From 794e99c0306d78fc58751c73ba7bbd50eb5c1443 Mon Sep 17 00:00:00 2001 From: vinnie Date: Mon, 8 Apr 2013 21:12:28 +0100 Subject: [PATCH] 8009235: Improve handling of TSA data Reviewed-by: ahgross, mullan --- .../classes/sun/security/pkcs/SignerInfo.java | 31 +++++++++++++++++++ .../security/timestamp/TimestampToken.java | 6 +++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/src/share/classes/sun/security/pkcs/SignerInfo.java b/src/share/classes/sun/security/pkcs/SignerInfo.java index 1d327706d..43c5ac7b8 100644 --- a/src/share/classes/sun/security/pkcs/SignerInfo.java +++ b/src/share/classes/sun/security/pkcs/SignerInfo.java @@ -34,6 +34,7 @@ import java.security.cert.CertPath; import java.security.cert.X509Certificate; import java.security.*; import java.util.ArrayList; +import java.util.Arrays; import sun.security.timestamp.TimestampToken; import sun.security.util.*; @@ -57,6 +58,7 @@ public class SignerInfo implements DerEncoder { byte[] encryptedDigest; Timestamp timestamp; private boolean hasTimestamp = true; + private static final Debug debug = Debug.getInstance("jar"); PKCS9Attributes authenticatedAttributes; PKCS9Attributes unauthenticatedAttributes; @@ -499,11 +501,40 @@ public class SignerInfo implements DerEncoder { CertPath tsaChain = cf.generateCertPath(chain); // Create a timestamp token info object TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); + // Check that the signature timestamp applies to this signature + verifyTimestamp(tsTokenInfo); // Create a timestamp object timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain); return timestamp; } + /* + * Check that the signature timestamp applies to this signature. + * Match the hash present in the signature timestamp token against the hash + * of this signature. + */ + private void verifyTimestamp(TimestampToken token) + throws NoSuchAlgorithmException, SignatureException { + + MessageDigest md = + MessageDigest.getInstance(token.getHashAlgorithm().getName()); + + if (!Arrays.equals(token.getHashedMessage(), + md.digest(encryptedDigest))) { + + throw new SignatureException("Signature timestamp (#" + + token.getSerialNumber() + ") generated on " + token.getDate() + + " is inapplicable"); + } + + if (debug != null) { + debug.println(); + debug.println("Detected signature timestamp (#" + + token.getSerialNumber() + ") generated on " + token.getDate()); + debug.println(); + } + } + public String toString() { HexDumpEncoder hexDump = new HexDumpEncoder(); diff --git a/src/share/classes/sun/security/timestamp/TimestampToken.java b/src/share/classes/sun/security/timestamp/TimestampToken.java index a9ec092dd..5ca1d62fb 100644 --- a/src/share/classes/sun/security/timestamp/TimestampToken.java +++ b/src/share/classes/sun/security/timestamp/TimestampToken.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -115,6 +115,10 @@ public class TimestampToken { return nonce; } + public BigInteger getSerialNumber() { + return serialNumber; + } + /* * Parses the timestamp token info. * -- GitLab