infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-05-30 15:22:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

8056174: New APIs for jar signing

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Weijun Wang 2015-11-20 08:34:04 +08:00
parent 969487d380
commit a7d92d59f9
7 changed files with 2065 additions and 928 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
jdk/src/java.base/share/classes/sun/security/x509/AlgorithmId.java
View File

@ -977,4 +977,69 @@ public class AlgorithmId implements Serializable, DerEncoder {
}
return null;
}
/**
* Checks if a signature algorithm matches a key algorithm, i.e. a
* signature can be initialized with a key.
*
* @param kAlg must not be null
* @param sAlg must not be null
* @throws IllegalArgumentException if they do not match
*/
public static void checkKeyAndSigAlgMatch(String kAlg, String sAlg) {
String sAlgUp = sAlg.toUpperCase(Locale.US);
if ((sAlgUp.endsWith("WITHRSA") && !kAlg.equalsIgnoreCase("RSA")) ||
(sAlgUp.endsWith("WITHECDSA") && !kAlg.equalsIgnoreCase("EC")) ||
(sAlgUp.endsWith("WITHDSA") && !kAlg.equalsIgnoreCase("DSA"))) {
throw new IllegalArgumentException(
"key algorithm not compatible with signature algorithm");
}
}
/**
* Returns the default signature algorithm for a private key. The digest
* part might evolve with time. Remember to update the spec of
* {@link jdk.security.jarsigner.JarSigner.Builder#getDefaultSignatureAlgorithm(PrivateKey)}
* if updated.
*
* @param k cannot be null
* @return the default alg, might be null if unsupported
*/
public static String getDefaultSigAlgForKey(PrivateKey k) {
switch (k.getAlgorithm().toUpperCase()) {
case "EC":
return ecStrength(KeyUtil.getKeySize(k))
+ "withECDSA";
case "DSA":
return ifcFfcStrength(KeyUtil.getKeySize(k))
+ "withDSA";
case "RSA":
return ifcFfcStrength(KeyUtil.getKeySize(k))
+ "withRSA";
default:
return null;
}
}
// Values from SP800-57 part 1 rev 3 tables 2 and three
private static String ecStrength (int bitLength) {
if (bitLength >= 512) { // 256 bits of strength
return "SHA512";
} else if (bitLength >= 384) { // 192 bits of strength
return "SHA384";
} else { // 128 bits of strength and less
return "SHA256";
}
}
// same values for RSA and DSA
private static String ifcFfcStrength (int bitLength) {
if (bitLength > 7680) { // 256 bits
return "SHA512";
} else if (bitLength > 3072) { // 192 bits
return "SHA384";
} else { // 128 bits and less
return "SHA256";
}
}
}

1286
jdk/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java Normal file
View File

File diff suppressed because it is too large Load Diff

56
jdk/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSignerException.java Normal file
View File

@ -0,0 +1,56 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package jdk.security.jarsigner;
/**
* This exception is thrown when {@link JarSigner#sign} fails.
*
* @since 1.9
*/
@jdk.Exported
public class JarSignerException extends RuntimeException {
private static final long serialVersionUID = -4732217075689309530L;
/**
* Constructs a new {@code JarSignerException} with the specified detail
* message and cause.
* <p>
* Note that the detail message associated with
* {@code cause} is <i>not</i> automatically incorporated in
* this {@code JarSignerException}'s detail message.
*
* @param message the detail message (which is saved for later retrieval
* by the {@link #getMessage()} method).
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
*/
public JarSignerException(String message, Throwable cause) {
super(message, cause);
}
}

1016
jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
View File

File diff suppressed because it is too large Load Diff

182
jdk/test/jdk/security/jarsigner/Function.java Normal file
View File

@ -0,0 +1,182 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8056174
* @summary test the functions of JarSigner API
* @modules java.base/sun.security.tools.keytool
* jdk.jartool
*/
import jdk.security.jarsigner.JarSigner;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;
public class Function {
public static void main(String[] args) throws Exception {
try (FileOutputStream fout =new FileOutputStream("src.zip");
ZipOutputStream zout = new ZipOutputStream(fout)) {
zout.putNextEntry(new ZipEntry("x"));
zout.write(new byte[10]);
zout.closeEntry();
}
sun.security.tools.keytool.Main.main(
("-storetype jks -keystore ks -storepass changeit" +
" -keypass changeit -dname" +
" CN=RSA -alias r -genkeypair -keyalg rsa").split(" "));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("ks"), "changeit".toCharArray());
PrivateKey key = (PrivateKey)ks.getKey("r", "changeit".toCharArray());
Certificate cert = ks.getCertificate("r");
JarSigner.Builder jsb = new JarSigner.Builder(key,
CertificateFactory.getInstance("X.509").generateCertPath(
Collections.singletonList(cert)));
jsb.digestAlgorithm("SHA1");
jsb.signatureAlgorithm("SHA1withRSA");
AtomicInteger counter = new AtomicInteger(0);
StringBuilder sb = new StringBuilder();
jsb.eventHandler(
(a, f)->{
counter.incrementAndGet();
sb.append(a).append(' ').append(f).append('\n');
});
OutputStream blackHole = new OutputStream() {
@Override
public void write(int b) throws IOException { }
};
try (ZipFile src = new ZipFile("src.zip")) {
jsb.build().sign(src, blackHole);
}
if (counter.get() != 4) {
throw new Exception("Event number is " + counter.get()
+ ":\n" + sb.toString());
}
// Provider test.
Provider p = new MyProvider();
jsb.digestAlgorithm("Five", p);
jsb.signatureAlgorithm("SHA1WithRSA", p);
try (ZipFile src = new ZipFile("src.zip");
FileOutputStream out = new FileOutputStream("out.jar")) {
jsb.build().sign(src, out);
}
try (JarFile signed = new JarFile("out.jar")) {
Manifest man = signed.getManifest();
assertTrue(man.getAttributes("x").getValue("Five-Digest").equals("FAKE"));
Manifest sf = new Manifest(signed.getInputStream(
signed.getJarEntry("META-INF/SIGNER.SF")));
assertTrue(sf.getMainAttributes().getValue("Five-Digest-Manifest")
.equals("FAKE"));
assertTrue(sf.getAttributes("x").getValue("Five-Digest").equals("FAKE"));
try (InputStream sig = signed.getInputStream(
signed.getJarEntry("META-INF/SIGNER.RSA"))) {
byte[] data = sig.readAllBytes();
assertTrue(Arrays.equals(
Arrays.copyOfRange(data, data.length-8, data.length),
"FAKEFAKE".getBytes()));
}
}
}
private static void assertTrue(boolean v) {
if (!v) {
throw new AssertionError();
}
}
public static class MyProvider extends Provider {
MyProvider() {
super("MY", 1.0d, null);
put("MessageDigest.Five", Five.class.getName());
put("Signature.SHA1WithRSA", SHA1WithRSA.class.getName());
}
}
// "Five" is a MessageDigest always returns the same value
public static class Five extends MessageDigest {
static final byte[] dig = {0x14, 0x02, (byte)0x84}; //base64 -> FAKE
public Five() { super("Five"); }
protected void engineUpdate(byte input) { }
protected void engineUpdate(byte[] input, int offset, int len) { }
protected byte[] engineDigest() { return dig; }
protected void engineReset() { }
}
// This fake "SHA1withRSA" is a Signature always returns the same value.
// An existing name must be used otherwise PKCS7 does not which OID to use.
public static class SHA1WithRSA extends Signature {
static final byte[] sig = "FAKEFAKE".getBytes();
public SHA1WithRSA() { super("SHA1WithRSA"); }
protected void engineInitVerify(PublicKey publicKey)
throws InvalidKeyException { }
protected void engineInitSign(PrivateKey privateKey)
throws InvalidKeyException { }
protected void engineUpdate(byte b) throws SignatureException { }
protected void engineUpdate(byte[] b, int off, int len)
throws SignatureException { }
protected byte[] engineSign() throws SignatureException { return sig; }
protected boolean engineVerify(byte[] sigBytes)
throws SignatureException {
return Arrays.equals(sigBytes, sig);
}
protected void engineSetParameter(String param, Object value)
throws InvalidParameterException { }
protected Object engineGetParameter(String param)
throws InvalidParameterException { return null; }
}
}

251
jdk/test/jdk/security/jarsigner/Spec.java Normal file
View File

@ -0,0 +1,251 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* @test
* @bug 8056174
* @summary Make sure JarSigner impl conforms to spec
* @library /lib/testlibrary
* @modules java.base/sun.security.tools.keytool
* java.base/sun.security.provider.certpath
* jdk.jartool
*/
import com.sun.jarsigner.ContentSigner;
import com.sun.jarsigner.ContentSignerParameters;
import jdk.security.jarsigner.JarSigner;
import jdk.testlibrary.JarUtils;
import sun.security.provider.certpath.X509CertPath;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.function.BiConsumer;
public class Spec {
public static void main(String[] args) throws Exception {
// Prepares raw file
Files.write(Paths.get("a"), "a".getBytes());
// Pack
JarUtils.createJar("a.jar", "a");
// Prepare a keystore
sun.security.tools.keytool.Main.main(
("-keystore ks -storepass changeit -keypass changeit -dname" +
" CN=RSA -alias r -genkeypair -keyalg rsa").split(" "));
sun.security.tools.keytool.Main.main(
("-keystore ks -storepass changeit -keypass changeit -dname" +
" CN=DSA -alias d -genkeypair -keyalg dsa").split(" "));
char[] pass = "changeit".toCharArray();
KeyStore ks = KeyStore.getInstance(
new File("ks"), pass);
PrivateKey pkr = (PrivateKey)ks.getKey("r", pass);
PrivateKey pkd = (PrivateKey)ks.getKey("d", pass);
CertPath cp = CertificateFactory.getInstance("X.509")
.generateCertPath(Arrays.asList(ks.getCertificateChain("r")));
Provider sun = Security.getProvider("SUN");
// throws
npe(()->new JarSigner.Builder(null));
npe(()->new JarSigner.Builder(null, cp));
iae(()->new JarSigner.Builder(
pkr, new X509CertPath(Collections.emptyList())));
iae(()->new JarSigner.Builder(pkd, cp)); // unmatched certs alg
JarSigner.Builder b1 = new JarSigner.Builder(pkr, cp);
npe(()->b1.digestAlgorithm(null));
nsae(()->b1.digestAlgorithm("HAHA"));
b1.digestAlgorithm("SHA-256");
npe(()->b1.digestAlgorithm("SHA-256", null));
npe(()->b1.digestAlgorithm(null, sun));
nsae(()->b1.digestAlgorithm("HAHA", sun));
b1.digestAlgorithm("SHA-256", sun);
npe(()->b1.signatureAlgorithm(null));
nsae(()->b1.signatureAlgorithm("HAHAwithHEHE"));
iae(()->b1.signatureAlgorithm("SHA256withECDSA"));
npe(()->b1.signatureAlgorithm(null, sun));
npe(()->b1.signatureAlgorithm("SHA256withRSA", null));
nsae(()->b1.signatureAlgorithm("HAHAwithHEHE", sun));
iae(()->b1.signatureAlgorithm("SHA256withDSA", sun));
npe(()->b1.tsa(null));
npe(()->b1.signerName(null));
iae(()->b1.signerName(""));
iae(()->b1.signerName("123456789"));
iae(()->b1.signerName("a+b"));
npe(()->b1.setProperty(null, ""));
uoe(()->b1.setProperty("what", ""));
npe(()->b1.setProperty("tsadigestalg", null));
iae(()->b1.setProperty("tsadigestalg", "HAHA"));
npe(()->b1.setProperty("tsapolicyid", null));
npe(()->b1.setProperty("internalsf", null));
iae(()->b1.setProperty("internalsf", "Hello"));
npe(()->b1.setProperty("sectionsonly", null));
iae(()->b1.setProperty("sectionsonly", "OK"));
npe(()->b1.setProperty("altsigner", null));
npe(()->b1.eventHandler(null));
// default values
JarSigner.Builder b2 = new JarSigner.Builder(pkr, cp);
JarSigner js2 = b2.build();
assertTrue(js2.getDigestAlgorithm().equals(
JarSigner.Builder.getDefaultDigestAlgorithm()));
assertTrue(js2.getSignatureAlgorithm().equals(
JarSigner.Builder.getDefaultSignatureAlgorithm(pkr)));
assertTrue(js2.getTsa() == null);
assertTrue(js2.getSignerName().equals("SIGNER"));
assertTrue(js2.getProperty("tsadigestalg").equals(
JarSigner.Builder.getDefaultDigestAlgorithm()));
assertTrue(js2.getProperty("tsapolicyid") == null);
assertTrue(js2.getProperty("internalsf").equals("false"));
assertTrue(js2.getProperty("sectionsonly").equals("false"));
assertTrue(js2.getProperty("altsigner") == null);
uoe(()->js2.getProperty("invalid"));
// default values
BiConsumer<String,String> myeh = (a,s)->{};
URI tsa = new URI("https://tsa.com");
JarSigner.Builder b3 = new JarSigner.Builder(pkr, cp)
.digestAlgorithm("SHA-1")
.signatureAlgorithm("SHA1withRSA")
.signerName("Duke")
.tsa(tsa)
.setProperty("tsadigestalg", "SHA-512")
.setProperty("tsapolicyid", "1.2.3.4")
.setProperty("internalsf", "true")
.setProperty("sectionsonly", "true")
.setProperty("altsigner", "MyContentSigner")
.eventHandler(myeh);
JarSigner js3 = b3.build();
assertTrue(js3.getDigestAlgorithm().equals("SHA-1"));
assertTrue(js3.getSignatureAlgorithm().equals("SHA1withRSA"));
assertTrue(js3.getTsa().equals(tsa));
assertTrue(js3.getSignerName().equals("DUKE"));
assertTrue(js3.getProperty("tsadigestalg").equals("SHA-512"));
assertTrue(js3.getProperty("tsapolicyid").equals("1.2.3.4"));
assertTrue(js3.getProperty("internalsf").equals("true"));
assertTrue(js3.getProperty("sectionsonly").equals("true"));
assertTrue(js3.getProperty("altsigner").equals("MyContentSigner"));
assertTrue(js3.getProperty("altsignerpath") == null);
assertTrue(JarSigner.Builder.getDefaultDigestAlgorithm().equals("SHA-256"));
// Calculating large DSA and RSA keys are too slow.
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
assertTrue(JarSigner.Builder
.getDefaultSignatureAlgorithm(kpg.generateKeyPair().getPrivate())
.equals("SHA256withRSA"));
kpg = KeyPairGenerator.getInstance("DSA");
kpg.initialize(1024);
assertTrue(JarSigner.Builder
.getDefaultSignatureAlgorithm(kpg.generateKeyPair().getPrivate())
.equals("SHA256withDSA"));
kpg = KeyPairGenerator.getInstance("EC");
kpg.initialize(192);
assertTrue(JarSigner.Builder
.getDefaultSignatureAlgorithm(kpg.generateKeyPair().getPrivate())
.equals("SHA256withECDSA"));
kpg.initialize(384);
assertTrue(JarSigner.Builder
.getDefaultSignatureAlgorithm(kpg.generateKeyPair().getPrivate())
.equals("SHA384withECDSA"));
kpg.initialize(571);
assertTrue(JarSigner.Builder
.getDefaultSignatureAlgorithm(kpg.generateKeyPair().getPrivate())
.equals("SHA512withECDSA"));
}
interface RunnableWithException {
void run() throws Exception;
}
static void uoe(RunnableWithException r) throws Exception {
checkException(r, UnsupportedOperationException.class);
}
static void nsae(RunnableWithException r) throws Exception {
checkException(r, NoSuchAlgorithmException.class);
}
static void npe(RunnableWithException r) throws Exception {
checkException(r, NullPointerException.class);
}
static void iae(RunnableWithException r) throws Exception {
checkException(r, IllegalArgumentException.class);
}
static void checkException(RunnableWithException r, Class ex)
throws Exception {
try {
r.run();
} catch (Exception e) {
if (ex.isAssignableFrom(e.getClass())) {
return;
}
throw e;
}
throw new Exception("No exception thrown");
}
static void assertTrue(boolean x) throws Exception {
if (!x) throw new Exception("Not true");
}
static class MyContentSigner extends ContentSigner {
@Override
public byte[] generateSignedData(
ContentSignerParameters parameters,
boolean omitContent,
boolean applyTimestamp) throws NoSuchAlgorithmException,
CertificateException, IOException {
return new byte[0];
}
}
}

137
jdk/test/sun/security/tools/jarsigner/Options.java Normal file
View File

@ -0,0 +1,137 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* @test
* @bug 8056174
* @summary Make sure the jarsigner tool still works after it's modified to
* be based on JarSigner API
* @library /lib/testlibrary
* @modules java.base/sun.security.tools.keytool
* jdk.jartool/sun.security.tools.jarsigner
* java.base/sun.security.pkcs
* java.base/sun.security.x509
*/
import com.sun.jarsigner.ContentSigner;
import com.sun.jarsigner.ContentSignerParameters;
import jdk.testlibrary.JarUtils;
import sun.security.pkcs.PKCS7;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.*;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
public class Options {
public static void main(String[] args) throws Exception {
// Prepares raw file
Files.write(Paths.get("a"), "a".getBytes());
// Pack
JarUtils.createJar("a.jar", "a");
// Prepare a keystore
sun.security.tools.keytool.Main.main(
("-keystore jks -storepass changeit -keypass changeit -dname" +
" CN=A -alias a -genkeypair -keyalg rsa").split(" "));
// -altsign
sun.security.tools.jarsigner.Main.main(
("-debug -signedjar altsign.jar -keystore jks -storepass changeit" +
" -altsigner Options$X a.jar a").split(" "));
try (JarFile jf = new JarFile("altsign.jar")) {
JarEntry je = jf.getJarEntry("META-INF/A.RSA");
try (InputStream is = jf.getInputStream(je)) {
if (!Arrays.equals(is.readAllBytes(), "1234".getBytes())) {
throw new Exception("altsign go wrong");
}
}
}
// -sigfile, -digestalg, -sigalg, -internalsf, -sectionsonly
sun.security.tools.jarsigner.Main.main(
("-debug -signedjar new.jar -keystore jks -storepass changeit" +
" -sigfile olala -digestalg SHA1 -sigalg SHA224withRSA" +
" -internalsf -sectionsonly a.jar a").split(" "));
try (JarFile jf = new JarFile("new.jar")) {
JarEntry je = jf.getJarEntry("META-INF/OLALA.SF");
Objects.requireNonNull(je); // check -sigfile
byte[] sf = null; // content of .SF
try (InputStream is = jf.getInputStream(je)) {
sf = is.readAllBytes(); // save for later comparison
Attributes attrs = new Manifest(new ByteArrayInputStream(sf))
.getMainAttributes();
// check -digestalg
if (!attrs.containsKey(new Attributes.Name(
"SHA1-Digest-Manifest-Main-Attributes"))) {
throw new Exception("digestalg incorrect");
}
// check -sectionsonly
if (attrs.containsKey(new Attributes.Name(
"SHA1-Digest-Manifest"))) {
throw new Exception("SF should not have file digest");
}
}
je = jf.getJarEntry("META-INF/OLALA.RSA");
try (InputStream is = jf.getInputStream(je)) {
PKCS7 p7 = new PKCS7(is.readAllBytes());
String alg = p7.getSignerInfos()[0]
.getDigestAlgorithmId().getName();
if (!alg.equals("SHA-224")) { // check -sigalg
throw new Exception("PKCS7 signing is using " + alg);
}
// check -internalsf
if (!Arrays.equals(sf, p7.getContentInfo().getData())) {
throw new Exception("SF not in RSA");
}
}
}
// TSA-related ones are checked in ts.sh
}
public static class X extends ContentSigner {
@Override
public byte[] generateSignedData(ContentSignerParameters parameters,
boolean omitContent, boolean applyTimestamp)
throws NoSuchAlgorithmException, CertificateException,
IOException {
return "1234".getBytes();
}
}
}