提交 d36537a3 编写于 作者: A asaha

Merge

...@@ -542,6 +542,7 @@ f3e86cc607260bae368b52d88d7bc8883ee767e3 jdk8u72-b15 ...@@ -542,6 +542,7 @@ f3e86cc607260bae368b52d88d7bc8883ee767e3 jdk8u72-b15
e829ab80dfd828803aa8837411900faeaa1254a5 jdk8u74-b01 e829ab80dfd828803aa8837411900faeaa1254a5 jdk8u74-b01
32c49f4a16599e376e4e46bb33c7bcc486e52ff3 jdk8u74-b02 32c49f4a16599e376e4e46bb33c7bcc486e52ff3 jdk8u74-b02
9c828e688240362b6f1b761b619cdaa070462c4e jdk8u74-b31 9c828e688240362b6f1b761b619cdaa070462c4e jdk8u74-b31
6968ca30f8fdc9429fcd56187e16f46b215b474b jdk8u74-b32
1d4b343084874b1afa1cdd504b9b1e50bab7f121 jdk8u72-b31 1d4b343084874b1afa1cdd504b9b1e50bab7f121 jdk8u72-b31
7cfd2c51c501df909833aa0fb6e40c50c61621ed jdk8u75-b00 7cfd2c51c501df909833aa0fb6e40c50c61621ed jdk8u75-b00
9e00a43602f87930c2318b2567002871ad9c59dd jdk8u75-b01 9e00a43602f87930c2318b2567002871ad9c59dd jdk8u75-b01
......
...@@ -93,6 +93,9 @@ class TimerQueue implements Runnable ...@@ -93,6 +93,9 @@ class TimerQueue implements Runnable
void startIfNeeded() { void startIfNeeded() {
if (! running) { if (! running) {
runningLock.lock(); runningLock.lock();
if (running) {
return;
}
try { try {
final ThreadGroup threadGroup = final ThreadGroup threadGroup =
AppContext.getAppContext().getThreadGroup(); AppContext.getAppContext().getThreadGroup();
...@@ -168,15 +171,17 @@ class TimerQueue implements Runnable ...@@ -168,15 +171,17 @@ class TimerQueue implements Runnable
try { try {
while (running) { while (running) {
try { try {
Timer timer = queue.take().getTimer(); DelayedTimer runningTimer = queue.take();
Timer timer = runningTimer.getTimer();
timer.getLock().lock(); timer.getLock().lock();
try { try {
DelayedTimer delayedTimer = timer.delayedTimer; DelayedTimer delayedTimer = timer.delayedTimer;
if (delayedTimer != null) { if (delayedTimer == runningTimer) {
/* /*
* Timer is not removed after we get it from * Timer is not removed (delayedTimer != null)
* the queue and before the lock on the timer is * or not removed and added (runningTimer == delayedTimer)
* acquired * after we get it from the queue and before the
* lock on the timer is acquired
*/ */
timer.post(); // have timer post an event timer.post(); // have timer post an event
timer.delayedTimer = null; timer.delayedTimer = null;
......
...@@ -802,7 +802,8 @@ public class PKCS7 { ...@@ -802,7 +802,8 @@ public class PKCS7 {
byte[] content, byte[] content,
String signatureAlgorithm, String signatureAlgorithm,
URI tsaURI, URI tsaURI,
String tSAPolicyID) String tSAPolicyID,
String tSADigestAlg)
throws CertificateException, IOException, NoSuchAlgorithmException throws CertificateException, IOException, NoSuchAlgorithmException
{ {
...@@ -811,7 +812,8 @@ public class PKCS7 { ...@@ -811,7 +812,8 @@ public class PKCS7 {
if (tsaURI != null) { if (tsaURI != null) {
// Timestamp the signature // Timestamp the signature
HttpTimestamper tsa = new HttpTimestamper(tsaURI); HttpTimestamper tsa = new HttpTimestamper(tsaURI);
byte[] tsToken = generateTimestampToken(tsa, tSAPolicyID, signature); byte[] tsToken = generateTimestampToken(
tsa, tSAPolicyID, tSADigestAlg, signature);
// Insert the timestamp token into the PKCS #7 signer info element // Insert the timestamp token into the PKCS #7 signer info element
// (as an unsigned attribute) // (as an unsigned attribute)
...@@ -869,6 +871,7 @@ public class PKCS7 { ...@@ -869,6 +871,7 @@ public class PKCS7 {
*/ */
private static byte[] generateTimestampToken(Timestamper tsa, private static byte[] generateTimestampToken(Timestamper tsa,
String tSAPolicyID, String tSAPolicyID,
String tSADigestAlg,
byte[] toBeTimestamped) byte[] toBeTimestamped)
throws IOException, CertificateException throws IOException, CertificateException
{ {
...@@ -876,11 +879,10 @@ public class PKCS7 { ...@@ -876,11 +879,10 @@ public class PKCS7 {
MessageDigest messageDigest = null; MessageDigest messageDigest = null;
TSRequest tsQuery = null; TSRequest tsQuery = null;
try { try {
// SHA-1 is always used. messageDigest = MessageDigest.getInstance(tSADigestAlg);
messageDigest = MessageDigest.getInstance("SHA-1");
tsQuery = new TSRequest(tSAPolicyID, toBeTimestamped, messageDigest); tsQuery = new TSRequest(tSAPolicyID, toBeTimestamped, messageDigest);
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
// ignore throw new IllegalArgumentException(e);
} }
// Generate a nonce // Generate a nonce
...@@ -908,9 +910,13 @@ public class PKCS7 { ...@@ -908,9 +910,13 @@ public class PKCS7 {
PKCS7 tsToken = tsReply.getToken(); PKCS7 tsToken = tsReply.getToken();
TimestampToken tst = tsReply.getTimestampToken(); TimestampToken tst = tsReply.getTimestampToken();
if (!tst.getHashAlgorithm().getName().equals("SHA-1")) { try {
throw new IOException("Digest algorithm not SHA-1 in " if (!tst.getHashAlgorithm().equals(AlgorithmId.get(tSADigestAlg))) {
+ "timestamp token"); throw new IOException("Digest algorithm not " + tSADigestAlg + " in "
+ "timestamp token");
}
} catch (NoSuchAlgorithmException nase) {
throw new IllegalArgumentException(); // should have been caught before
} }
if (!MessageDigest.isEqual(tst.getHashedMessage(), if (!MessageDigest.isEqual(tst.getHashedMessage(),
tsQuery.getHashedMessage())) { tsQuery.getHashedMessage())) {
......
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.tools.jarsigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.net.URI;
import java.util.zip.*;
import com.sun.jarsigner.ContentSignerParameters;
class JarSignerParameters implements ContentSignerParameters {
private String[] args;
private URI tsa;
private X509Certificate tsaCertificate;
private byte[] signature;
private String signatureAlgorithm;
private X509Certificate[] signerCertificateChain;
private byte[] content;
private ZipFile source;
private String tSAPolicyID;
private String tSADigestAlg;
/**
* Create a new object.
*/
JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
String tSAPolicyID, String tSADigestAlg,
byte[] signature, String signatureAlgorithm,
X509Certificate[] signerCertificateChain, byte[] content,
ZipFile source) {
if (signature == null || signatureAlgorithm == null ||
signerCertificateChain == null || tSADigestAlg == null) {
throw new NullPointerException();
}
this.args = args;
this.tsa = tsa;
this.tsaCertificate = tsaCertificate;
this.tSAPolicyID = tSAPolicyID;
this.tSADigestAlg = tSADigestAlg;
this.signature = signature;
this.signatureAlgorithm = signatureAlgorithm;
this.signerCertificateChain = signerCertificateChain;
this.content = content;
this.source = source;
}
/**
* Retrieves the command-line arguments.
*
* @return The command-line arguments. May be null.
*/
public String[] getCommandLine() {
return args;
}
/**
* Retrieves the identifier for a Timestamping Authority (TSA).
*
* @return The TSA identifier. May be null.
*/
public URI getTimestampingAuthority() {
return tsa;
}
/**
* Retrieves the certificate for a Timestamping Authority (TSA).
*
* @return The TSA certificate. May be null.
*/
public X509Certificate getTimestampingAuthorityCertificate() {
return tsaCertificate;
}
public String getTSAPolicyID() {
return tSAPolicyID;
}
public String getTSADigestAlg() {
return tSADigestAlg;
}
/**
* Retrieves the signature.
*
* @return The non-null signature bytes.
*/
public byte[] getSignature() {
return signature;
}
/**
* Retrieves the name of the signature algorithm.
*
* @return The non-null string name of the signature algorithm.
*/
public String getSignatureAlgorithm() {
return signatureAlgorithm;
}
/**
* Retrieves the signer's X.509 certificate chain.
*
* @return The non-null array of X.509 public-key certificates.
*/
public X509Certificate[] getSignerCertificateChain() {
return signerCertificateChain;
}
/**
* Retrieves the content that was signed.
*
* @return The content bytes. May be null.
*/
public byte[] getContent() {
return content;
}
/**
* Retrieves the original source ZIP file before it was signed.
*
* @return The original ZIP file. May be null.
*/
public ZipFile getSource() {
return source;
}
}
...@@ -139,6 +139,7 @@ public class Main { ...@@ -139,6 +139,7 @@ public class Main {
String tsaAlias; // alias for the Timestamping Authority's certificate String tsaAlias; // alias for the Timestamping Authority's certificate
String altCertChain; // file to read alternative cert chain from String altCertChain; // file to read alternative cert chain from
String tSAPolicyID; String tSAPolicyID;
String tSADigestAlg = "SHA-256";
boolean verify = false; // verify the jar boolean verify = false; // verify the jar
String verbose = null; // verbose output when signing/verifying String verbose = null; // verbose output when signing/verifying
boolean showcerts = false; // show certs when verifying boolean showcerts = false; // show certs when verifying
...@@ -342,6 +343,9 @@ public class Main { ...@@ -342,6 +343,9 @@ public class Main {
} else if (collator.compare(flags, "-tsapolicyid") ==0) { } else if (collator.compare(flags, "-tsapolicyid") ==0) {
if (++n == args.length) usageNoArg(); if (++n == args.length) usageNoArg();
tSAPolicyID = args[n]; tSAPolicyID = args[n];
} else if (collator.compare(flags, "-tsadigestalg") ==0) {
if (++n == args.length) usageNoArg();
tSADigestAlg = args[n];
} else if (collator.compare(flags, "-debug") ==0) { } else if (collator.compare(flags, "-debug") ==0) {
debug = true; debug = true;
} else if (collator.compare(flags, "-keypass") ==0) { } else if (collator.compare(flags, "-keypass") ==0) {
...@@ -535,6 +539,9 @@ public class Main { ...@@ -535,6 +539,9 @@ public class Main {
System.out.println(rb.getString System.out.println(rb.getString
(".tsapolicyid.tsapolicyid.for.Timestamping.Authority")); (".tsapolicyid.tsapolicyid.for.Timestamping.Authority"));
System.out.println(); System.out.println();
System.out.println(rb.getString
(".tsadigestalg.algorithm.of.digest.data.in.timestamping.request"));
System.out.println();
System.out.println(rb.getString System.out.println(rb.getString
(".altsigner.class.class.name.of.an.alternative.signing.mechanism")); (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
System.out.println(); System.out.println();
...@@ -1270,8 +1277,8 @@ public class Main { ...@@ -1270,8 +1277,8 @@ public class Main {
try { try {
block = block =
sf.generateBlock(privateKey, sigalg, certChain, sf.generateBlock(privateKey, sigalg, certChain,
externalSF, tsaUrl, tsaCert, tSAPolicyID, signingMechanism, args, externalSF, tsaUrl, tsaCert, tSAPolicyID, tSADigestAlg,
zipFile); signingMechanism, args, zipFile);
} catch (SocketTimeoutException e) { } catch (SocketTimeoutException e) {
// Provide a helpful message when TSA is beyond a firewall // Provide a helpful message when TSA is beyond a firewall
error(rb.getString("unable.to.sign.jar.") + error(rb.getString("unable.to.sign.jar.") +
...@@ -2268,13 +2275,14 @@ class SignatureFile { ...@@ -2268,13 +2275,14 @@ class SignatureFile {
boolean externalSF, String tsaUrl, boolean externalSF, String tsaUrl,
X509Certificate tsaCert, X509Certificate tsaCert,
String tSAPolicyID, String tSAPolicyID,
String tSADigestAlg,
ContentSigner signingMechanism, ContentSigner signingMechanism,
String[] args, ZipFile zipFile) String[] args, ZipFile zipFile)
throws NoSuchAlgorithmException, InvalidKeyException, IOException, throws NoSuchAlgorithmException, InvalidKeyException, IOException,
SignatureException, CertificateException SignatureException, CertificateException
{ {
return new Block(this, privateKey, sigalg, certChain, externalSF, return new Block(this, privateKey, sigalg, certChain, externalSF,
tsaUrl, tsaCert, tSAPolicyID, signingMechanism, args, zipFile); tsaUrl, tsaCert, tSAPolicyID, tSADigestAlg, signingMechanism, args, zipFile);
} }
...@@ -2288,8 +2296,8 @@ class SignatureFile { ...@@ -2288,8 +2296,8 @@ class SignatureFile {
*/ */
Block(SignatureFile sfg, PrivateKey privateKey, String sigalg, Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
X509Certificate[] certChain, boolean externalSF, String tsaUrl, X509Certificate[] certChain, boolean externalSF, String tsaUrl,
X509Certificate tsaCert, String tSAPolicyID, ContentSigner signingMechanism, X509Certificate tsaCert, String tSAPolicyID, String tSADigestAlg,
String[] args, ZipFile zipFile) ContentSigner signingMechanism, String[] args, ZipFile zipFile)
throws NoSuchAlgorithmException, InvalidKeyException, IOException, throws NoSuchAlgorithmException, InvalidKeyException, IOException,
SignatureException, CertificateException { SignatureException, CertificateException {
...@@ -2371,7 +2379,8 @@ class SignatureFile { ...@@ -2371,7 +2379,8 @@ class SignatureFile {
// Assemble parameters for the signing mechanism // Assemble parameters for the signing mechanism
ContentSignerParameters params = ContentSignerParameters params =
new JarSignerParameters(args, tsaUri, tsaCert, tSAPolicyID, signature, new JarSignerParameters(args, tsaUri, tsaCert, tSAPolicyID,
tSADigestAlg, signature,
signatureAlgorithm, certChain, content, zipFile); signatureAlgorithm, certChain, content, zipFile);
// Generate the signature block // Generate the signature block
...@@ -2400,120 +2409,3 @@ class SignatureFile { ...@@ -2400,120 +2409,3 @@ class SignatureFile {
} }
} }
} }
/*
* This object encapsulates the parameters used to perform content signing.
*/
class JarSignerParameters implements ContentSignerParameters {
private String[] args;
private URI tsa;
private X509Certificate tsaCertificate;
private byte[] signature;
private String signatureAlgorithm;
private X509Certificate[] signerCertificateChain;
private byte[] content;
private ZipFile source;
private String tSAPolicyID;
/**
* Create a new object.
*/
JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
String tSAPolicyID,
byte[] signature, String signatureAlgorithm,
X509Certificate[] signerCertificateChain, byte[] content,
ZipFile source) {
if (signature == null || signatureAlgorithm == null ||
signerCertificateChain == null) {
throw new NullPointerException();
}
this.args = args;
this.tsa = tsa;
this.tsaCertificate = tsaCertificate;
this.tSAPolicyID = tSAPolicyID;
this.signature = signature;
this.signatureAlgorithm = signatureAlgorithm;
this.signerCertificateChain = signerCertificateChain;
this.content = content;
this.source = source;
}
/**
* Retrieves the command-line arguments.
*
* @return The command-line arguments. May be null.
*/
public String[] getCommandLine() {
return args;
}
/**
* Retrieves the identifier for a Timestamping Authority (TSA).
*
* @return The TSA identifier. May be null.
*/
public URI getTimestampingAuthority() {
return tsa;
}
/**
* Retrieves the certificate for a Timestamping Authority (TSA).
*
* @return The TSA certificate. May be null.
*/
public X509Certificate getTimestampingAuthorityCertificate() {
return tsaCertificate;
}
public String getTSAPolicyID() {
return tSAPolicyID;
}
/**
* Retrieves the signature.
*
* @return The non-null signature bytes.
*/
public byte[] getSignature() {
return signature;
}
/**
* Retrieves the name of the signature algorithm.
*
* @return The non-null string name of the signature algorithm.
*/
public String getSignatureAlgorithm() {
return signatureAlgorithm;
}
/**
* Retrieves the signer's X.509 certificate chain.
*
* @return The non-null array of X.509 public-key certificates.
*/
public X509Certificate[] getSignerCertificateChain() {
return signerCertificateChain;
}
/**
* Retrieves the content that was signed.
*
* @return The content bytes. May be null.
*/
public byte[] getContent() {
return content;
}
/**
* Retrieves the original source ZIP file before it was signed.
*
* @return The original ZIP file. May be null.
*/
public ZipFile getSource() {
return source;
}
}
...@@ -88,6 +88,8 @@ public class Resources extends java.util.ListResourceBundle { ...@@ -88,6 +88,8 @@ public class Resources extends java.util.ListResourceBundle {
"[-tsacert <alias>] public key certificate for Timestamping Authority"}, "[-tsacert <alias>] public key certificate for Timestamping Authority"},
{".tsapolicyid.tsapolicyid.for.Timestamping.Authority", {".tsapolicyid.tsapolicyid.for.Timestamping.Authority",
"[-tsapolicyid <oid>] TSAPolicyID for Timestamping Authority"}, "[-tsapolicyid <oid>] TSAPolicyID for Timestamping Authority"},
{".tsadigestalg.algorithm.of.digest.data.in.timestamping.request",
"[-tsadigestalg <algorithm>] algorithm of digest data in timestamping request"},
{".altsigner.class.class.name.of.an.alternative.signing.mechanism", {".altsigner.class.class.name.of.an.alternative.signing.mechanism",
"[-altsigner <class>] class name of an alternative signing mechanism"}, "[-altsigner <class>] class name of an alternative signing mechanism"},
{".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism", {".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",
......
...@@ -132,9 +132,14 @@ public final class TimestampedSigner extends ContentSigner { ...@@ -132,9 +132,14 @@ public final class TimestampedSigner extends ContentSigner {
} }
} }
} }
String tSADigestAlg = "SHA-256";
if (params instanceof JarSignerParameters) {
tSADigestAlg = ((JarSignerParameters)params).getTSADigestAlg();
}
return PKCS7.generateSignedData(signature, signerChain, content, return PKCS7.generateSignedData(signature, signerChain, content,
params.getSignatureAlgorithm(), tsaURI, params.getSignatureAlgorithm(), tsaURI,
params.getTSAPolicyID()); params.getTSAPolicyID(),
tSADigestAlg);
} }
/** /**
......
...@@ -24,10 +24,9 @@ ...@@ -24,10 +24,9 @@
import com.sun.net.httpserver.*; import com.sun.net.httpserver.*;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.io.OutputStream; import java.io.OutputStream;
import java.math.BigInteger; import java.math.BigInteger;
...@@ -38,9 +37,15 @@ import java.security.Signature; ...@@ -38,9 +37,15 @@ import java.security.Signature;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Calendar; import java.util.Calendar;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import sun.misc.IOUtils;
import sun.security.pkcs.ContentInfo; import sun.security.pkcs.ContentInfo;
import sun.security.pkcs.PKCS7; import sun.security.pkcs.PKCS7;
import sun.security.pkcs.PKCS9Attribute;
import sun.security.pkcs.SignerInfo; import sun.security.pkcs.SignerInfo;
import sun.security.timestamp.TimestampToken;
import sun.security.util.DerOutputStream; import sun.security.util.DerOutputStream;
import sun.security.util.DerValue; import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier; import sun.security.util.ObjectIdentifier;
...@@ -51,6 +56,8 @@ public class TimestampCheck { ...@@ -51,6 +56,8 @@ public class TimestampCheck {
static final String TSKS = "tsks"; static final String TSKS = "tsks";
static final String JAR = "old.jar"; static final String JAR = "old.jar";
static final String defaultPolicyId = "2.3.4.5";
static class Handler implements HttpHandler { static class Handler implements HttpHandler {
public void handle(HttpExchange t) throws IOException { public void handle(HttpExchange t) throws IOException {
int len = 0; int len = 0;
...@@ -94,6 +101,11 @@ public class TimestampCheck { ...@@ -94,6 +101,11 @@ public class TimestampCheck {
* 6: extension is missing * 6: extension is missing
* 7: extension is non-critical * 7: extension is non-critical
* 8: extension does not have timestamping * 8: extension does not have timestamping
* 9: no cert in response
* 10: normal
* 11: always return default policy id
* 12: normal
* otherwise: normal
* @returns the signed * @returns the signed
*/ */
byte[] sign(byte[] input, int path) throws Exception { byte[] sign(byte[] input, int path) throws Exception {
...@@ -106,6 +118,7 @@ public class TimestampCheck { ...@@ -106,6 +118,7 @@ public class TimestampCheck {
messageImprint.data.getDerValue()); messageImprint.data.getDerValue());
System.err.println("AlgorithmId: " + aid); System.err.println("AlgorithmId: " + aid);
ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId);
BigInteger nonce = null; BigInteger nonce = null;
while (value.data.available() > 0) { while (value.data.available() > 0) {
DerValue v = value.data.getDerValue(); DerValue v = value.data.getDerValue();
...@@ -114,6 +127,9 @@ public class TimestampCheck { ...@@ -114,6 +127,9 @@ public class TimestampCheck {
System.err.println("nonce: " + nonce); System.err.println("nonce: " + nonce);
} else if (v.tag == DerValue.tag_Boolean) { } else if (v.tag == DerValue.tag_Boolean) {
System.err.println("certReq: " + v.getBoolean()); System.err.println("certReq: " + v.getBoolean());
} else if (v.tag == DerValue.tag_ObjectId) {
policyId = v.getOID();
System.err.println("PolicyID: " + policyId);
} }
} }
...@@ -127,6 +143,10 @@ public class TimestampCheck { ...@@ -127,6 +143,10 @@ public class TimestampCheck {
if (path == 7) alias = "tsbad2"; if (path == 7) alias = "tsbad2";
if (path == 8) alias = "tsbad3"; if (path == 8) alias = "tsbad3";
if (path == 11) {
policyId = new ObjectIdentifier(defaultPolicyId);
}
DerOutputStream statusInfo = new DerOutputStream(); DerOutputStream statusInfo = new DerOutputStream();
statusInfo.putInteger(0); statusInfo.putInteger(0);
...@@ -150,7 +170,7 @@ public class TimestampCheck { ...@@ -150,7 +170,7 @@ public class TimestampCheck {
DerOutputStream tst = new DerOutputStream(); DerOutputStream tst = new DerOutputStream();
tst.putInteger(1); tst.putInteger(1);
tst.putOID(new ObjectIdentifier("1.2.3.4")); // policy tst.putOID(policyId);
if (path != 3 && path != 4) { if (path != 3 && path != 4) {
tst.putDerValue(messageImprint); tst.putDerValue(messageImprint);
...@@ -260,15 +280,43 @@ public class TimestampCheck { ...@@ -260,15 +280,43 @@ public class TimestampCheck {
jarsigner(cmd, 7, false); // tsbad2 jarsigner(cmd, 7, false); // tsbad2
jarsigner(cmd, 8, false); // tsbad3 jarsigner(cmd, 8, false); // tsbad3
jarsigner(cmd, 9, false); // no cert in timestamp jarsigner(cmd, 9, false); // no cert in timestamp
jarsigner(cmd + " -tsapolicyid 1.2.3.4", 0, true); jarsigner(cmd + " -tsapolicyid 1.2.3.4", 10, true);
jarsigner(cmd + " -tsapolicyid 1.2.3.5", 0, false); checkTimestamp("new_10.jar", "1.2.3.4", "SHA-256");
jarsigner(cmd + " -tsapolicyid 1.2.3.5", 11, false);
jarsigner(cmd + " -tsadigestalg SHA", 12, true);
checkTimestamp("new_12.jar", defaultPolicyId, "SHA-1");
} else { // Run as a standalone server } else { // Run as a standalone server
System.err.println("Press Enter to quit server"); System.err.println("Press Enter to quit server");
System.in.read(); System.in.read();
} }
} finally { } finally {
server.stop(0); server.stop(0);
new File("x.jar").delete(); }
}
static void checkTimestamp(String file, String policyId, String digestAlg)
throws Exception {
try (JarFile jf = new JarFile(file)) {
JarEntry je = jf.getJarEntry("META-INF/OLD.RSA");
try (InputStream is = jf.getInputStream(je)) {
byte[] content = IOUtils.readFully(is, -1, true);
PKCS7 p7 = new PKCS7(content);
SignerInfo[] si = p7.getSignerInfos();
if (si == null || si.length == 0) {
throw new Exception("Not signed");
}
PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes()
.getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
PKCS7 tsToken = new PKCS7((byte[]) p9.getValue());
TimestampToken tt =
new TimestampToken(tsToken.getContentInfo().getData());
if (!tt.getHashAlgorithm().toString().equals(digestAlg)) {
throw new Exception("Digest alg different");
}
if (!tt.getPolicyID().equals(policyId)) {
throw new Exception("policyId different");
}
}
} }
} }
......
...@@ -86,6 +86,6 @@ $KT -alias tsbad3 -certreq | \ ...@@ -86,6 +86,6 @@ $KT -alias tsbad3 -certreq | \
$KT -alias ca -gencert -ext eku:critical=cs | \ $KT -alias ca -gencert -ext eku:critical=cs | \
$KT -alias tsbad3 -importcert $KT -alias tsbad3 -importcert
$JAVAC -d . ${TESTSRC}/TimestampCheck.java $JAVAC -XDignore.symbol.file -d . ${TESTSRC}/TimestampCheck.java
$JAVA ${TESTVMOPTS} TimestampCheck $JAVA ${TESTVMOPTS} TimestampCheck
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册