build();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	74	* try (ZipFile in = new ZipFile(inputFile);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	75	* FileOutputStream out = new FileOutputStream(outputFile)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	76	* signer.sign(in, out);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	77	* }
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	78	* </pre>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	79	*
35302 e4d2275861c3 8136494: Update "@since 1.9" to "@since 9" to match java.version.specification iris parents: 34894 diff changeset	80	* @since 9
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	81	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	82	public final class JarSigner {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	83
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	84	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	85	* A mutable builder class that can create an immutable {@code JarSigner}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	86	* from various signing-related parameters.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	87	*
35302 e4d2275861c3 8136494: Update "@since 1.9" to "@since 9" to match java.version.specification iris parents: 34894 diff changeset	88	* @since 9
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	89	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	90	public static class Builder {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	91
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	92	// Signer materials:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	93	final PrivateKey privateKey;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	94	final X509Certificate[] certChain;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	95
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	96	// JarSigner options:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	97	// Support multiple digestalg internally. Can be null, but not empty
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	98	String[] digestalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	99	String sigalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	100	// Precisely should be one provider for each digestalg, maybe later
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	101	Provider digestProvider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	102	Provider sigProvider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	103	URI tsaUrl;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	104	String signerName;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	105	BiConsumer<String,String> handler;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	106
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	107	// Implementation-specific properties:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	108	String tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	109	String tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	110	boolean signManifest = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	111	boolean externalSF = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	112	String altSignerPath;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	113	String altSigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	114
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	115	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	116	* Creates a {@code JarSigner.Builder} object with
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	117	* a {@link KeyStore.PrivateKeyEntry} object.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	118	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	119	* @param entry the {@link KeyStore.PrivateKeyEntry} of the signer.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	120	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	121	public Builder(KeyStore.PrivateKeyEntry entry) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	122	this.privateKey = entry.getPrivateKey();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	123	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	124	// called internally, no need to clone
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	125	Certificate[] certs = entry.getCertificateChain();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	126	this.certChain = Arrays.copyOf(certs, certs.length,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	127	X509Certificate[].class);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	128	} catch (ArrayStoreException ase) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	129	// Wrong type, not X509Certificate. Won't document.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	130	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	131	"Entry does not contain X509Certificate");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	132	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	133	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	134
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	135	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	136	* Creates a {@code JarSigner.Builder} object with a private key and
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	137	* a certification path.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	138	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	139	* @param privateKey the private key of the signer.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	140	* @param certPath the certification path of the signer.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	141	* @throws IllegalArgumentException if {@code certPath} is empty, or
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	142	* the {@code privateKey} algorithm does not match the algorithm
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	143	* of the {@code PublicKey} in the end entity certificate
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	144	* (the first certificate in {@code certPath}).
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	145	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	146	public Builder(PrivateKey privateKey, CertPath certPath) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	147	List<? extends Certificate> certs = certPath.getCertificates();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	148	if (certs.isEmpty()) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	149	throw new IllegalArgumentException("certPath cannot be empty");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	150	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	151	if (!privateKey.getAlgorithm().equals
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	152	(certs.get(0).getPublicKey().getAlgorithm())) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	153	throw new IllegalArgumentException
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	154	("private key algorithm does not match " +
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	155	"algorithm of public key in end entity " +
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	156	"certificate (the 1st in certPath)");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	157	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	158	this.privateKey = privateKey;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	159	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	160	this.certChain = certs.toArray(new X509Certificate[certs.size()]);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	161	} catch (ArrayStoreException ase) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	162	// Wrong type, not X509Certificate.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	163	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	164	"Entry does not contain X509Certificate");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	165	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	166	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	167
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	168	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	169	* Sets the digest algorithm. If no digest algorithm is specified,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	170	* the default algorithm returned by {@link #getDefaultDigestAlgorithm}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	171	* will be used.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	172	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	173	* @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	174	* the {@code MessageDigest} section in the <a href=
45118 e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory ihse parents: 42685 diff changeset	175	* "{@docRoot}/../specs/security/standard-names.html#messagedigest-algorithms">
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	176	* Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	177	* Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	178	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	179	* @throws NoSuchAlgorithmException if {@code algorithm} is not available.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	180	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	181	public Builder digestAlgorithm(String algorithm) throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	182	MessageDigest.getInstance(Objects.requireNonNull(algorithm));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	183	this.digestalg = new String[]{algorithm};
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	184	this.digestProvider = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	185	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	186	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	187
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	188	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	189	* Sets the digest algorithm from the specified provider.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	190	* If no digest algorithm is specified, the default algorithm
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	191	* returned by {@link #getDefaultDigestAlgorithm} will be used.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	192	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	193	* @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	194	* the {@code MessageDigest} section in the <a href=
45118 e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory ihse parents: 42685 diff changeset	195	* "{@docRoot}/../specs/security/standard-names.html#messagedigest-algorithms">
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	196	* Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	197	* Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	198	* @param provider the provider.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	199	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	200	* @throws NoSuchAlgorithmException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	201	* available in the specified provider.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	202	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	203	public Builder digestAlgorithm(String algorithm, Provider provider)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	204	throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	205	MessageDigest.getInstance(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	206	Objects.requireNonNull(algorithm),
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	207	Objects.requireNonNull(provider));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	208	this.digestalg = new String[]{algorithm};
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	209	this.digestProvider = provider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	210	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	211	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	212
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	213	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	214	* Sets the signature algorithm. If no signature algorithm
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	215	* is specified, the default signature algorithm returned by
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	216	* {@link #getDefaultSignatureAlgorithm} for the private key
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	217	* will be used.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	218	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	219	* @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	220	* the {@code Signature} section in the <a href=
45118 e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory ihse parents: 42685 diff changeset	221	* "{@docRoot}/../specs/security/standard-names.html#signature-algorithms">
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	222	* Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	223	* Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	224	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	225	* @throws NoSuchAlgorithmException if {@code algorithm} is not available.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	226	* @throws IllegalArgumentException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	227	* compatible with the algorithm of the signer's private key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	228	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	229	public Builder signatureAlgorithm(String algorithm)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	230	throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	231	// Check availability
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	232	Signature.getInstance(Objects.requireNonNull(algorithm));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	233	AlgorithmId.checkKeyAndSigAlgMatch(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	234	privateKey.getAlgorithm(), algorithm);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	235	this.sigalg = algorithm;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	236	this.sigProvider = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	237	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	238	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	239
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	240	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	241	* Sets the signature algorithm from the specified provider. If no
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	242	* signature algorithm is specified, the default signature algorithm
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	243	* returned by {@link #getDefaultSignatureAlgorithm} for the private
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	244	* key will be used.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	245	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	246	* @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	247	* the {@code Signature} section in the <a href=
45118 e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory ihse parents: 42685 diff changeset	248	* "{@docRoot}/../specs/security/standard-names.html#signature-algorithms">
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	249	* Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	250	* Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	251	* @param provider the provider.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	252	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	253	* @throws NoSuchAlgorithmException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	254	* available in the specified provider.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	255	* @throws IllegalArgumentException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	256	* compatible with the algorithm of the signer's private key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	257	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	258	public Builder signatureAlgorithm(String algorithm, Provider provider)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	259	throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	260	// Check availability
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	261	Signature.getInstance(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	262	Objects.requireNonNull(algorithm),
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	263	Objects.requireNonNull(provider));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	264	AlgorithmId.checkKeyAndSigAlgMatch(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	265	privateKey.getAlgorithm(), algorithm);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	266	this.sigalg = algorithm;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	267	this.sigProvider = provider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	268	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	269	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	270
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	271	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	272	* Sets the URI of the Time Stamping Authority (TSA).
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	273	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	274	* @param uri the URI.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	275	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	276	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	277	public Builder tsa(URI uri) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	278	this.tsaUrl = Objects.requireNonNull(uri);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	279	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	280	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	281
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	282	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	283	* Sets the signer name. The name will be used as the base name for
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	284	* the signature files. All lowercase characters will be converted to
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	285	* uppercase for signature file names. If a signer name is not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	286	* specified, the string "SIGNER" will be used.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	287	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	288	* @param name the signer name.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	289	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	290	* @throws IllegalArgumentException if {@code name} is empty or has
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	291	* a size bigger than 8, or it contains characters not from the
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	292	* set "a-zA-Z0-9_-".
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	293	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	294	public Builder signerName(String name) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	295	if (name.isEmpty() \|\| name.length() > 8) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	296	throw new IllegalArgumentException("Name too long");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	297	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	298
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	299	name = name.toUpperCase(Locale.ENGLISH);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	300
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	301	for (int j = 0; j < name.length(); j++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	302	char c = name.charAt(j);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	303	if (!
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	304	((c >= 'A' && c <= 'Z') \|\|
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	305	(c >= '0' && c <= '9') \|\|
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	306	(c == '-') \|\|
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	307	(c == '_'))) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	308	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	309	"Invalid characters in name");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	310	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	311	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	312	this.signerName = name;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	313	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	314	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	315
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	316	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	317	* Sets en event handler that will be triggered when a {@link JarEntry}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	318	* is to be added, signed, or updated during the signing process.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	319	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	320	* The handler can be used to display signing progress. The first
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	321	* argument of the handler can be "adding", "signing", or "updating",
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	322	* and the second argument is the name of the {@link JarEntry}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	323	* being processed.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	324	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	325	* @param handler the event handler.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	326	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	327	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	328	public Builder eventHandler(BiConsumer<String,String> handler) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	329	this.handler = Objects.requireNonNull(handler);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	330	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	331	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	332
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	333	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	334	* Sets an additional implementation-specific property indicated by
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	335	* the specified key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	336	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	337	* @implNote This implementation supports the following properties:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	338	* <ul>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	339	* <li>"tsaDigestAlg": algorithm of digest data in the timestamping
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	340	* request. The default value is the same as the result of
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	341	* {@link #getDefaultDigestAlgorithm}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	342	* <li>"tsaPolicyId": TSAPolicyID for Timestamping Authority.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	343	* No default value.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	344	* <li>"internalsf": "true" if the .SF file is included inside the
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	345	* signature block, "false" otherwise. Default "false".
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	346	* <li>"sectionsonly": "true" if the .SF file only contains the hash
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	347	* value for each section of the manifest and not for the whole
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	348	* manifest, "false" otherwise. Default "false".
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	349	* </ul>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	350	* All property names are case-insensitive.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	351	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	352	* @param key the name of the property.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	353	* @param value the value of the property.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	354	* @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	355	* @throws UnsupportedOperationException if the key is not supported
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	356	* by this implementation.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	357	* @throws IllegalArgumentException if the value is not accepted as
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	358	* a legal value for this key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	359	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	360	public Builder setProperty(String key, String value) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	361	Objects.requireNonNull(key);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	362	Objects.requireNonNull(value);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	363	switch (key.toLowerCase(Locale.US)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	364	case "tsadigestalg":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	365	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	366	MessageDigest.getInstance(value);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	367	} catch (NoSuchAlgorithmException nsae) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	368	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	369	"Invalid tsadigestalg", nsae);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	370	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	371	this.tSADigestAlg = value;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	372	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	373	case "tsapolicyid":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	374	this.tSAPolicyID = value;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	375	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	376	case "internalsf":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	377	switch (value) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	378	case "true":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	379	externalSF = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	380	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	381	case "false":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	382	externalSF = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	383	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	384	default:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	385	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	386	"Invalid internalsf value");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	387	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	388	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	389	case "sectionsonly":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	390	switch (value) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	391	case "true":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	392	signManifest = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	393	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	394	case "false":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	395	signManifest = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	396	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	397	default:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	398	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	399	"Invalid signManifest value");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	400	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	401	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	402	case "altsignerpath":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	403	altSignerPath = value;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	404	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	405	case "altsigner":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	406	altSigner = value;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	407	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	408	default:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	409	throw new UnsupportedOperationException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	410	"Unsupported key " + key);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	411	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	412	return this;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	413	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	414
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	415	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	416	* Gets the default digest algorithm.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	417	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	418	* @implNote This implementation returns "SHA-256". The value may
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	419	* change in the future.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	420	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	421	* @return the default digest algorithm.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	422	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	423	public static String getDefaultDigestAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	424	return "SHA-256";
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	425	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	426
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	427	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	428	* Gets the default signature algorithm for a private key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	429	* For example, SHA256withRSA for a 2048-bit RSA key, and
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	430	* SHA384withECDSA for a 384-bit EC key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	431	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	432	* @implNote This implementation makes use of comparable strengths
42685 a538ed225637 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec weijun parents: 35302 diff changeset	433	* as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.4.
33872 94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	434	* Specifically, if a DSA or RSA key with a key size greater than 7680
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	435	* bits, or an EC key with a key size greater than or equal to 512 bits,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	436	* SHA-512 will be used as the hash function for the signature.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	437	* If a DSA or RSA key has a key size greater than 3072 bits, or an
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	438	* EC key has a key size greater than or equal to 384 bits, SHA-384 will
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	439	* be used. Otherwise, SHA-256 will be used. The value may
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	440	* change in the future.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	441	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	442	* @param key the private key.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	443	* @return the default signature algorithm. Returns null if a default
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	444	* signature algorithm cannot be found. In this case,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	445	* {@link #signatureAlgorithm} must be called to specify a
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	446	* signature algorithm. Otherwise, the {@link #build} method
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	447	* will throw an {@link IllegalArgumentException}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	448	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	449	public static String getDefaultSignatureAlgorithm(PrivateKey key) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	450	return AlgorithmId.getDefaultSigAlgForKey(Objects.requireNonNull(key));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	451	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	452
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	453	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	454	* Builds a {@code JarSigner} object from the parameters set by the
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	455	* setter methods.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	456	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	457	* This method does not modify internal state of this {@code Builder}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	458	* object and can be called multiple times to generate multiple
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	459	* {@code JarSigner} objects. After this method is called, calling
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	460	* any method on this {@code Builder} will have no effect on
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	461	* the newly built {@code JarSigner} object.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	462	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	463	* @return the {@code JarSigner} object.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	464	* @throws IllegalArgumentException if a signature algorithm is not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	465	* set and cannot be derived from the private key using the
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	466	* {@link #getDefaultSignatureAlgorithm} method.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	467	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	468	public JarSigner build() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	469	return new JarSigner(this);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	470	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	471	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	472
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	473	private static final String META_INF = "META-INF/";
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	474
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	475	// All fields in Builder are duplicated here as final. Those not
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	476	// provided but has a default value will be filled with default value.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	477
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	478	// Precisely, a final array field can still be modified if only
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	479	// reference is copied, no clone is done because we are concerned about
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	480	// casual change instead of malicious attack.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	481
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	482	// Signer materials:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	483	private final PrivateKey privateKey;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	484	private final X509Certificate[] certChain;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	485
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	486	// JarSigner options:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	487	private final String[] digestalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	488	private final String sigalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	489	private final Provider digestProvider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	490	private final Provider sigProvider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	491	private final URI tsaUrl;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	492	private final String signerName;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	493	private final BiConsumer<String,String> handler;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	494
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	495	// Implementation-specific properties:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	496	private final String tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	497	private final String tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	498	private final boolean signManifest; // "sign" the whole manifest
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	499	private final boolean externalSF; // leave the .SF out of the PKCS7 block
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	500	private final String altSignerPath;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	501	private final String altSigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	502
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	503	private JarSigner(JarSigner.Builder builder) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	504
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	505	this.privateKey = builder.privateKey;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	506	this.certChain = builder.certChain;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	507	if (builder.digestalg != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	508	// No need to clone because builder only accepts one alg now
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	509	this.digestalg = builder.digestalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	510	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	511	this.digestalg = new String[] {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	512	Builder.getDefaultDigestAlgorithm() };
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	513	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	514	this.digestProvider = builder.digestProvider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	515	if (builder.sigalg != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	516	this.sigalg = builder.sigalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	517	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	518	this.sigalg = JarSigner.Builder
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	519	.getDefaultSignatureAlgorithm(privateKey);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	520	if (this.sigalg == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	521	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	522	"No signature alg for " + privateKey.getAlgorithm());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	523	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	524	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	525	this.sigProvider = builder.sigProvider;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	526	this.tsaUrl = builder.tsaUrl;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	527
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	528	if (builder.signerName == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	529	this.signerName = "SIGNER";
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	530	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	531	this.signerName = builder.signerName;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	532	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	533	this.handler = builder.handler;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	534
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	535	if (builder.tSADigestAlg != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	536	this.tSADigestAlg = builder.tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	537	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	538	this.tSADigestAlg = Builder.getDefaultDigestAlgorithm();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	539	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	540	this.tSAPolicyID = builder.tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	541	this.signManifest = builder.signManifest;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	542	this.externalSF = builder.externalSF;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	543	this.altSigner = builder.altSigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	544	this.altSignerPath = builder.altSignerPath;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	545	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	546
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	547	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	548	* Signs a file into an {@link OutputStream}. This method will not close
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	549	* {@code file} or {@code os}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	550	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	551	* @param file the file to sign.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	552	* @param os the output stream.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	553	* @throws JarSignerException if the signing fails.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	554	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	555	public void sign(ZipFile file, OutputStream os) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	556	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	557	sign0(Objects.requireNonNull(file),
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	558	Objects.requireNonNull(os));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	559	} catch (SocketTimeoutException \| CertificateException e) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	560	// CertificateException is thrown when the received cert from TSA
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	561	// has no id-kp-timeStamping in its Extended Key Usages extension.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	562	throw new JarSignerException("Error applying timestamp", e);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	563	} catch (IOException ioe) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	564	throw new JarSignerException("I/O error", ioe);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	565	} catch (NoSuchAlgorithmException \| InvalidKeyException e) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	566	throw new JarSignerException("Error in signer materials", e);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	567	} catch (SignatureException se) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	568	throw new JarSignerException("Error creating signature", se);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	569	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	570	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	571
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	572	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	573	* Returns the digest algorithm for this {@code JarSigner}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	574	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	575	* The return value is never null.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	576	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	577	* @return the digest algorithm.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	578	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	579	public String getDigestAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	580	return digestalg[0];
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	581	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	582
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	583	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	584	* Returns the signature algorithm for this {@code JarSigner}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	585	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	586	* The return value is never null.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	587	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	588	* @return the signature algorithm.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	589	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	590	public String getSignatureAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	591	return sigalg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	592	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	593
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	594	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	595	* Returns the URI of the Time Stamping Authority (TSA).
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	596	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	597	* @return the URI of the TSA.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	598	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	599	public URI getTsa() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	600	return tsaUrl;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	601	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	602
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	603	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	604	* Returns the signer name of this {@code JarSigner}.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	605	* <p>
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	606	* The return value is never null.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	607	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	608	* @return the signer name.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	609	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	610	public String getSignerName() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	611	return signerName;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	612	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	613
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	614	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	615	* Returns the value of an additional implementation-specific property
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	616	* indicated by the specified key. If a property is not set but has a
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	617	* default value, the default value will be returned.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	618	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	619	* @implNote See {@link JarSigner.Builder#setProperty} for a list of
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	620	* properties this implementation supports. All property names are
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	621	* case-insensitive.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	622	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	623	* @param key the name of the property.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	624	* @return the value for the property.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	625	* @throws UnsupportedOperationException if the key is not supported
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	626	* by this implementation.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	627	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	628	public String getProperty(String key) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	629	Objects.requireNonNull(key);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	630	switch (key.toLowerCase(Locale.US)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	631	case "tsadigestalg":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	632	return tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	633	case "tsapolicyid":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	634	return tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	635	case "internalsf":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	636	return Boolean.toString(!externalSF);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	637	case "sectionsonly":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	638	return Boolean.toString(!signManifest);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	639	case "altsignerpath":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	640	return altSignerPath;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	641	case "altsigner":
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	642	return altSigner;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	643	default:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	644	throw new UnsupportedOperationException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	645	"Unsupported key " + key);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	646	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	647	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	648
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	649	private void sign0(ZipFile zipFile, OutputStream os)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	650	throws IOException, CertificateException, NoSuchAlgorithmException,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	651	SignatureException, InvalidKeyException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	652	MessageDigest[] digests;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	653	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	654	digests = new MessageDigest[digestalg.length];
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	655	for (int i = 0; i < digestalg.length; i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	656	if (digestProvider == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	657	digests[i] = MessageDigest.getInstance(digestalg[i]);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	658	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	659	digests[i] = MessageDigest.getInstance(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	660	digestalg[i], digestProvider);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	661	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	662	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	663	} catch (NoSuchAlgorithmException asae) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	664	// Should not happen. User provided alg were checked, and default
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	665	// alg should always be available.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	666	throw new AssertionError(asae);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	667	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	668
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	669	PrintStream ps = new PrintStream(os);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	670	ZipOutputStream zos = new ZipOutputStream(ps);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	671
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	672	Manifest manifest = new Manifest();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	673	Map<String, Attributes> mfEntries = manifest.getEntries();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	674
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	675	// The Attributes of manifest before updating
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	676	Attributes oldAttr = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	677
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	678	boolean mfModified = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	679	boolean mfCreated = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	680	byte[] mfRawBytes = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	681
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	682	// Check if manifest exists
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	683	ZipEntry mfFile;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	684	if ((mfFile = getManifestFile(zipFile)) != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	685	// Manifest exists. Read its raw bytes.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	686	mfRawBytes = zipFile.getInputStream(mfFile).readAllBytes();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	687	manifest.read(new ByteArrayInputStream(mfRawBytes));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	688	oldAttr = (Attributes) (manifest.getMainAttributes().clone());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	689	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	690	// Create new manifest
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	691	Attributes mattr = manifest.getMainAttributes();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	692	mattr.putValue(Attributes.Name.MANIFEST_VERSION.toString(),
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	693	"1.0");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	694	String javaVendor = System.getProperty("java.vendor");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	695	String jdkVersion = System.getProperty("java.version");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	696	mattr.putValue("Created-By", jdkVersion + " (" + javaVendor
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	697	+ ")");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	698	mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	699	mfCreated = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	700	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	701
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	702	/*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	703	* For each entry in jar
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	704	* (except for signature-related META-INF entries),
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	705	* do the following:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	706	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	707	* - if entry is not contained in manifest, add it to manifest;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	708	* - if entry is contained in manifest, calculate its hash and
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	709	* compare it with the one in the manifest; if they are
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	710	* different, replace the hash in the manifest with the newly
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	711	* generated one. (This may invalidate existing signatures!)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	712	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	713	Vector<ZipEntry> mfFiles = new Vector<>();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	714
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	715	boolean wasSigned = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	716
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	717	for (Enumeration<? extends ZipEntry> enum_ = zipFile.entries();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	718	enum_.hasMoreElements(); ) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	719	ZipEntry ze = enum_.nextElement();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	720
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	721	if (ze.getName().startsWith(META_INF)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	722	// Store META-INF files in vector, so they can be written
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	723	// out first
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	724	mfFiles.addElement(ze);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	725
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	726	if (SignatureFileVerifier.isBlockOrSF(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	727	ze.getName().toUpperCase(Locale.ENGLISH))) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	728	wasSigned = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	729	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	730
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	731	if (SignatureFileVerifier.isSigningRelated(ze.getName())) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	732	// ignore signature-related and manifest files
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	733	continue;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	734	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	735	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	736
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	737	if (manifest.getAttributes(ze.getName()) != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	738	// jar entry is contained in manifest, check and
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	739	// possibly update its digest attributes
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	740	if (updateDigests(ze, zipFile, digests,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	741	manifest)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	742	mfModified = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	743	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	744	} else if (!ze.isDirectory()) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	745	// Add entry to manifest
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	746	Attributes attrs = getDigestAttributes(ze, zipFile, digests);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	747	mfEntries.put(ze.getName(), attrs);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	748	mfModified = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	749	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	750	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	751
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	752	// Recalculate the manifest raw bytes if necessary
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	753	if (mfModified) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	754	ByteArrayOutputStream baos = new ByteArrayOutputStream();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	755	manifest.write(baos);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	756	if (wasSigned) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	757	byte[] newBytes = baos.toByteArray();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	758	if (mfRawBytes != null
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	759	&& oldAttr.equals(manifest.getMainAttributes())) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	760
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	761	/*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	762	* Note:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	763	*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	764	* The Attributes object is based on HashMap and can handle
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	765	* continuation columns. Therefore, even if the contents are
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	766	* not changed (in a Map view), the bytes that it write()
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	767	* may be different from the original bytes that it read()
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	768	* from. Since the signature on the main attributes is based
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	769	* on raw bytes, we must retain the exact bytes.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	770	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	771
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	772	int newPos = findHeaderEnd(newBytes);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	773	int oldPos = findHeaderEnd(mfRawBytes);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	774
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	775	if (newPos == oldPos) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	776	System.arraycopy(mfRawBytes, 0, newBytes, 0, oldPos);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	777	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	778	// cat oldHead newTail > newBytes
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	779	byte[] lastBytes = new byte[oldPos +
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	780	newBytes.length - newPos];
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	781	System.arraycopy(mfRawBytes, 0, lastBytes, 0, oldPos);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	782	System.arraycopy(newBytes, newPos, lastBytes, oldPos,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	783	newBytes.length - newPos);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	784	newBytes = lastBytes;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	785	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	786	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	787	mfRawBytes = newBytes;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	788	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	789	mfRawBytes = baos.toByteArray();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	790	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	791	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	792
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	793	// Write out the manifest
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	794	if (mfModified) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	795	// manifest file has new length
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	796	mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	797	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	798	if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	799	if (mfCreated) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	800	handler.accept("adding", mfFile.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	801	} else if (mfModified) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	802	handler.accept("updating", mfFile.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	803	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	804	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	805
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	806	zos.putNextEntry(mfFile);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	807	zos.write(mfRawBytes);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	808
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	809	// Calculate SignatureFile (".SF") and SignatureBlockFile
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	810	ManifestDigester manDig = new ManifestDigester(mfRawBytes);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	811	SignatureFile sf = new SignatureFile(digests, manifest, manDig,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	812	signerName, signManifest);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	813
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	814	byte[] block;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	815
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	816	Signature signer;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	817	if (sigProvider == null ) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	818	signer = Signature.getInstance(sigalg);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	819	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	820	signer = Signature.getInstance(sigalg, sigProvider);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	821	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	822	signer.initSign(privateKey);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	823
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	824	ByteArrayOutputStream baos = new ByteArrayOutputStream();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	825	sf.write(baos);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	826
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	827	byte[] content = baos.toByteArray();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	828
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	829	signer.update(content);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	830	byte[] signature = signer.sign();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	831
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	832	@SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	833	ContentSigner signingMechanism = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	834	if (altSigner != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	835	signingMechanism = loadSigningMechanism(altSigner,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	836	altSignerPath);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	837	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	838
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	839	@SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	840	ContentSignerParameters params =
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	841	new JarSignerParameters(null, tsaUrl, tSAPolicyID,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	842	tSADigestAlg, signature,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	843	signer.getAlgorithm(), certChain, content, zipFile);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	844	block = sf.generateBlock(params, externalSF, signingMechanism);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	845
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	846	String sfFilename = sf.getMetaName();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	847	String bkFilename = sf.getBlockName(privateKey);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	848
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	849	ZipEntry sfFile = new ZipEntry(sfFilename);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	850	ZipEntry bkFile = new ZipEntry(bkFilename);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	851
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	852	long time = System.currentTimeMillis();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	853	sfFile.setTime(time);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	854	bkFile.setTime(time);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	855
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	856	// signature file
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	857	zos.putNextEntry(sfFile);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	858	sf.write(zos);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	859
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	860	if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	861	if (zipFile.getEntry(sfFilename) != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	862	handler.accept("updating", sfFilename);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	863	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	864	handler.accept("adding", sfFilename);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	865	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	866	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	867
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	868	// signature block file
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	869	zos.putNextEntry(bkFile);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	870	zos.write(block);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	871
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	872	if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	873	if (zipFile.getEntry(bkFilename) != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	874	handler.accept("updating", bkFilename);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	875	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	876	handler.accept("adding", bkFilename);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	877	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	878	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	879
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	880	// Write out all other META-INF files that we stored in the
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	881	// vector
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	882	for (int i = 0; i < mfFiles.size(); i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	883	ZipEntry ze = mfFiles.elementAt(i);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	884	if (!ze.getName().equalsIgnoreCase(JarFile.MANIFEST_NAME)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	885	&& !ze.getName().equalsIgnoreCase(sfFilename)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	886	&& !ze.getName().equalsIgnoreCase(bkFilename)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	887	if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	888	if (manifest.getAttributes(ze.getName()) != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	889	handler.accept("signing", ze.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	890	} else if (!ze.isDirectory()) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	891	handler.accept("adding", ze.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	892	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	893	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	894	writeEntry(zipFile, zos, ze);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	895	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	896	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	897
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	898	// Write out all other files
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	899	for (Enumeration<? extends ZipEntry> enum_ = zipFile.entries();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	900	enum_.hasMoreElements(); ) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	901	ZipEntry ze = enum_.nextElement();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	902
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	903	if (!ze.getName().startsWith(META_INF)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	904	if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	905	if (manifest.getAttributes(ze.getName()) != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	906	handler.accept("signing", ze.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	907	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	908	handler.accept("adding", ze.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	909	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	910	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	911	writeEntry(zipFile, zos, ze);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	912	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	913	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	914	zipFile.close();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	915	zos.close();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	916	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	917
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	918	private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	919	throws IOException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	920	ZipEntry ze2 = new ZipEntry(ze.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	921	ze2.setMethod(ze.getMethod());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	922	ze2.setTime(ze.getTime());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	923	ze2.setComment(ze.getComment());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	924	ze2.setExtra(ze.getExtra());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	925	if (ze.getMethod() == ZipEntry.STORED) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	926	ze2.setSize(ze.getSize());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	927	ze2.setCrc(ze.getCrc());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	928	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	929	os.putNextEntry(ze2);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	930	writeBytes(zf, ze, os);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	931	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	932
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	933	private void writeBytes
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	934	(ZipFile zf, ZipEntry ze, ZipOutputStream os) throws IOException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	935	try (InputStream is = zf.getInputStream(ze)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	936	is.transferTo(os);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	937	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	938	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	939
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	940	private boolean updateDigests(ZipEntry ze, ZipFile zf,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	941	MessageDigest[] digests,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	942	Manifest mf) throws IOException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	943	boolean update = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	944
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	945	Attributes attrs = mf.getAttributes(ze.getName());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	946	String[] base64Digests = getDigests(ze, zf, digests);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	947
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	948	for (int i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	949	// The entry name to be written into attrs
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	950	String name = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	951	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	952	// Find if the digest already exists. An algorithm could have
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	953	// different names. For example, last time it was SHA, and this
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	954	// time it's SHA-1.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	955	AlgorithmId aid = AlgorithmId.get(digests[i].getAlgorithm());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	956	for (Object key : attrs.keySet()) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	957	if (key instanceof Attributes.Name) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	958	String n = key.toString();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	959	if (n.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	960	String tmp = n.substring(0, n.length() - 7);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	961	if (AlgorithmId.get(tmp).equals(aid)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	962	name = n;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	963	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	964	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	965	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	966	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	967	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	968	} catch (NoSuchAlgorithmException nsae) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	969	// Ignored. Writing new digest entry.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	970	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	971
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	972	if (name == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	973	name = digests[i].getAlgorithm() + "-Digest";
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	974	attrs.putValue(name, base64Digests[i]);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	975	update = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	976	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	977	// compare digests, and replace the one in the manifest
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	978	// if they are different
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	979	String mfDigest = attrs.getValue(name);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	980	if (!mfDigest.equalsIgnoreCase(base64Digests[i])) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	981	attrs.putValue(name, base64Digests[i]);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	982	update = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	983	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	984	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	985	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	986	return update;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	987	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	988
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	989	private Attributes getDigestAttributes(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	990	ZipEntry ze, ZipFile zf, MessageDigest[] digests)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	991	throws IOException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	992
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	993	String[] base64Digests = getDigests(ze, zf, digests);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	994	Attributes attrs = new Attributes();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	995
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	996	for (int i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	997	attrs.putValue(digests[i].getAlgorithm() + "-Digest",
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	998	base64Digests[i]);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	999	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1000	return attrs;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1001	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1002
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1003	/*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1004	* Returns manifest entry from given jar file, or null if given jar file
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1005	* does not have a manifest entry.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1006	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1007	private ZipEntry getManifestFile(ZipFile zf) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1008	ZipEntry ze = zf.getEntry(JarFile.MANIFEST_NAME);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1009	if (ze == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1010	// Check all entries for matching name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1011	Enumeration<? extends ZipEntry> enum_ = zf.entries();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1012	while (enum_.hasMoreElements() && ze == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1013	ze = enum_.nextElement();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1014	if (!JarFile.MANIFEST_NAME.equalsIgnoreCase
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1015	(ze.getName())) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1016	ze = null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1017	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1018	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1019	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1020	return ze;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1021	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1022
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1023	private String[] getDigests(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1024	ZipEntry ze, ZipFile zf, MessageDigest[] digests)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1025	throws IOException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1026
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1027	int n, i;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1028	try (InputStream is = zf.getInputStream(ze)) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1029	long left = ze.getSize();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1030	byte[] buffer = new byte[8192];
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1031	while ((left > 0)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1032	&& (n = is.read(buffer, 0, buffer.length)) != -1) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1033	for (i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1034	digests[i].update(buffer, 0, n);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1035	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1036	left -= n;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1037	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1038	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1039
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1040	// complete the digests
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1041	String[] base64Digests = new String[digests.length];
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1042	for (i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1043	base64Digests[i] = Base64.getEncoder()
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1044	.encodeToString(digests[i].digest());
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1045	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1046	return base64Digests;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1047	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1048
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1049	@SuppressWarnings("fallthrough")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1050	private int findHeaderEnd(byte[] bs) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1051	// Initial state true to deal with empty header
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1052	boolean newline = true; // just met a newline
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1053	int len = bs.length;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1054	for (int i = 0; i < len; i++) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1055	switch (bs[i]) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1056	case '\r':
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1057	if (i < len - 1 && bs[i + 1] == '\n') i++;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1058	// fallthrough
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1059	case '\n':
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1060	if (newline) return i + 1; //+1 to get length
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1061	newline = true;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1062	break;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1063	default:
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1064	newline = false;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1065	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1066	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1067	// If header end is not found, it means the MANIFEST.MF has only
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1068	// the main attributes section and it does not end with 2 newlines.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1069	// Returns the whole length so that it can be completely replaced.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1070	return len;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1071	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1072
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1073	/*
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1074	* Try to load the specified signing mechanism.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1075	* The URL class loader is used.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1076	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1077	@SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1078	private ContentSigner loadSigningMechanism(String signerClassName,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1079	String signerClassPath) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1080
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1081	// construct class loader
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1082	String cpString; // make sure env.class.path defaults to dot
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1083
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1084	// do prepends to get correct ordering
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1085	cpString = PathList.appendPath(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1086	System.getProperty("env.class.path"), null);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1087	cpString = PathList.appendPath(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1088	System.getProperty("java.class.path"), cpString);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1089	cpString = PathList.appendPath(signerClassPath, cpString);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1090	URL[] urls = PathList.pathToURLs(cpString);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1091	ClassLoader appClassLoader = new URLClassLoader(urls);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1092
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1093	try {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1094	// attempt to find signer
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1095	Class<?> signerClass = appClassLoader.loadClass(signerClassName);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1096	Object signer = signerClass.newInstance();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1097	return (ContentSigner) signer;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1098	} catch (ClassNotFoundException\|InstantiationException\|
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1099	IllegalAccessException\|ClassCastException e) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1100	throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1101	"Invalid altSigner or altSignerPath", e);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1102	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1103	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1104
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1105	static class SignatureFile {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1106
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1107	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1108	* SignatureFile
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1109	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1110	Manifest sf;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1111
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1112	/**
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1113	* .SF base name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1114	*/
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1115	String baseName;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1116
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1117	public SignatureFile(MessageDigest digests[],
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1118	Manifest mf,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1119	ManifestDigester md,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1120	String baseName,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1121	boolean signManifest) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1122
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1123	this.baseName = baseName;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1124
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1125	String version = System.getProperty("java.version");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1126	String javaVendor = System.getProperty("java.vendor");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1127
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1128	sf = new Manifest();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1129	Attributes mattr = sf.getMainAttributes();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1130
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1131	mattr.putValue(Attributes.Name.SIGNATURE_VERSION.toString(), "1.0");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1132	mattr.putValue("Created-By", version + " (" + javaVendor + ")");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1133
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1134	if (signManifest) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1135	for (MessageDigest digest: digests) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1136	mattr.putValue(digest.getAlgorithm() + "-Digest-Manifest",
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1137	Base64.getEncoder().encodeToString(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1138	md.manifestDigest(digest)));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1139	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1140	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1141
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1142	// create digest of the manifest main attributes
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1143	ManifestDigester.Entry mde =
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1144	md.get(ManifestDigester.MF_MAIN_ATTRS, false);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1145	if (mde != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1146	for (MessageDigest digest: digests) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1147	mattr.putValue(digest.getAlgorithm() +
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1148	"-Digest-" + ManifestDigester.MF_MAIN_ATTRS,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1149	Base64.getEncoder().encodeToString(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1150	mde.digest(digest)));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1151	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1152	} else {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1153	throw new IllegalStateException
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1154	("ManifestDigester failed to create " +
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1155	"Manifest-Main-Attribute entry");
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1156	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1157
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1158	// go through the manifest entries and create the digests
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1159	Map<String, Attributes> entries = sf.getEntries();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1160	for (String name: mf.getEntries().keySet()) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1161	mde = md.get(name, false);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1162	if (mde != null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1163	Attributes attr = new Attributes();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1164	for (MessageDigest digest: digests) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1165	attr.putValue(digest.getAlgorithm() + "-Digest",
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1166	Base64.getEncoder().encodeToString(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1167	mde.digest(digest)));
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1168	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1169	entries.put(name, attr);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1170	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1171	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1172	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1173
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1174	// Write .SF file
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1175	public void write(OutputStream out) throws IOException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1176	sf.write(out);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1177	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1178
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1179	// get .SF file name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1180	public String getMetaName() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1181	return "META-INF/" + baseName + ".SF";
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1182	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1183
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1184	// get .DSA (or .DSA, .EC) file name
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1185	public String getBlockName(PrivateKey privateKey) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1186	String keyAlgorithm = privateKey.getAlgorithm();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1187	return "META-INF/" + baseName + "." + keyAlgorithm;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1188	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1189
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1190	// Generates the PKCS#7 content of block file
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1191	@SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1192	public byte[] generateBlock(ContentSignerParameters params,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1193	boolean externalSF,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1194	ContentSigner signingMechanism)
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1195	throws NoSuchAlgorithmException,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1196	IOException, CertificateException {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1197
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1198	if (signingMechanism == null) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1199	signingMechanism = new TimestampedSigner();
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1200	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1201	return signingMechanism.generateSignedData(
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1202	params,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1203	externalSF,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1204	params.getTimestampingAuthority() != null
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1205	\|\| params.getTimestampingAuthorityCertificate() != null);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1206	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1207	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1208
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1209	@SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1210	class JarSignerParameters implements ContentSignerParameters {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1211
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1212	private String[] args;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1213	private URI tsa;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1214	private byte[] signature;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1215	private String signatureAlgorithm;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1216	private X509Certificate[] signerCertificateChain;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1217	private byte[] content;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1218	private ZipFile source;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1219	private String tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1220	private String tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1221
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1222	JarSignerParameters(String[] args, URI tsa,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1223	String tSAPolicyID, String tSADigestAlg,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1224	byte[] signature, String signatureAlgorithm,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1225	X509Certificate[] signerCertificateChain,
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1226	byte[] content, ZipFile source) {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1227
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1228	Objects.requireNonNull(signature);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1229	Objects.requireNonNull(signatureAlgorithm);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1230	Objects.requireNonNull(signerCertificateChain);
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1231
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1232	this.args = args;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1233	this.tsa = tsa;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1234	this.tSAPolicyID = tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1235	this.tSADigestAlg = tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1236	this.signature = signature;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1237	this.signatureAlgorithm = signatureAlgorithm;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1238	this.signerCertificateChain = signerCertificateChain;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1239	this.content = content;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1240	this.source = source;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1241	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1242
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1243	public String[] getCommandLine() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1244	return args;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1245	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1246
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1247	public URI getTimestampingAuthority() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1248	return tsa;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1249	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1250
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1251	public X509Certificate getTimestampingAuthorityCertificate() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1252	// We don't use this param. Always provide tsaURI.
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1253	return null;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1254	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1255
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1256	public String getTSAPolicyID() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1257	return tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1258	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1259
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1260	public String getTSADigestAlg() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1261	return tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1262	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1263
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1264	public byte[] getSignature() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1265	return signature;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1266	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1267
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1268	public String getSignatureAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1269	return signatureAlgorithm;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1270	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1271
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1272	public X509Certificate[] getSignerCertificateChain() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1273	return signerCertificateChain;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1274	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1275
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1276	public byte[] getContent() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1277	return content;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1278	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1279
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1280	public ZipFile getSource() {
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1281	return source;
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1282	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1283	}
94e3836950ec 8056174: New APIs for jar signing weijun parents: diff changeset	1284	}

author	naoto
	Tue, 24 Oct 2017 08:56:30 -0700
changeset 47441	258dc79d2265
parent 47216	71c04702a3d5
child 48760	25725c11c296
permissions	-rw-r--r--