
Example 11 with CodeSigner

use of java.security.CodeSigner in project Bytecoder by mirkosertic.

the class Pair method doPrintCert.

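/**
 * Prints the certificates selected by the tool's current options: every distinct
 * code signer of {@code jarfile} (with its timestamp chain), the chain presented by
 * {@code sslserver}, or the certificates read from {@code filename} (standard input
 * when no file is given). Each printed certificate is also passed to
 * {@code checkWeak}.
 *
 * @param out the stream the certificate dumps are written to
 * @throws Exception on read or verification failure; an empty or unreachable
 *         chain from the SSL server is reported with the localized
 *         "No.certificate.from.the.SSL.server" message
 */
private void doPrintCert(final PrintStream out) throws Exception {
    if (jarfile != null) {
        // reset "jdk.certpath.disabledAlgorithms" security property
        // to be able to read jars which were signed with weak algorithms.
        // NOTE(review): this is a process-wide change to the security
        // property; acceptable for a one-shot CLI, and each certificate is
        // still reported through checkWeak below.
        Security.setProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS, "");
        Set<CodeSigner> ss = new HashSet<>();
        byte[] buffer = new byte[8192];
        int pos = 0;
        // try-with-resources: the JarFile used to be closed only on the
        // normal path, so a SecurityException from a failed signature or
        // digest check leaked the open file handle.
        try (JarFile jf = new JarFile(jarfile, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry je = entries.nextElement();
                try (InputStream is = jf.getInputStream(je)) {
                    // Read the whole entry: the verifying stream throws a
                    // SecurityException if a signature/digest check fails,
                    // and reading is what populates the entry's code signers.
                    while (is.read(buffer) != -1) {
                        // intentionally empty
                    }
                }
                CodeSigner[] signers = je.getCodeSigners();
                if (signers == null) {
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // Set.add is false for a signer that was already printed
                    if (!ss.add(signer)) {
                        continue;
                    }
                    out.printf(rb.getString("Signer.d."), ++pos);
                    out.println();
                    out.println();
                    out.println(rb.getString("Signature."));
                    out.println();
                    dumpSignerCertPath(signer.getSignerCertPath().getCertificates(), rb.getString("the.certificate"), out);
                    Timestamp ts = signer.getTimestamp();
                    if (ts != null) {
                        out.println(rb.getString("Timestamp."));
                        out.println();
                        dumpSignerCertPath(ts.getSignerCertPath().getCertificates(), rb.getString("the.tsa.certificate"), out);
                    }
                }
            }
        }
        if (ss.isEmpty()) {
            out.println(rb.getString("Not.a.signed.jar.file"));
        }
    } else if (sslserver != null) {
        CertStore cs = SSLServerCertStore.getInstance(new URI("https://" + sslserver));
        Collection<? extends Certificate> chain;
        try {
            chain = cs.getCertificates(null);
            if (chain.isEmpty()) {
                // an empty chain is an error even if the URL connection succeeded
                throw new Exception(rb.getString("No.certificate.from.the.SSL.server"));
            }
        } catch (CertStoreException cse) {
            // a connection failure surfaces as an IOException cause; report it
            // with the same localized message, keeping the cause
            if (cse.getCause() instanceof IOException) {
                throw new Exception(rb.getString("No.certificate.from.the.SSL.server"), cse.getCause());
            } else {
                throw cse;
            }
        }
        int i = 0;
        for (Certificate cert : chain) {
            try {
                if (rfc) {
                    dumpCert(cert, out);
                } else {
                    out.println("Certificate #" + i);
                    out.println("====================================");
                    printX509Cert((X509Certificate) cert, out);
                    out.println();
                }
                // i is advanced here, after both branches: previously it was
                // incremented only inside the non-rfc header, so rfc mode always
                // passed index 0 to oneInMany and non-rfc mode passed an index one
                // ahead of the 0-based counter used for jar signers above.
                checkWeak(oneInMany(rb.getString("the.certificate"), i++, chain.size()), cert);
            } catch (Exception e) {
                // best-effort: one certificate that cannot be printed must not
                // hide the rest of the chain
                if (debug) {
                    e.printStackTrace();
                }
            }
        }
    } else {
        if (filename != null) {
            try (FileInputStream inStream = new FileInputStream(filename)) {
                printCertFromStream(inStream, out);
            }
        } else {
            printCertFromStream(System.in, out);
        }
    }
}

/**
 * Prints every certificate of a signer's (or timestamp authority's) certificate
 * path in the selected format and runs {@code checkWeak} on each of them.
 *
 * @param certs the certificates of the path, in path order
 * @param what  the localized noun used for the "n of m" label passed to checkWeak
 * @param out   the stream to print to
 * @throws Exception propagated from dumpCert / printX509Cert / checkWeak
 */
private void dumpSignerCertPath(List<? extends Certificate> certs, String what, PrintStream out) throws Exception {
    int cc = 0;
    for (Certificate cert : certs) {
        X509Certificate x = (X509Certificate) cert;
        if (rfc) {
            out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
            dumpCert(x, out);
        } else {
            printX509Cert(x, out);
        }
        out.println();
        // 0-based index; oneInMany presumably renders it 1-based
        checkWeak(oneInMany(what, cc++, certs.size()), x);
    }
}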

Example 12 with CodeSigner

use of java.security.CodeSigner in project Bytecoder by mirkosertic.

the class FactoryURLClassLoader method defineClass.

/**
 * Defines a class from the bytes of the given {@link Resource}, first making
 * sure the class's package is defined (when the name has one). The returned
 * class is not yet resolved.
 *
 * @param name the binary class name
 * @param res  the resource supplying the class bytes, manifest and code signers
 * @return the defined, unresolved class
 * @throws IOException if the resource bytes cannot be read
 * @throws AssertionError if the package is neither definable nor already present
 */
private Class<?> defineClass(String name, Resource res) throws IOException {
    final long start = System.nanoTime();
    final int dot = name.lastIndexOf('.');
    final URL url = res.getCodeSourceURL();
    if (dot != -1) {
        final String pkgname = name.substring(0, dot);
        final Manifest man = res.getManifest();
        // define the package only when it is not known yet
        if (getAndVerifyPackage(pkgname, man, url) == null) {
            try {
                if (man == null) {
                    definePackage(pkgname, null, null, null, null, null, null, null);
                } else {
                    definePackage(pkgname, man, url);
                }
            } catch (IllegalArgumentException raced) {
                // another thread may have defined the package in the meantime;
                // only a package that is still missing is a genuine error
                if (getAndVerifyPackage(pkgname, man, url) == null) {
                    throw new AssertionError("Cannot find package " + pkgname);
                }
            }
        }
    }
    // read the class bytes, then the signers, then define the class
    final java.nio.ByteBuffer bb = res.getByteBuffer();
    if (bb != null) {
        final CodeSigner[] signers = res.getCodeSigners();
        final CodeSource cs = new CodeSource(url, signers);
        PerfCounter.getReadClassBytesTime().addElapsedTimeFrom(start);
        return defineClass(name, bb, cs);
    }
    final byte[] bytes = res.getBytes();
    // signers are read only after the bytes: the original keeps this order
    // on purpose ("must read certificates AFTER reading bytes")
    final CodeSigner[] signers = res.getCodeSigners();
    final CodeSource cs = new CodeSource(url, signers);
    PerfCounter.getReadClassBytesTime().addElapsedTimeFrom(start);
    return defineClass(name, bytes, 0, bytes.length, cs);
}

Example 13 with CodeSigner

use of java.security.CodeSigner in project Bytecoder by mirkosertic.

the class SignatureFileVerifier method getSigners.

/**
 * Builds one {@link CodeSigner} per {@link SignerInfo} of a PKCS#7 signature
 * block. Each signer carries the certificate path of that SignerInfo's chain
 * (resolved against {@code block}) and the SignerInfo's timestamp. Meant to be
 * done only once per signature block file.
 *
 * @param infos the SignerInfo entries of the block
 * @param block the PKCS#7 block the certificate chains are looked up in
 * @return the signers in SignerInfo order, or {@code null} when {@code infos} is empty
 * @throws IOException, NoSuchAlgorithmException, SignatureException, CertificateException
 *         propagated from chain retrieval and certificate path generation
 */
private CodeSigner[] getSigners(SignerInfo[] infos, PKCS7 block) throws IOException, NoSuchAlgorithmException, SignatureException, CertificateException {
    List<CodeSigner> result = new ArrayList<>(infos.length);
    for (SignerInfo info : infos) {
        ArrayList<X509Certificate> chain = info.getCertificateChain(block);
        CertPath certChain = certificateFactory.generateCertPath(chain);
        result.add(new CodeSigner(certChain, info.getTimestamp()));
        if (debug != null) {
            debug.println("Signature Block Certificate: " + chain.get(0));
        }
    }
    // callers treat null as "no signers", so an empty input yields null, not an empty array
    return result.isEmpty() ? null : result.toArray(new CodeSigner[0]);
}

Example 14 with CodeSigner

use of java.security.CodeSigner in project Bytecoder by mirkosertic.

the class SignatureFileVerifier method processImpl.

/**
 * Verifies this signature file (.SF) against its PKCS#7 block and records the
 * resulting code signers for every manifest section the .SF covers.
 * <p>
 * Order of checks: the .SF version must be "1.0" (otherwise the file is
 * silently ignored and nothing is added to {@code signers}); the block must
 * verify against the .SF bytes; the .SF must cover either the whole manifest
 * digest or at least its main attributes; then each .SF section is checked
 * against the corresponding manifest section before its name is marked as
 * signed by the block's signers. MANIFEST.MF itself is always marked signed.
 *
 * @param signers         map from entry name to the signers found so far; updated in place
 * @param manifestDigests digests of the manifest, passed through to verifyManifestHash
 * @throws SecurityException if the block does not verify, or neither the manifest
 *         digest nor its main-attribute digests match
 * @throws IOException, SignatureException, NoSuchAlgorithmException, JarException,
 *         CertificateException propagated from parsing and verification
 */
private void processImpl(Hashtable<String, CodeSigner[]> signers, List<Object> manifestDigests) throws IOException, SignatureException, NoSuchAlgorithmException, JarException, CertificateException {
    Manifest sf = new Manifest();
    sf.read(new ByteArrayInputStream(sfBytes));
    String version = sf.getMainAttributes().getValue(Attributes.Name.SIGNATURE_VERSION);
    if ((version == null) || !(version.equalsIgnoreCase("1.0"))) {
        // for now we just ignore this signature file: no signers are recorded,
        // so entries covered only by this file remain unsigned
        return;
    }
    // cryptographic check of the block over the .SF bytes; null means no
    // SignerInfo verified (`name` here is presumably the field holding this
    // signature file's name, it is shadowed by a local further down)
    SignerInfo[] infos = block.verify(sfBytes);
    if (infos == null) {
        throw new SecurityException("cannot verify signature block file " + name);
    }
    CodeSigner[] newSigners = getSigners(infos, block);
    // make sure we have something to do all this work for...
    if (newSigners == null)
        return;
    /*
     * Look for the latest timestamp in the signature block and keep it in the
     * `timestamp` field. If any signer has no timestamp, the field is set to
     * null (aka current time) and the search stops.
     */
    for (CodeSigner s : newSigners) {
        if (debug != null) {
            debug.println("Gathering timestamp for:  " + s.toString());
        }
        if (s.getTimestamp() == null) {
            timestamp = null;
            break;
        } else if (timestamp == null) {
            timestamp = s.getTimestamp();
        } else {
            // keep the later of the two
            if (timestamp.getTimestamp().before(s.getTimestamp().getTimestamp())) {
                timestamp = s.getTimestamp();
            }
        }
    }
    Iterator<Map.Entry<String, Attributes>> entries = sf.getEntries().entrySet().iterator();
    // see if we can verify the whole manifest first; if so, per-section
    // digests in the .SF need not be checked individually
    boolean manifestSigned = verifyManifestHash(sf, md, manifestDigests);
    // verify manifest main attributes
    if (!manifestSigned && !verifyManifestMainAttrs(sf, md)) {
        throw new SecurityException("Invalid signature file digest for Manifest main attributes");
    }
    // go through each section in the signature file
    while (entries.hasNext()) {
        Map.Entry<String, Attributes> e = entries.next();
        // local `name` (the section/entry name) shadows the field used above
        String name = e.getKey();
        if (manifestSigned || (verifySection(e.getValue(), name, md))) {
            // normalize leading "./" and "/" so the key matches the jar entry name
            if (name.startsWith("./"))
                name = name.substring(2);
            if (name.startsWith("/"))
                name = name.substring(1);
            updateSigners(newSigners, signers, name);
            if (debug != null) {
                debug.println("processSignature signed name = " + name);
            }
        } else if (debug != null) {
            // section digest mismatch: the entry is left unsigned rather than rejected
            debug.println("processSignature unsigned name = " + name);
        }
    }
    // MANIFEST.MF is always regarded as signed
    updateSigners(newSigners, signers, JarFile.MANIFEST_NAME);
}

Example 15 with CodeSigner

use of java.security.CodeSigner in project Bytecoder by mirkosertic.

the class BuiltinClassLoader method defineClass.

/**
 * Defines the class with binary name {@code cn} to the VM from the bytes of
 * {@code res}, after defining (or sealing-checking) its package when the name
 * has one.
 *
 * @param cn  the binary class name
 * @param res the resource supplying the class bytes, manifest and code signers
 * @return the resulting Class
 * @throws IOException if reading the resource fails
 * @throws SecurityException if there is a sealing violation (JAR spec)
 */
private Class<?> defineClass(String cn, Resource res) throws IOException {
    URL url = res.getCodeSourceURL();
    // a class in a named package needs that package defined first
    int dot = cn.lastIndexOf('.');
    if (dot >= 0) {
        defineOrCheckPackage(cn.substring(0, dot), res.getManifest(), url);
    }
    ByteBuffer bb = res.getByteBuffer();
    if (bb == null) {
        // byte[] path: bytes are read before the signers are queried
        byte[] bytes = res.getBytes();
        CodeSource source = new CodeSource(url, res.getCodeSigners());
        return defineClass(cn, bytes, 0, bytes.length, source);
    }
    // ByteBuffer path
    CodeSource source = new CodeSource(url, res.getCodeSigners());
    return defineClass(cn, bb, source);
}
