src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
author dl
Fri, 13 Oct 2017 18:19:18 -0700
changeset 47342 bffcbf07ea88
parent 47216 71c04702a3d5
child 48760 25725c11c296
permissions -rw-r--r--
8188047: Add SplittableRandom.nextBytes Reviewed-by: martin, psandoz
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     1
/*
45118
e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory
ihse
parents: 42685
diff changeset
     2
 * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     4
 *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     5
 * This code is free software; you can redistribute it and/or modify it
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     6
 * under the terms of the GNU General Public License version 2 only, as
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     7
 * published by the Free Software Foundation.  Oracle designates this
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     8
 * particular file as subject to the "Classpath" exception as provided
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
     9
 * by Oracle in the LICENSE file that accompanied this code.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    10
 *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    11
 * This code is distributed in the hope that it will be useful, but WITHOUT
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    14
 * version 2 for more details (a copy is included in the LICENSE file that
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    15
 * accompanied this code).
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    16
 *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    17
 * You should have received a copy of the GNU General Public License version
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    18
 * 2 along with this work; if not, write to the Free Software Foundation,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    20
 *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    22
 * or visit www.oracle.com if you need additional information or have any
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    23
 * questions.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    24
 */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    25
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    26
package jdk.security.jarsigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    27
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    28
import com.sun.jarsigner.ContentSigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    29
import com.sun.jarsigner.ContentSignerParameters;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    30
import sun.security.tools.PathList;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    31
import sun.security.tools.jarsigner.TimestampedSigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    32
import sun.security.util.ManifestDigester;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    33
import sun.security.util.SignatureFileVerifier;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    34
import sun.security.x509.AlgorithmId;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    35
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    36
import java.io.*;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    37
import java.net.SocketTimeoutException;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    38
import java.net.URI;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    39
import java.net.URL;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    40
import java.net.URLClassLoader;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    41
import java.security.*;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    42
import java.security.cert.CertPath;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    43
import java.security.cert.Certificate;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    44
import java.security.cert.CertificateException;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    45
import java.security.cert.X509Certificate;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    46
import java.util.*;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    47
import java.util.function.BiConsumer;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    48
import java.util.jar.Attributes;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    49
import java.util.jar.JarEntry;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    50
import java.util.jar.JarFile;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    51
import java.util.jar.Manifest;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    52
import java.util.zip.ZipEntry;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    53
import java.util.zip.ZipFile;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    54
import java.util.zip.ZipOutputStream;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    55
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    56
/**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    57
 * An immutable utility class to sign a jar file.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    58
 * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    59
 * A caller creates a {@code JarSigner.Builder} object, (optionally) sets
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    60
 * some parameters, and calls {@link JarSigner.Builder#build build} to create
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    61
 * a {@code JarSigner} object. This {@code JarSigner} object can then
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    62
 * be used to sign a jar file.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    63
 * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    64
 * Unless otherwise stated, calling a method of {@code JarSigner} or
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    65
 * {@code JarSigner.Builder} with a null argument will throw
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    66
 * a {@link NullPointerException}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    67
 * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    68
 * Example:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    69
 * <pre>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    70
 * JarSigner signer = new JarSigner.Builder(key, certPath)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    71
 *         .digestAlgorithm("SHA-1")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    72
 *         .signatureAlgorithm("SHA1withDSA")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    73
 *         .build();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    74
 * try (ZipFile in = new ZipFile(inputFile);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    75
 *         FileOutputStream out = new FileOutputStream(outputFile)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    76
 *     signer.sign(in, out);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    77
 * }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    78
 * </pre>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    79
 *
35302
e4d2275861c3 8136494: Update "@since 1.9" to "@since 9" to match java.version.specification
iris
parents: 34894
diff changeset
    80
 * @since 9
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    81
 */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    82
public final class JarSigner {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    83
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    84
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    85
     * A mutable builder class that can create an immutable {@code JarSigner}
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    86
     * from various signing-related parameters.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    87
     *
35302
e4d2275861c3 8136494: Update "@since 1.9" to "@since 9" to match java.version.specification
iris
parents: 34894
diff changeset
    88
     * @since 9
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    89
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    90
    public static class Builder {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    91
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    92
        // Signer materials:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    93
        final PrivateKey privateKey;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    94
        final X509Certificate[] certChain;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    95
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    96
        // JarSigner options:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    97
        // Support multiple digestalg internally. Can be null, but not empty
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    98
        String[] digestalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
    99
        String sigalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   100
        // Precisely should be one provider for each digestalg, maybe later
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   101
        Provider digestProvider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   102
        Provider sigProvider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   103
        URI tsaUrl;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   104
        String signerName;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   105
        BiConsumer<String,String> handler;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   106
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   107
        // Implementation-specific properties:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   108
        String tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   109
        String tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   110
        boolean signManifest = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   111
        boolean externalSF = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   112
        String altSignerPath;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   113
        String altSigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   114
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   115
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   116
         * Creates a {@code JarSigner.Builder} object with
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   117
         * a {@link KeyStore.PrivateKeyEntry} object.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   118
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   119
         * @param entry the {@link KeyStore.PrivateKeyEntry} of the signer.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   120
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   121
        public Builder(KeyStore.PrivateKeyEntry entry) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   122
            this.privateKey = entry.getPrivateKey();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   123
            try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   124
                // called internally, no need to clone
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   125
                Certificate[] certs = entry.getCertificateChain();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   126
                this.certChain = Arrays.copyOf(certs, certs.length,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   127
                        X509Certificate[].class);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   128
            } catch (ArrayStoreException ase) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   129
                // Wrong type, not X509Certificate. Won't document.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   130
                throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   131
                        "Entry does not contain X509Certificate");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   132
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   133
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   134
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   135
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   136
         * Creates a {@code JarSigner.Builder} object with a private key and
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   137
         * a certification path.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   138
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   139
         * @param privateKey the private key of the signer.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   140
         * @param certPath the certification path of the signer.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   141
         * @throws IllegalArgumentException if {@code certPath} is empty, or
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   142
         *      the {@code privateKey} algorithm does not match the algorithm
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   143
         *      of the {@code PublicKey} in the end entity certificate
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   144
         *      (the first certificate in {@code certPath}).
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   145
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   146
        public Builder(PrivateKey privateKey, CertPath certPath) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   147
            List<? extends Certificate> certs = certPath.getCertificates();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   148
            if (certs.isEmpty()) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   149
                throw new IllegalArgumentException("certPath cannot be empty");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   150
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   151
            if (!privateKey.getAlgorithm().equals
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   152
                    (certs.get(0).getPublicKey().getAlgorithm())) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   153
                throw new IllegalArgumentException
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   154
                        ("private key algorithm does not match " +
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   155
                                "algorithm of public key in end entity " +
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   156
                                "certificate (the 1st in certPath)");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   157
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   158
            this.privateKey = privateKey;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   159
            try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   160
                this.certChain = certs.toArray(new X509Certificate[certs.size()]);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   161
            } catch (ArrayStoreException ase) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   162
                // Wrong type, not X509Certificate.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   163
                throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   164
                        "Entry does not contain X509Certificate");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   165
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   166
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   167
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   168
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   169
         * Sets the digest algorithm. If no digest algorithm is specified,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   170
         * the default algorithm returned by {@link #getDefaultDigestAlgorithm}
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   171
         * will be used.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   172
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   173
         * @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   174
         *      the {@code MessageDigest} section in the <a href=
45118
e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory
ihse
parents: 42685
diff changeset
   175
         *      "{@docRoot}/../specs/security/standard-names.html#messagedigest-algorithms">
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   176
         *      Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   177
         *      Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   178
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   179
         * @throws NoSuchAlgorithmException if {@code algorithm} is not available.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   180
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   181
        public Builder digestAlgorithm(String algorithm) throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   182
            MessageDigest.getInstance(Objects.requireNonNull(algorithm));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   183
            this.digestalg = new String[]{algorithm};
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   184
            this.digestProvider = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   185
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   186
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   187
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   188
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   189
         * Sets the digest algorithm from the specified provider.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   190
         * If no digest algorithm is specified, the default algorithm
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   191
         * returned by {@link #getDefaultDigestAlgorithm} will be used.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   192
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   193
         * @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   194
         *      the {@code MessageDigest} section in the <a href=
45118
e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory
ihse
parents: 42685
diff changeset
   195
         *      "{@docRoot}/../specs/security/standard-names.html#messagedigest-algorithms">
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   196
         *      Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   197
         *      Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   198
         * @param provider the provider.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   199
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   200
         * @throws NoSuchAlgorithmException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   201
         *      available in the specified provider.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   202
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   203
        public Builder digestAlgorithm(String algorithm, Provider provider)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   204
                throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   205
            MessageDigest.getInstance(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   206
                    Objects.requireNonNull(algorithm),
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   207
                    Objects.requireNonNull(provider));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   208
            this.digestalg = new String[]{algorithm};
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   209
            this.digestProvider = provider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   210
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   211
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   212
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   213
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   214
         * Sets the signature algorithm. If no signature algorithm
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   215
         * is specified, the default signature algorithm returned by
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   216
         * {@link #getDefaultSignatureAlgorithm} for the private key
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   217
         * will be used.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   218
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   219
         * @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   220
         *      the {@code Signature} section in the <a href=
45118
e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory
ihse
parents: 42685
diff changeset
   221
         *      "{@docRoot}/../specs/security/standard-names.html#signature-algorithms">
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   222
         *      Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   223
         *      Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   224
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   225
         * @throws NoSuchAlgorithmException if {@code algorithm} is not available.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   226
         * @throws IllegalArgumentException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   227
         *      compatible with the algorithm of the signer's private key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   228
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   229
        public Builder signatureAlgorithm(String algorithm)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   230
                throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   231
            // Check availability
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   232
            Signature.getInstance(Objects.requireNonNull(algorithm));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   233
            AlgorithmId.checkKeyAndSigAlgMatch(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   234
                    privateKey.getAlgorithm(), algorithm);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   235
            this.sigalg = algorithm;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   236
            this.sigProvider = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   237
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   238
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   239
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   240
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   241
         * Sets the signature algorithm from the specified provider. If no
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   242
         * signature algorithm is specified, the default signature algorithm
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   243
         * returned by {@link #getDefaultSignatureAlgorithm} for the private
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   244
         * key will be used.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   245
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   246
         * @param algorithm the standard name of the algorithm. See
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   247
         *      the {@code Signature} section in the <a href=
45118
e4258d800b54 8178278: Move Standard Algorithm Names document to specs directory
ihse
parents: 42685
diff changeset
   248
         *      "{@docRoot}/../specs/security/standard-names.html#signature-algorithms">
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   249
         *      Java Cryptography Architecture Standard Algorithm Name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   250
         *      Documentation</a> for information about standard algorithm names.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   251
         * @param provider  the provider.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   252
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   253
         * @throws NoSuchAlgorithmException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   254
         *      available in the specified provider.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   255
         * @throws IllegalArgumentException if {@code algorithm} is not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   256
         *      compatible with the algorithm of the signer's private key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   257
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   258
        public Builder signatureAlgorithm(String algorithm, Provider provider)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   259
                throws NoSuchAlgorithmException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   260
            // Check availability
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   261
            Signature.getInstance(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   262
                    Objects.requireNonNull(algorithm),
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   263
                    Objects.requireNonNull(provider));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   264
            AlgorithmId.checkKeyAndSigAlgMatch(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   265
                    privateKey.getAlgorithm(), algorithm);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   266
            this.sigalg = algorithm;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   267
            this.sigProvider = provider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   268
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   269
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   270
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   271
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   272
         * Sets the URI of the Time Stamping Authority (TSA).
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   273
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   274
         * @param uri the URI.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   275
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   276
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   277
        public Builder tsa(URI uri) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   278
            this.tsaUrl = Objects.requireNonNull(uri);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   279
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   280
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   281
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   282
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   283
         * Sets the signer name. The name will be used as the base name for
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   284
         * the signature files. All lowercase characters will be converted to
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   285
         * uppercase for signature file names. If a signer name is not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   286
         * specified, the string "SIGNER" will be used.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   287
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   288
         * @param name the signer name.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   289
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   290
         * @throws IllegalArgumentException if {@code name} is empty or has
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   291
         *      a size bigger than 8, or it contains characters not from the
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   292
         *      set "a-zA-Z0-9_-".
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   293
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   294
        public Builder signerName(String name) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   295
            if (name.isEmpty() || name.length() > 8) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   296
                throw new IllegalArgumentException("Name too long");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   297
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   298
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   299
            name = name.toUpperCase(Locale.ENGLISH);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   300
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   301
            for (int j = 0; j < name.length(); j++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   302
                char c = name.charAt(j);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   303
                if (!
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   304
                        ((c >= 'A' && c <= 'Z') ||
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   305
                                (c >= '0' && c <= '9') ||
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   306
                                (c == '-') ||
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   307
                                (c == '_'))) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   308
                    throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   309
                            "Invalid characters in name");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   310
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   311
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   312
            this.signerName = name;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   313
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   314
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   315
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   316
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   317
         * Sets en event handler that will be triggered when a {@link JarEntry}
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   318
         * is to be added, signed, or updated during the signing process.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   319
         * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   320
         * The handler can be used to display signing progress. The first
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   321
         * argument of the handler can be "adding", "signing", or "updating",
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   322
         * and the second argument is the name of the {@link JarEntry}
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   323
         * being processed.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   324
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   325
         * @param handler the event handler.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   326
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   327
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   328
        public Builder eventHandler(BiConsumer<String,String> handler) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   329
            this.handler = Objects.requireNonNull(handler);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   330
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   331
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   332
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   333
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   334
         * Sets an additional implementation-specific property indicated by
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   335
         * the specified key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   336
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   337
         * @implNote This implementation supports the following properties:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   338
         * <ul>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   339
         * <li>"tsaDigestAlg": algorithm of digest data in the timestamping
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   340
         * request. The default value is the same as the result of
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   341
         * {@link #getDefaultDigestAlgorithm}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   342
         * <li>"tsaPolicyId": TSAPolicyID for Timestamping Authority.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   343
         * No default value.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   344
         * <li>"internalsf": "true" if the .SF file is included inside the
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   345
         * signature block, "false" otherwise. Default "false".
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   346
         * <li>"sectionsonly": "true" if the .SF file only contains the hash
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   347
         * value for each section of the manifest and not for the whole
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   348
         * manifest, "false" otherwise. Default "false".
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   349
         * </ul>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   350
         * All property names are case-insensitive.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   351
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   352
         * @param key the name of the property.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   353
         * @param value the value of the property.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   354
         * @return the {@code JarSigner.Builder} itself.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   355
         * @throws UnsupportedOperationException if the key is not supported
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   356
         *      by this implementation.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   357
         * @throws IllegalArgumentException if the value is not accepted as
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   358
         *      a legal value for this key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   359
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   360
        public Builder setProperty(String key, String value) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   361
            Objects.requireNonNull(key);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   362
            Objects.requireNonNull(value);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   363
            switch (key.toLowerCase(Locale.US)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   364
                case "tsadigestalg":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   365
                    try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   366
                        MessageDigest.getInstance(value);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   367
                    } catch (NoSuchAlgorithmException nsae) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   368
                        throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   369
                                "Invalid tsadigestalg", nsae);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   370
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   371
                    this.tSADigestAlg = value;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   372
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   373
                case "tsapolicyid":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   374
                    this.tSAPolicyID = value;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   375
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   376
                case "internalsf":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   377
                    switch (value) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   378
                        case "true":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   379
                            externalSF = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   380
                            break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   381
                        case "false":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   382
                            externalSF = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   383
                            break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   384
                        default:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   385
                            throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   386
                                "Invalid internalsf value");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   387
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   388
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   389
                case "sectionsonly":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   390
                    switch (value) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   391
                        case "true":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   392
                            signManifest = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   393
                            break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   394
                        case "false":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   395
                            signManifest = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   396
                            break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   397
                        default:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   398
                            throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   399
                                "Invalid signManifest value");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   400
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   401
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   402
                case "altsignerpath":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   403
                    altSignerPath = value;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   404
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   405
                case "altsigner":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   406
                    altSigner = value;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   407
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   408
                default:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   409
                    throw new UnsupportedOperationException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   410
                            "Unsupported key " + key);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   411
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   412
            return this;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   413
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   414
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   415
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   416
         * Gets the default digest algorithm.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   417
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   418
         * @implNote This implementation returns "SHA-256". The value may
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   419
         * change in the future.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   420
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   421
         * @return the default digest algorithm.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   422
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   423
        public static String getDefaultDigestAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   424
            return "SHA-256";
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   425
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   426
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   427
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   428
         * Gets the default signature algorithm for a private key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   429
         * For example, SHA256withRSA for a 2048-bit RSA key, and
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   430
         * SHA384withECDSA for a 384-bit EC key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   431
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   432
         * @implNote This implementation makes use of comparable strengths
42685
a538ed225637 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
weijun
parents: 35302
diff changeset
   433
         * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.4.
33872
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   434
         * Specifically, if a DSA or RSA key with a key size greater than 7680
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   435
         * bits, or an EC key with a key size greater than or equal to 512 bits,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   436
         * SHA-512 will be used as the hash function for the signature.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   437
         * If a DSA or RSA key has a key size greater than 3072 bits, or an
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   438
         * EC key has a key size greater than or equal to 384 bits, SHA-384 will
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   439
         * be used. Otherwise, SHA-256 will be used. The value may
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   440
         * change in the future.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   441
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   442
         * @param key the private key.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   443
         * @return the default signature algorithm. Returns null if a default
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   444
         *      signature algorithm cannot be found. In this case,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   445
         *      {@link #signatureAlgorithm} must be called to specify a
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   446
         *      signature algorithm. Otherwise, the {@link #build} method
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   447
         *      will throw an {@link IllegalArgumentException}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   448
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   449
        public static String getDefaultSignatureAlgorithm(PrivateKey key) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   450
            return AlgorithmId.getDefaultSigAlgForKey(Objects.requireNonNull(key));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   451
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   452
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   453
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   454
         * Builds a {@code JarSigner} object from the parameters set by the
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   455
         * setter methods.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   456
         * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   457
         * This method does not modify internal state of this {@code Builder}
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   458
         * object and can be called multiple times to generate multiple
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   459
         * {@code JarSigner} objects. After this method is called, calling
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   460
         * any method on this {@code Builder} will have no effect on
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   461
         * the newly built {@code JarSigner} object.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   462
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   463
         * @return the {@code JarSigner} object.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   464
         * @throws IllegalArgumentException if a signature algorithm is not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   465
         *      set and cannot be derived from the private key using the
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   466
         *      {@link #getDefaultSignatureAlgorithm} method.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   467
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   468
        public JarSigner build() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   469
            return new JarSigner(this);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   470
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   471
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   472
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   473
    private static final String META_INF = "META-INF/";
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   474
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   475
    // All fields in Builder are duplicated here as final. Those not
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   476
    // provided but has a default value will be filled with default value.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   477
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   478
    // Precisely, a final array field can still be modified if only
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   479
    // reference is copied, no clone is done because we are concerned about
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   480
    // casual change instead of malicious attack.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   481
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   482
    // Signer materials:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   483
    private final PrivateKey privateKey;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   484
    private final X509Certificate[] certChain;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   485
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   486
    // JarSigner options:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   487
    private final String[] digestalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   488
    private final String sigalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   489
    private final Provider digestProvider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   490
    private final Provider sigProvider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   491
    private final URI tsaUrl;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   492
    private final String signerName;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   493
    private final BiConsumer<String,String> handler;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   494
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   495
    // Implementation-specific properties:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   496
    private final String tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   497
    private final String tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   498
    private final boolean signManifest; // "sign" the whole manifest
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   499
    private final boolean externalSF; // leave the .SF out of the PKCS7 block
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   500
    private final String altSignerPath;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   501
    private final String altSigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   502
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   503
    private JarSigner(JarSigner.Builder builder) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   504
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   505
        this.privateKey = builder.privateKey;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   506
        this.certChain = builder.certChain;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   507
        if (builder.digestalg != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   508
            // No need to clone because builder only accepts one alg now
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   509
            this.digestalg = builder.digestalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   510
        } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   511
            this.digestalg = new String[] {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   512
                    Builder.getDefaultDigestAlgorithm() };
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   513
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   514
        this.digestProvider = builder.digestProvider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   515
        if (builder.sigalg != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   516
            this.sigalg = builder.sigalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   517
        } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   518
            this.sigalg = JarSigner.Builder
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   519
                    .getDefaultSignatureAlgorithm(privateKey);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   520
            if (this.sigalg == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   521
                throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   522
                        "No signature alg for " + privateKey.getAlgorithm());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   523
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   524
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   525
        this.sigProvider = builder.sigProvider;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   526
        this.tsaUrl = builder.tsaUrl;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   527
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   528
        if (builder.signerName == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   529
            this.signerName = "SIGNER";
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   530
        } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   531
            this.signerName = builder.signerName;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   532
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   533
        this.handler = builder.handler;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   534
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   535
        if (builder.tSADigestAlg != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   536
            this.tSADigestAlg = builder.tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   537
        } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   538
            this.tSADigestAlg = Builder.getDefaultDigestAlgorithm();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   539
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   540
        this.tSAPolicyID = builder.tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   541
        this.signManifest = builder.signManifest;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   542
        this.externalSF = builder.externalSF;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   543
        this.altSigner = builder.altSigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   544
        this.altSignerPath = builder.altSignerPath;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   545
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   546
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   547
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   548
     * Signs a file into an {@link OutputStream}. This method will not close
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   549
     * {@code file} or {@code os}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   550
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   551
     * @param file the file to sign.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   552
     * @param os the output stream.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   553
     * @throws JarSignerException if the signing fails.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   554
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   555
    public void sign(ZipFile file, OutputStream os) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   556
        try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   557
            sign0(Objects.requireNonNull(file),
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   558
                    Objects.requireNonNull(os));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   559
        } catch (SocketTimeoutException | CertificateException e) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   560
            // CertificateException is thrown when the received cert from TSA
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   561
            // has no id-kp-timeStamping in its Extended Key Usages extension.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   562
            throw new JarSignerException("Error applying timestamp", e);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   563
        } catch (IOException ioe) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   564
            throw new JarSignerException("I/O error", ioe);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   565
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   566
            throw new JarSignerException("Error in signer materials", e);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   567
        } catch (SignatureException se) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   568
            throw new JarSignerException("Error creating signature", se);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   569
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   570
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   571
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   572
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   573
     * Returns the digest algorithm for this {@code JarSigner}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   574
     * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   575
     * The return value is never null.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   576
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   577
     * @return the digest algorithm.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   578
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   579
    public String getDigestAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   580
        return digestalg[0];
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   581
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   582
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   583
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   584
     * Returns the signature algorithm for this {@code JarSigner}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   585
     * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   586
     * The return value is never null.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   587
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   588
     * @return the signature algorithm.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   589
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   590
    public String getSignatureAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   591
        return sigalg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   592
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   593
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   594
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   595
     * Returns the URI of the Time Stamping Authority (TSA).
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   596
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   597
     * @return the URI of the TSA.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   598
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   599
    public URI getTsa() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   600
        return tsaUrl;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   601
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   602
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   603
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   604
     * Returns the signer name of this {@code JarSigner}.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   605
     * <p>
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   606
     * The return value is never null.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   607
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   608
     * @return the signer name.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   609
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   610
    public String getSignerName() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   611
        return signerName;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   612
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   613
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   614
    /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   615
     * Returns the value of an additional implementation-specific property
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   616
     * indicated by the specified key. If a property is not set but has a
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   617
     * default value, the default value will be returned.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   618
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   619
     * @implNote See {@link JarSigner.Builder#setProperty} for a list of
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   620
     * properties this implementation supports. All property names are
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   621
     * case-insensitive.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   622
     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   623
     * @param key the name of the property.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   624
     * @return the value for the property.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   625
     * @throws UnsupportedOperationException if the key is not supported
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   626
     *      by this implementation.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   627
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   628
    public String getProperty(String key) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   629
        Objects.requireNonNull(key);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   630
        switch (key.toLowerCase(Locale.US)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   631
            case "tsadigestalg":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   632
                return tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   633
            case "tsapolicyid":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   634
                return tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   635
            case "internalsf":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   636
                return Boolean.toString(!externalSF);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   637
            case "sectionsonly":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   638
                return Boolean.toString(!signManifest);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   639
            case "altsignerpath":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   640
                return altSignerPath;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   641
            case "altsigner":
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   642
                return altSigner;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   643
            default:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   644
                throw new UnsupportedOperationException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   645
                        "Unsupported key " + key);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   646
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   647
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   648
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   649
    private void sign0(ZipFile zipFile, OutputStream os)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   650
            throws IOException, CertificateException, NoSuchAlgorithmException,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   651
            SignatureException, InvalidKeyException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   652
        MessageDigest[] digests;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   653
        try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   654
            digests = new MessageDigest[digestalg.length];
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   655
            for (int i = 0; i < digestalg.length; i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   656
                if (digestProvider == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   657
                    digests[i] = MessageDigest.getInstance(digestalg[i]);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   658
                } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   659
                    digests[i] = MessageDigest.getInstance(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   660
                            digestalg[i], digestProvider);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   661
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   662
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   663
        } catch (NoSuchAlgorithmException asae) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   664
            // Should not happen. User provided alg were checked, and default
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   665
            // alg should always be available.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   666
            throw new AssertionError(asae);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   667
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   668
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   669
        PrintStream ps = new PrintStream(os);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   670
        ZipOutputStream zos = new ZipOutputStream(ps);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   671
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   672
        Manifest manifest = new Manifest();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   673
        Map<String, Attributes> mfEntries = manifest.getEntries();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   674
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   675
        // The Attributes of manifest before updating
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   676
        Attributes oldAttr = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   677
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   678
        boolean mfModified = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   679
        boolean mfCreated = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   680
        byte[] mfRawBytes = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   681
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   682
        // Check if manifest exists
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   683
        ZipEntry mfFile;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   684
        if ((mfFile = getManifestFile(zipFile)) != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   685
            // Manifest exists. Read its raw bytes.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   686
            mfRawBytes = zipFile.getInputStream(mfFile).readAllBytes();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   687
            manifest.read(new ByteArrayInputStream(mfRawBytes));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   688
            oldAttr = (Attributes) (manifest.getMainAttributes().clone());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   689
        } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   690
            // Create new manifest
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   691
            Attributes mattr = manifest.getMainAttributes();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   692
            mattr.putValue(Attributes.Name.MANIFEST_VERSION.toString(),
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   693
                    "1.0");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   694
            String javaVendor = System.getProperty("java.vendor");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   695
            String jdkVersion = System.getProperty("java.version");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   696
            mattr.putValue("Created-By", jdkVersion + " (" + javaVendor
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   697
                    + ")");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   698
            mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   699
            mfCreated = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   700
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   701
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   702
        /*
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   703
         * For each entry in jar
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   704
         * (except for signature-related META-INF entries),
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   705
         * do the following:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   706
         *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   707
         * - if entry is not contained in manifest, add it to manifest;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   708
         * - if entry is contained in manifest, calculate its hash and
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   709
         *   compare it with the one in the manifest; if they are
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   710
         *   different, replace the hash in the manifest with the newly
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   711
         *   generated one. (This may invalidate existing signatures!)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   712
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   713
        Vector<ZipEntry> mfFiles = new Vector<>();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   714
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   715
        boolean wasSigned = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   716
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   717
        for (Enumeration<? extends ZipEntry> enum_ = zipFile.entries();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   718
             enum_.hasMoreElements(); ) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   719
            ZipEntry ze = enum_.nextElement();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   720
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   721
            if (ze.getName().startsWith(META_INF)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   722
                // Store META-INF files in vector, so they can be written
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   723
                // out first
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   724
                mfFiles.addElement(ze);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   725
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   726
                if (SignatureFileVerifier.isBlockOrSF(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   727
                        ze.getName().toUpperCase(Locale.ENGLISH))) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   728
                    wasSigned = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   729
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   730
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   731
                if (SignatureFileVerifier.isSigningRelated(ze.getName())) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   732
                    // ignore signature-related and manifest files
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   733
                    continue;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   734
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   735
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   736
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   737
            if (manifest.getAttributes(ze.getName()) != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   738
                // jar entry is contained in manifest, check and
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   739
                // possibly update its digest attributes
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   740
                if (updateDigests(ze, zipFile, digests,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   741
                        manifest)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   742
                    mfModified = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   743
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   744
            } else if (!ze.isDirectory()) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   745
                // Add entry to manifest
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   746
                Attributes attrs = getDigestAttributes(ze, zipFile, digests);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   747
                mfEntries.put(ze.getName(), attrs);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   748
                mfModified = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   749
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   750
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   751
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   752
        // Recalculate the manifest raw bytes if necessary
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   753
        if (mfModified) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   754
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   755
            manifest.write(baos);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   756
            if (wasSigned) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   757
                byte[] newBytes = baos.toByteArray();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   758
                if (mfRawBytes != null
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   759
                        && oldAttr.equals(manifest.getMainAttributes())) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   760
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   761
                    /*
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   762
                     * Note:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   763
                     *
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   764
                     * The Attributes object is based on HashMap and can handle
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   765
                     * continuation columns. Therefore, even if the contents are
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   766
                     * not changed (in a Map view), the bytes that it write()
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   767
                     * may be different from the original bytes that it read()
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   768
                     * from. Since the signature on the main attributes is based
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   769
                     * on raw bytes, we must retain the exact bytes.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   770
                     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   771
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   772
                    int newPos = findHeaderEnd(newBytes);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   773
                    int oldPos = findHeaderEnd(mfRawBytes);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   774
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   775
                    if (newPos == oldPos) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   776
                        System.arraycopy(mfRawBytes, 0, newBytes, 0, oldPos);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   777
                    } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   778
                        // cat oldHead newTail > newBytes
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   779
                        byte[] lastBytes = new byte[oldPos +
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   780
                                newBytes.length - newPos];
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   781
                        System.arraycopy(mfRawBytes, 0, lastBytes, 0, oldPos);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   782
                        System.arraycopy(newBytes, newPos, lastBytes, oldPos,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   783
                                newBytes.length - newPos);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   784
                        newBytes = lastBytes;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   785
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   786
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   787
                mfRawBytes = newBytes;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   788
            } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   789
                mfRawBytes = baos.toByteArray();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   790
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   791
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   792
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   793
        // Write out the manifest
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   794
        if (mfModified) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   795
            // manifest file has new length
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   796
            mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   797
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   798
        if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   799
            if (mfCreated) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   800
                handler.accept("adding", mfFile.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   801
            } else if (mfModified) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   802
                handler.accept("updating", mfFile.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   803
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   804
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   805
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   806
        zos.putNextEntry(mfFile);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   807
        zos.write(mfRawBytes);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   808
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   809
        // Calculate SignatureFile (".SF") and SignatureBlockFile
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   810
        ManifestDigester manDig = new ManifestDigester(mfRawBytes);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   811
        SignatureFile sf = new SignatureFile(digests, manifest, manDig,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   812
                signerName, signManifest);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   813
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   814
        byte[] block;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   815
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   816
        Signature signer;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   817
        if (sigProvider == null ) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   818
            signer = Signature.getInstance(sigalg);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   819
        } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   820
            signer = Signature.getInstance(sigalg, sigProvider);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   821
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   822
        signer.initSign(privateKey);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   823
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   824
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   825
        sf.write(baos);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   826
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   827
        byte[] content = baos.toByteArray();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   828
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   829
        signer.update(content);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   830
        byte[] signature = signer.sign();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   831
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   832
        @SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   833
        ContentSigner signingMechanism = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   834
        if (altSigner != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   835
            signingMechanism = loadSigningMechanism(altSigner,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   836
                    altSignerPath);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   837
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   838
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   839
        @SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   840
        ContentSignerParameters params =
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   841
                new JarSignerParameters(null, tsaUrl, tSAPolicyID,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   842
                        tSADigestAlg, signature,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   843
                        signer.getAlgorithm(), certChain, content, zipFile);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   844
        block = sf.generateBlock(params, externalSF, signingMechanism);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   845
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   846
        String sfFilename = sf.getMetaName();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   847
        String bkFilename = sf.getBlockName(privateKey);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   848
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   849
        ZipEntry sfFile = new ZipEntry(sfFilename);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   850
        ZipEntry bkFile = new ZipEntry(bkFilename);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   851
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   852
        long time = System.currentTimeMillis();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   853
        sfFile.setTime(time);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   854
        bkFile.setTime(time);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   855
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   856
        // signature file
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   857
        zos.putNextEntry(sfFile);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   858
        sf.write(zos);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   859
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   860
        if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   861
            if (zipFile.getEntry(sfFilename) != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   862
                handler.accept("updating", sfFilename);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   863
            } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   864
                handler.accept("adding", sfFilename);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   865
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   866
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   867
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   868
        // signature block file
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   869
        zos.putNextEntry(bkFile);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   870
        zos.write(block);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   871
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   872
        if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   873
            if (zipFile.getEntry(bkFilename) != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   874
                handler.accept("updating", bkFilename);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   875
            } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   876
                handler.accept("adding", bkFilename);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   877
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   878
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   879
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   880
        // Write out all other META-INF files that we stored in the
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   881
        // vector
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   882
        for (int i = 0; i < mfFiles.size(); i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   883
            ZipEntry ze = mfFiles.elementAt(i);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   884
            if (!ze.getName().equalsIgnoreCase(JarFile.MANIFEST_NAME)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   885
                    && !ze.getName().equalsIgnoreCase(sfFilename)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   886
                    && !ze.getName().equalsIgnoreCase(bkFilename)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   887
                if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   888
                    if (manifest.getAttributes(ze.getName()) != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   889
                        handler.accept("signing", ze.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   890
                    } else if (!ze.isDirectory()) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   891
                        handler.accept("adding", ze.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   892
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   893
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   894
                writeEntry(zipFile, zos, ze);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   895
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   896
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   897
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   898
        // Write out all other files
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   899
        for (Enumeration<? extends ZipEntry> enum_ = zipFile.entries();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   900
             enum_.hasMoreElements(); ) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   901
            ZipEntry ze = enum_.nextElement();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   902
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   903
            if (!ze.getName().startsWith(META_INF)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   904
                if (handler != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   905
                    if (manifest.getAttributes(ze.getName()) != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   906
                        handler.accept("signing", ze.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   907
                    } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   908
                        handler.accept("adding", ze.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   909
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   910
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   911
                writeEntry(zipFile, zos, ze);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   912
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   913
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   914
        zipFile.close();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   915
        zos.close();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   916
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   917
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   918
    private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   919
            throws IOException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   920
        ZipEntry ze2 = new ZipEntry(ze.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   921
        ze2.setMethod(ze.getMethod());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   922
        ze2.setTime(ze.getTime());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   923
        ze2.setComment(ze.getComment());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   924
        ze2.setExtra(ze.getExtra());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   925
        if (ze.getMethod() == ZipEntry.STORED) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   926
            ze2.setSize(ze.getSize());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   927
            ze2.setCrc(ze.getCrc());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   928
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   929
        os.putNextEntry(ze2);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   930
        writeBytes(zf, ze, os);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   931
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   932
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   933
    private void writeBytes
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   934
            (ZipFile zf, ZipEntry ze, ZipOutputStream os) throws IOException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   935
        try (InputStream is = zf.getInputStream(ze)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   936
            is.transferTo(os);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   937
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   938
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   939
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   940
    private boolean updateDigests(ZipEntry ze, ZipFile zf,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   941
                                  MessageDigest[] digests,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   942
                                  Manifest mf) throws IOException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   943
        boolean update = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   944
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   945
        Attributes attrs = mf.getAttributes(ze.getName());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   946
        String[] base64Digests = getDigests(ze, zf, digests);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   947
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   948
        for (int i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   949
            // The entry name to be written into attrs
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   950
            String name = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   951
            try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   952
                // Find if the digest already exists. An algorithm could have
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   953
                // different names. For example, last time it was SHA, and this
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   954
                // time it's SHA-1.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   955
                AlgorithmId aid = AlgorithmId.get(digests[i].getAlgorithm());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   956
                for (Object key : attrs.keySet()) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   957
                    if (key instanceof Attributes.Name) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   958
                        String n = key.toString();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   959
                        if (n.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   960
                            String tmp = n.substring(0, n.length() - 7);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   961
                            if (AlgorithmId.get(tmp).equals(aid)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   962
                                name = n;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   963
                                break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   964
                            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   965
                        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   966
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   967
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   968
            } catch (NoSuchAlgorithmException nsae) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   969
                // Ignored. Writing new digest entry.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   970
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   971
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   972
            if (name == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   973
                name = digests[i].getAlgorithm() + "-Digest";
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   974
                attrs.putValue(name, base64Digests[i]);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   975
                update = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   976
            } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   977
                // compare digests, and replace the one in the manifest
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   978
                // if they are different
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   979
                String mfDigest = attrs.getValue(name);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   980
                if (!mfDigest.equalsIgnoreCase(base64Digests[i])) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   981
                    attrs.putValue(name, base64Digests[i]);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   982
                    update = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   983
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   984
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   985
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   986
        return update;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   987
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   988
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   989
    private Attributes getDigestAttributes(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   990
            ZipEntry ze, ZipFile zf, MessageDigest[] digests)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   991
            throws IOException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   992
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   993
        String[] base64Digests = getDigests(ze, zf, digests);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   994
        Attributes attrs = new Attributes();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   995
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   996
        for (int i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   997
            attrs.putValue(digests[i].getAlgorithm() + "-Digest",
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   998
                    base64Digests[i]);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
   999
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1000
        return attrs;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1001
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1002
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1003
    /*
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1004
     * Returns manifest entry from given jar file, or null if given jar file
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1005
     * does not have a manifest entry.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1006
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1007
    private ZipEntry getManifestFile(ZipFile zf) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1008
        ZipEntry ze = zf.getEntry(JarFile.MANIFEST_NAME);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1009
        if (ze == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1010
            // Check all entries for matching name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1011
            Enumeration<? extends ZipEntry> enum_ = zf.entries();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1012
            while (enum_.hasMoreElements() && ze == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1013
                ze = enum_.nextElement();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1014
                if (!JarFile.MANIFEST_NAME.equalsIgnoreCase
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1015
                        (ze.getName())) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1016
                    ze = null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1017
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1018
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1019
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1020
        return ze;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1021
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1022
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1023
    private String[] getDigests(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1024
            ZipEntry ze, ZipFile zf, MessageDigest[] digests)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1025
            throws IOException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1026
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1027
        int n, i;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1028
        try (InputStream is = zf.getInputStream(ze)) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1029
            long left = ze.getSize();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1030
            byte[] buffer = new byte[8192];
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1031
            while ((left > 0)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1032
                    && (n = is.read(buffer, 0, buffer.length)) != -1) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1033
                for (i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1034
                    digests[i].update(buffer, 0, n);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1035
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1036
                left -= n;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1037
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1038
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1039
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1040
        // complete the digests
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1041
        String[] base64Digests = new String[digests.length];
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1042
        for (i = 0; i < digests.length; i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1043
            base64Digests[i] = Base64.getEncoder()
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1044
                    .encodeToString(digests[i].digest());
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1045
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1046
        return base64Digests;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1047
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1048
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1049
    @SuppressWarnings("fallthrough")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1050
    private int findHeaderEnd(byte[] bs) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1051
        // Initial state true to deal with empty header
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1052
        boolean newline = true;     // just met a newline
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1053
        int len = bs.length;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1054
        for (int i = 0; i < len; i++) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1055
            switch (bs[i]) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1056
                case '\r':
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1057
                    if (i < len - 1 && bs[i + 1] == '\n') i++;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1058
                    // fallthrough
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1059
                case '\n':
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1060
                    if (newline) return i + 1;    //+1 to get length
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1061
                    newline = true;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1062
                    break;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1063
                default:
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1064
                    newline = false;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1065
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1066
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1067
        // If header end is not found, it means the MANIFEST.MF has only
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1068
        // the main attributes section and it does not end with 2 newlines.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1069
        // Returns the whole length so that it can be completely replaced.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1070
        return len;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1071
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1072
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1073
    /*
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1074
     * Try to load the specified signing mechanism.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1075
     * The URL class loader is used.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1076
     */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1077
    @SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1078
    private ContentSigner loadSigningMechanism(String signerClassName,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1079
                                               String signerClassPath) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1080
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1081
        // construct class loader
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1082
        String cpString;   // make sure env.class.path defaults to dot
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1083
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1084
        // do prepends to get correct ordering
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1085
        cpString = PathList.appendPath(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1086
                System.getProperty("env.class.path"), null);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1087
        cpString = PathList.appendPath(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1088
                System.getProperty("java.class.path"), cpString);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1089
        cpString = PathList.appendPath(signerClassPath, cpString);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1090
        URL[] urls = PathList.pathToURLs(cpString);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1091
        ClassLoader appClassLoader = new URLClassLoader(urls);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1092
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1093
        try {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1094
            // attempt to find signer
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1095
            Class<?> signerClass = appClassLoader.loadClass(signerClassName);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1096
            Object signer = signerClass.newInstance();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1097
            return (ContentSigner) signer;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1098
        } catch (ClassNotFoundException|InstantiationException|
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1099
                IllegalAccessException|ClassCastException e) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1100
            throw new IllegalArgumentException(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1101
                    "Invalid altSigner or altSignerPath", e);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1102
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1103
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1104
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1105
    static class SignatureFile {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1106
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1107
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1108
         * SignatureFile
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1109
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1110
        Manifest sf;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1111
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1112
        /**
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1113
         * .SF base name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1114
         */
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1115
        String baseName;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1116
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1117
        public SignatureFile(MessageDigest digests[],
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1118
                             Manifest mf,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1119
                             ManifestDigester md,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1120
                             String baseName,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1121
                             boolean signManifest) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1122
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1123
            this.baseName = baseName;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1124
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1125
            String version = System.getProperty("java.version");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1126
            String javaVendor = System.getProperty("java.vendor");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1127
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1128
            sf = new Manifest();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1129
            Attributes mattr = sf.getMainAttributes();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1130
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1131
            mattr.putValue(Attributes.Name.SIGNATURE_VERSION.toString(), "1.0");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1132
            mattr.putValue("Created-By", version + " (" + javaVendor + ")");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1133
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1134
            if (signManifest) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1135
                for (MessageDigest digest: digests) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1136
                    mattr.putValue(digest.getAlgorithm() + "-Digest-Manifest",
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1137
                            Base64.getEncoder().encodeToString(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1138
                                    md.manifestDigest(digest)));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1139
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1140
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1141
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1142
            // create digest of the manifest main attributes
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1143
            ManifestDigester.Entry mde =
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1144
                    md.get(ManifestDigester.MF_MAIN_ATTRS, false);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1145
            if (mde != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1146
                for (MessageDigest digest: digests) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1147
                    mattr.putValue(digest.getAlgorithm() +
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1148
                                    "-Digest-" + ManifestDigester.MF_MAIN_ATTRS,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1149
                            Base64.getEncoder().encodeToString(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1150
                                    mde.digest(digest)));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1151
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1152
            } else {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1153
                throw new IllegalStateException
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1154
                        ("ManifestDigester failed to create " +
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1155
                                "Manifest-Main-Attribute entry");
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1156
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1157
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1158
            // go through the manifest entries and create the digests
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1159
            Map<String, Attributes> entries = sf.getEntries();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1160
            for (String name: mf.getEntries().keySet()) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1161
                mde = md.get(name, false);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1162
                if (mde != null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1163
                    Attributes attr = new Attributes();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1164
                    for (MessageDigest digest: digests) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1165
                        attr.putValue(digest.getAlgorithm() + "-Digest",
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1166
                                Base64.getEncoder().encodeToString(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1167
                                        mde.digest(digest)));
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1168
                    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1169
                    entries.put(name, attr);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1170
                }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1171
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1172
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1173
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1174
        // Write .SF file
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1175
        public void write(OutputStream out) throws IOException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1176
            sf.write(out);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1177
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1178
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1179
        // get .SF file name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1180
        public String getMetaName() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1181
            return "META-INF/" + baseName + ".SF";
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1182
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1183
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1184
        // get .DSA (or .DSA, .EC) file name
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1185
        public String getBlockName(PrivateKey privateKey) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1186
            String keyAlgorithm = privateKey.getAlgorithm();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1187
            return "META-INF/" + baseName + "." + keyAlgorithm;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1188
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1189
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1190
        // Generates the PKCS#7 content of block file
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1191
        @SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1192
        public byte[] generateBlock(ContentSignerParameters params,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1193
                                    boolean externalSF,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1194
                                    ContentSigner signingMechanism)
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1195
                throws NoSuchAlgorithmException,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1196
                       IOException, CertificateException {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1197
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1198
            if (signingMechanism == null) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1199
                signingMechanism = new TimestampedSigner();
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1200
            }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1201
            return signingMechanism.generateSignedData(
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1202
                    params,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1203
                    externalSF,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1204
                    params.getTimestampingAuthority() != null
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1205
                        || params.getTimestampingAuthorityCertificate() != null);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1206
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1207
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1208
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1209
    @SuppressWarnings("deprecation")
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1210
    class JarSignerParameters implements ContentSignerParameters {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1211
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1212
        private String[] args;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1213
        private URI tsa;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1214
        private byte[] signature;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1215
        private String signatureAlgorithm;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1216
        private X509Certificate[] signerCertificateChain;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1217
        private byte[] content;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1218
        private ZipFile source;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1219
        private String tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1220
        private String tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1221
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1222
        JarSignerParameters(String[] args, URI tsa,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1223
                            String tSAPolicyID, String tSADigestAlg,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1224
                            byte[] signature, String signatureAlgorithm,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1225
                            X509Certificate[] signerCertificateChain,
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1226
                            byte[] content, ZipFile source) {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1227
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1228
            Objects.requireNonNull(signature);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1229
            Objects.requireNonNull(signatureAlgorithm);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1230
            Objects.requireNonNull(signerCertificateChain);
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1231
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1232
            this.args = args;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1233
            this.tsa = tsa;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1234
            this.tSAPolicyID = tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1235
            this.tSADigestAlg = tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1236
            this.signature = signature;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1237
            this.signatureAlgorithm = signatureAlgorithm;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1238
            this.signerCertificateChain = signerCertificateChain;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1239
            this.content = content;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1240
            this.source = source;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1241
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1242
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1243
        public String[] getCommandLine() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1244
            return args;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1245
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1246
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1247
        public URI getTimestampingAuthority() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1248
            return tsa;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1249
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1250
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1251
        public X509Certificate getTimestampingAuthorityCertificate() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1252
            // We don't use this param. Always provide tsaURI.
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1253
            return null;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1254
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1255
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1256
        public String getTSAPolicyID() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1257
            return tSAPolicyID;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1258
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1259
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1260
        public String getTSADigestAlg() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1261
            return tSADigestAlg;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1262
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1263
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1264
        public byte[] getSignature() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1265
            return signature;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1266
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1267
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1268
        public String getSignatureAlgorithm() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1269
            return signatureAlgorithm;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1270
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1271
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1272
        public X509Certificate[] getSignerCertificateChain() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1273
            return signerCertificateChain;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1274
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1275
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1276
        public byte[] getContent() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1277
            return content;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1278
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1279
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1280
        public ZipFile getSource() {
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1281
            return source;
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1282
        }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1283
    }
94e3836950ec 8056174: New APIs for jar signing
weijun
parents:
diff changeset
  1284
}