LinuxSuRen / jenkins
Commit 86ea65ab
Authored Oct 29, 2014 by Stephen Connolly
Make it possible for sub-classes to have a sub-class specific trust anchor chain
Parent 4cb7414e
Showing 2 changed files with 77 additions and 64 deletions
core/src/main/java/hudson/model/UpdateSite.java (+10 -1)
core/src/main/java/jenkins/util/JSONSignatureValidator.java (+67 -63)
core/src/main/java/hudson/model/UpdateSite.java
View file @ 86ea65ab
...
...
@@ -218,7 +218,16 @@ public class UpdateSite {
* Verifies the signature in the update center data file.
*/
private
FormValidation
verifySignature
(
JSONObject
o
)
throws
IOException
{
return
new
JSONSignatureValidator
(
"update site '"
+
id
+
"'"
).
verifySignature
(
o
);
return
getJsonSignatureValidator
().
verifySignature
(
o
);
}
/**
* Let sub-classes of UpdateSite provide their own signature validator.
* @return the signature validator.
*/
@Nonnull
protected
JSONSignatureValidator
getJsonSignatureValidator
()
{
return
new
JSONSignatureValidator
(
"update site '"
+
id
+
"'"
);
}
/**
...
...
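Review bot: The Javadoc on the new protected `getJsonSignatureValidator()` says only that sub-classes can provide their own validator and does not state what an override has to preserve. Since the private `verifySignature(JSONObject)` now delegates entirely to this hook, the comment should say that the returned validator decides which trust anchors the update site's signature is checked against, and that an override must keep that set explicit. An `@since` tag is also missing for the new extension point.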
core/src/main/java/jenkins/util/JSONSignatureValidator.java
View file @ 86ea65ab
...
...
@@ -72,69 +72,7 @@ public class JSONSignatureValidator {
certs
.
add
(
c
);
}
// if we trust default root CAs, we end up trusting anyone who has a valid certificate,
// which isn't useful at all
Set
<
TrustAnchor
>
anchors
=
new
HashSet
<
TrustAnchor
>();
// CertificateUtil.getDefaultRootCAs();
Jenkins
j
=
Jenkins
.
getInstance
();
for
(
String
cert
:
(
Set
<
String
>)
j
.
servletContext
.
getResourcePaths
(
"/WEB-INF/update-center-rootCAs"
))
{
if
(
cert
.
endsWith
(
"/"
)
||
cert
.
endsWith
(
".txt"
))
{
continue
;
// skip directories also any text files that are meant to be documentation
}
InputStream
in
=
j
.
servletContext
.
getResourceAsStream
(
cert
);
if
(
in
==
null
)
continue
;
// our test for paths ending in / should prevent this from happening
Certificate
certificate
;
try
{
certificate
=
cf
.
generateCertificate
(
in
);
}
catch
(
CertificateException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"Webapp resources in /WEB-INF/update-center-rootCAs are "
+
"expected to be either certificates or .txt files documenting the "
+
"certificates, but %s did not parse as a certificate. Skipping this "
+
"resource for now."
,
cert
),
e
);
continue
;
}
finally
{
in
.
close
();
}
try
{
anchors
.
add
(
new
TrustAnchor
((
X509Certificate
)
certificate
,
null
));
}
catch
(
IllegalArgumentException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"The name constraints in the certificate resource %s could not be "
+
"decoded. Skipping this resource for now."
,
cert
),
e
);
}
}
File
[]
cas
=
new
File
(
j
.
root
,
"update-center-rootCAs"
).
listFiles
();
if
(
cas
!=
null
)
{
for
(
File
cert
:
cas
)
{
if
(
cert
.
isDirectory
()
||
cert
.
getName
().
endsWith
(
".txt"
))
{
continue
;
// skip directories also any text files that are meant to be documentation
}
FileInputStream
in
=
new
FileInputStream
(
cert
);
Certificate
certificate
;
try
{
certificate
=
cf
.
generateCertificate
(
in
);
}
catch
(
CertificateException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"Files in %s are expected to be either "
+
"certificates or .txt files documenting the certificates, "
+
"but %s did not parse as a certificate. Skipping this file for now."
,
cert
.
getParentFile
().
getAbsolutePath
(),
cert
.
getAbsolutePath
()),
e
);
continue
;
}
finally
{
in
.
close
();
}
try
{
anchors
.
add
(
new
TrustAnchor
((
X509Certificate
)
certificate
,
null
));
}
catch
(
IllegalArgumentException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"The name constraints in the certificate file %s could not be "
+
"decoded. Skipping this file for now."
,
cert
.
getAbsolutePath
()),
e
);
}
}
}
CertificateUtil
.
validatePath
(
certs
,
anchors
);
CertificateUtil
.
validatePath
(
certs
,
loadTrustAnchors
(
cf
));
}
// this is for computing a digest to check sanity
...
...
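Review bot: At `CertificateUtil.validatePath(certs, loadTrustAnchors(cf));` the return value of the now-overridable `loadTrustAnchors` goes to path validation unchecked. Nothing in this hunk shows how `validatePath` treats a null or empty anchor set, so consider checking the set here and failing verification with an explicit message, which keeps the fail-closed behaviour in this class rather than depending on the callee.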
@@ -191,5 +129,71 @@ public class JSONSignatureValidator {
}
}
protected
Set
<
TrustAnchor
>
loadTrustAnchors
(
CertificateFactory
cf
)
throws
IOException
{
// if we trust default root CAs, we end up trusting anyone who has a valid certificate,
// which isn't useful at all
Set
<
TrustAnchor
>
anchors
=
new
HashSet
<
TrustAnchor
>();
// CertificateUtil.getDefaultRootCAs();
Jenkins
j
=
Jenkins
.
getInstance
();
for
(
String
cert
:
(
Set
<
String
>)
j
.
servletContext
.
getResourcePaths
(
"/WEB-INF/update-center-rootCAs"
))
{
if
(
cert
.
endsWith
(
"/"
)
||
cert
.
endsWith
(
".txt"
))
{
continue
;
// skip directories also any text files that are meant to be documentation
}
InputStream
in
=
j
.
servletContext
.
getResourceAsStream
(
cert
);
if
(
in
==
null
)
continue
;
// our test for paths ending in / should prevent this from happening
Certificate
certificate
;
try
{
certificate
=
cf
.
generateCertificate
(
in
);
}
catch
(
CertificateException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"Webapp resources in /WEB-INF/update-center-rootCAs are "
+
"expected to be either certificates or .txt files documenting the "
+
"certificates, but %s did not parse as a certificate. Skipping this "
+
"resource for now."
,
cert
),
e
);
continue
;
}
finally
{
in
.
close
();
}
try
{
anchors
.
add
(
new
TrustAnchor
((
X509Certificate
)
certificate
,
null
));
}
catch
(
IllegalArgumentException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"The name constraints in the certificate resource %s could not be "
+
"decoded. Skipping this resource for now."
,
cert
),
e
);
}
}
File
[]
cas
=
new
File
(
j
.
root
,
"update-center-rootCAs"
).
listFiles
();
if
(
cas
!=
null
)
{
for
(
File
cert
:
cas
)
{
if
(
cert
.
isDirectory
()
||
cert
.
getName
().
endsWith
(
".txt"
))
{
continue
;
// skip directories also any text files that are meant to be documentation
}
FileInputStream
in
=
new
FileInputStream
(
cert
);
Certificate
certificate
;
try
{
certificate
=
cf
.
generateCertificate
(
in
);
}
catch
(
CertificateException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"Files in %s are expected to be either "
+
"certificates or .txt files documenting the certificates, "
+
"but %s did not parse as a certificate. Skipping this file for now."
,
cert
.
getParentFile
().
getAbsolutePath
(),
cert
.
getAbsolutePath
()),
e
);
continue
;
}
finally
{
in
.
close
();
}
try
{
anchors
.
add
(
new
TrustAnchor
((
X509Certificate
)
certificate
,
null
));
}
catch
(
IllegalArgumentException
e
)
{
LOGGER
.
log
(
Level
.
WARNING
,
String
.
format
(
"The name constraints in the certificate file %s could not be "
+
"decoded. Skipping this file for now."
,
cert
.
getAbsolutePath
()),
e
);
}
}
}
return
anchors
;
}
private
static
final
Logger
LOGGER
=
Logger
.
getLogger
(
JSONSignatureValidator
.
class
.
getName
());
}
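Review bot: In `loadTrustAnchors`, the first loop iterates directly over `j.servletContext.getResourcePaths("/WEB-INF/update-center-rootCAs")`, which the Servlet API allows to return null when no resources exist under that path, while the second loop guards `listFiles()` with `if (cas != null)`. Add the same null guard so a webapp without that directory falls through to the `update-center-rootCAs` files instead of throwing. The method is also a new protected extension point with no Javadoc; the inline comment about not trusting default root CAs is the contract overriders need and belongs in the method documentation.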