Search in sources :

Example 46 with Signature

use of java.security.Signature in project Fairphone by Kwamecorp.

the class RSAUtils method verifySignature.

public static boolean verifySignature(String input, String algorithm, byte[] sign, PublicKey pubKey) throws Exception {
    Signature sg = Signature.getInstance(algorithm);
    sg.initVerify(pubKey);
    Log.i(TAG, "Signature Object Info: ");
    Log.i(TAG, "Algorithm = " + sg.getAlgorithm());
    Log.i(TAG, "Provider = " + sg.getProvider());
    FileInputStream in = new FileInputStream(input);
    byte[] buff = new byte[in.available()];
    in.read(buff);
    in.close();
    sg.update(buff);
    boolean ok = sg.verify(sign);
    Log.i(TAG, "Verify Processing Info: ");
    Log.i(TAG, "Verification result = " + ok);
    return ok;
}
Also used : Signature(java.security.Signature) FileInputStream(java.io.FileInputStream)

Example 47 with Signature

use of java.security.Signature in project walle by Meituan-Dianping.

the class V2SchemeVerifier method parseSigner.

/**
     * Parses the provided signer block and populates the {@code result}.
     *
     * <p>This verifies signatures over {@code signed-data} contained in this block but does not
     * verify the integrity of the rest of the APK. Rather, this method adds to the
     * {@code contentDigestsToVerify}.
     */
private static void parseSigner(ByteBuffer signerBlock, CertificateFactory certFactory, Result.SignerInfo result, Set<ContentDigestAlgorithm> contentDigestsToVerify) throws IOException {
    ByteBuffer signedData = getLengthPrefixedSlice(signerBlock);
    byte[] signedDataBytes = new byte[signedData.remaining()];
    signedData.get(signedDataBytes);
    signedData.flip();
    result.signedData = signedDataBytes;
    ByteBuffer signatures = getLengthPrefixedSlice(signerBlock);
    byte[] publicKeyBytes = readLengthPrefixedByteArray(signerBlock);
    // Parse the signatures block and identify supported signatures
    int signatureCount = 0;
    List<SupportedSignature> supportedSignatures = new ArrayList<>(1);
    while (signatures.hasRemaining()) {
        signatureCount++;
        try {
            ByteBuffer signature = getLengthPrefixedSlice(signatures);
            int sigAlgorithmId = signature.getInt();
            byte[] sigBytes = readLengthPrefixedByteArray(signature);
            result.signatures.add(new Result.SignerInfo.Signature(sigAlgorithmId, sigBytes));
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.findById(sigAlgorithmId);
            if (signatureAlgorithm == null) {
                result.addWarning(Issue.V2_SIG_UNKNOWN_SIG_ALGORITHM, sigAlgorithmId);
                continue;
            }
            supportedSignatures.add(new SupportedSignature(signatureAlgorithm, sigBytes));
        } catch (IOException | BufferUnderflowException e) {
            result.addError(Issue.V2_SIG_MALFORMED_SIGNATURE, signatureCount);
            return;
        }
    }
    if (result.signatures.isEmpty()) {
        result.addError(Issue.V2_SIG_NO_SIGNATURES);
        return;
    }
    // Verify signatures over signed-data block using the public key
    List<SupportedSignature> signaturesToVerify = getSignaturesToVerify(supportedSignatures);
    if (signaturesToVerify.isEmpty()) {
        result.addError(Issue.V2_SIG_NO_SUPPORTED_SIGNATURES);
        return;
    }
    for (SupportedSignature signature : signaturesToVerify) {
        SignatureAlgorithm signatureAlgorithm = signature.algorithm;
        String jcaSignatureAlgorithm = signatureAlgorithm.getJcaSignatureAlgorithmAndParams().getFirst();
        AlgorithmParameterSpec jcaSignatureAlgorithmParams = signatureAlgorithm.getJcaSignatureAlgorithmAndParams().getSecond();
        String keyAlgorithm = signatureAlgorithm.getJcaKeyAlgorithm();
        PublicKey publicKey;
        try {
            publicKey = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(publicKeyBytes));
        } catch (Exception e) {
            result.addError(Issue.V2_SIG_MALFORMED_PUBLIC_KEY, e);
            return;
        }
        try {
            Signature sig = Signature.getInstance(jcaSignatureAlgorithm);
            sig.initVerify(publicKey);
            if (jcaSignatureAlgorithmParams != null) {
                sig.setParameter(jcaSignatureAlgorithmParams);
            }
            signedData.position(0);
            sig.update(signedData);
            byte[] sigBytes = signature.signature;
            if (!sig.verify(sigBytes)) {
                result.addError(Issue.V2_SIG_DID_NOT_VERIFY, signatureAlgorithm);
                return;
            }
            result.verifiedSignatures.put(signatureAlgorithm, sigBytes);
            contentDigestsToVerify.add(signatureAlgorithm.getContentDigestAlgorithm());
        } catch (Exception e) {
            result.addError(Issue.V2_SIG_VERIFY_EXCEPTION, signatureAlgorithm, e);
            return;
        }
    }
    // At least one signature over signedData has verified. We can now parse signed-data.
    signedData.position(0);
    ByteBuffer digests = getLengthPrefixedSlice(signedData);
    ByteBuffer certificates = getLengthPrefixedSlice(signedData);
    ByteBuffer additionalAttributes = getLengthPrefixedSlice(signedData);
    // Parse the certificates block
    int certificateIndex = -1;
    while (certificates.hasRemaining()) {
        certificateIndex++;
        byte[] encodedCert = readLengthPrefixedByteArray(certificates);
        X509Certificate certificate;
        try {
            certificate = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(encodedCert));
        } catch (CertificateException e) {
            result.addError(Issue.V2_SIG_MALFORMED_CERTIFICATE, certificateIndex, certificateIndex + 1, e);
            return;
        }
        // Wrap the cert so that the result's getEncoded returns exactly the original encoded
        // form. Without this, getEncoded may return a different form from what was stored in
        // the signature. This is becase some X509Certificate(Factory) implementations re-encode
        // certificates.
        certificate = new GuaranteedEncodedFormX509Certificate(certificate, encodedCert);
        result.certs.add(certificate);
    }
    if (result.certs.isEmpty()) {
        result.addError(Issue.V2_SIG_NO_CERTIFICATES);
        return;
    }
    X509Certificate mainCertificate = result.certs.get(0);
    byte[] certificatePublicKeyBytes = mainCertificate.getPublicKey().getEncoded();
    if (!Arrays.equals(publicKeyBytes, certificatePublicKeyBytes)) {
        result.addError(Issue.V2_SIG_PUBLIC_KEY_MISMATCH_BETWEEN_CERTIFICATE_AND_SIGNATURES_RECORD, toHex(certificatePublicKeyBytes), toHex(publicKeyBytes));
        return;
    }
    // Parse the digests block
    int digestCount = 0;
    while (digests.hasRemaining()) {
        digestCount++;
        try {
            ByteBuffer digest = getLengthPrefixedSlice(digests);
            int sigAlgorithmId = digest.getInt();
            byte[] digestBytes = readLengthPrefixedByteArray(digest);
            result.contentDigests.add(new Result.SignerInfo.ContentDigest(sigAlgorithmId, digestBytes));
        } catch (IOException | BufferUnderflowException e) {
            result.addError(Issue.V2_SIG_MALFORMED_DIGEST, digestCount);
            return;
        }
    }
    List<Integer> sigAlgsFromSignaturesRecord = new ArrayList<>(result.signatures.size());
    for (Result.SignerInfo.Signature signature : result.signatures) {
        sigAlgsFromSignaturesRecord.add(signature.getAlgorithmId());
    }
    List<Integer> sigAlgsFromDigestsRecord = new ArrayList<>(result.contentDigests.size());
    for (Result.SignerInfo.ContentDigest digest : result.contentDigests) {
        sigAlgsFromDigestsRecord.add(digest.getSignatureAlgorithmId());
    }
    if (!sigAlgsFromSignaturesRecord.equals(sigAlgsFromDigestsRecord)) {
        result.addError(Issue.V2_SIG_SIG_ALG_MISMATCH_BETWEEN_SIGNATURES_AND_DIGESTS_RECORDS, sigAlgsFromSignaturesRecord, sigAlgsFromDigestsRecord);
        return;
    }
    // Parse the additional attributes block.
    int additionalAttributeCount = 0;
    while (additionalAttributes.hasRemaining()) {
        additionalAttributeCount++;
        try {
            ByteBuffer attribute = getLengthPrefixedSlice(additionalAttributes);
            int id = attribute.getInt();
            byte[] value = readLengthPrefixedByteArray(attribute);
            result.additionalAttributes.add(new Result.SignerInfo.AdditionalAttribute(id, value));
            result.addWarning(Issue.V2_SIG_UNKNOWN_ADDITIONAL_ATTRIBUTE, id);
        } catch (IOException | BufferUnderflowException e) {
            result.addError(Issue.V2_SIG_MALFORMED_ADDITIONAL_ATTRIBUTE, additionalAttributeCount);
            return;
        }
    }
}
Also used : ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) BufferUnderflowException(java.nio.BufferUnderflowException) PublicKey(java.security.PublicKey) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) IOException(java.io.IOException) ByteBuffer(java.nio.ByteBuffer) DigestException(java.security.DigestException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) BufferUnderflowException(java.nio.BufferUnderflowException) CertificateEncodingException(java.security.cert.CertificateEncodingException) X509Certificate(java.security.cert.X509Certificate) DelegatingX509Certificate(com.android.apksigner.core.internal.util.DelegatingX509Certificate) ByteArrayInputStream(java.io.ByteArrayInputStream) Signature(java.security.Signature) AlgorithmParameterSpec(java.security.spec.AlgorithmParameterSpec)

Example 48 with Signature

use of java.security.Signature in project android_frameworks_base by ParanoidAndroid.

the class RecoverySystem method verifyPackage.

/**
     * Verify the cryptographic signature of a system update package
     * before installing it.  Note that the package is also verified
     * separately by the installer once the device is rebooted into
     * the recovery system.  This function will return only if the
     * package was successfully verified; otherwise it will throw an
     * exception.
     *
     * Verification of a package can take significant time, so this
     * function should not be called from a UI thread.  Interrupting
     * the thread while this function is in progress will result in a
     * SecurityException being thrown (and the thread's interrupt flag
     * will be cleared).
     *
     * @param packageFile  the package to be verified
     * @param listener     an object to receive periodic progress
     * updates as verification proceeds.  May be null.
     * @param deviceCertsZipFile  the zip file of certificates whose
     * public keys we will accept.  Verification succeeds if the
     * package is signed by the private key corresponding to any
     * public key in this file.  May be null to use the system default
     * file (currently "/system/etc/security/otacerts.zip").
     *
     * @throws IOException if there were any errors reading the
     * package or certs files.
     * @throws GeneralSecurityException if verification failed
     */
public static void verifyPackage(File packageFile, ProgressListener listener, File deviceCertsZipFile) throws IOException, GeneralSecurityException {
    long fileLen = packageFile.length();
    RandomAccessFile raf = new RandomAccessFile(packageFile, "r");
    try {
        int lastPercent = 0;
        long lastPublishTime = System.currentTimeMillis();
        if (listener != null) {
            listener.onProgress(lastPercent);
        }
        raf.seek(fileLen - 6);
        byte[] footer = new byte[6];
        raf.readFully(footer);
        if (footer[2] != (byte) 0xff || footer[3] != (byte) 0xff) {
            throw new SignatureException("no signature in file (no footer)");
        }
        int commentSize = (footer[4] & 0xff) | ((footer[5] & 0xff) << 8);
        int signatureStart = (footer[0] & 0xff) | ((footer[1] & 0xff) << 8);
        byte[] eocd = new byte[commentSize + 22];
        raf.seek(fileLen - (commentSize + 22));
        raf.readFully(eocd);
        // end-of-central-directory record.
        if (eocd[0] != (byte) 0x50 || eocd[1] != (byte) 0x4b || eocd[2] != (byte) 0x05 || eocd[3] != (byte) 0x06) {
            throw new SignatureException("no signature in file (bad footer)");
        }
        for (int i = 4; i < eocd.length - 3; ++i) {
            if (eocd[i] == (byte) 0x50 && eocd[i + 1] == (byte) 0x4b && eocd[i + 2] == (byte) 0x05 && eocd[i + 3] == (byte) 0x06) {
                throw new SignatureException("EOCD marker found after start of EOCD");
            }
        }
        // The following code is largely copied from
        // JarUtils.verifySignature().  We could just *call* that
        // method here if that function didn't read the entire
        // input (ie, the whole OTA package) into memory just to
        // compute its message digest.
        BerInputStream bis = new BerInputStream(new ByteArrayInputStream(eocd, commentSize + 22 - signatureStart, signatureStart));
        ContentInfo info = (ContentInfo) ContentInfo.ASN1.decode(bis);
        SignedData signedData = info.getSignedData();
        if (signedData == null) {
            throw new IOException("signedData is null");
        }
        Collection encCerts = signedData.getCertificates();
        if (encCerts.isEmpty()) {
            throw new IOException("encCerts is empty");
        }
        // Take the first certificate from the signature (packages
        // should contain only one).
        Iterator it = encCerts.iterator();
        X509Certificate cert = null;
        if (it.hasNext()) {
            cert = new X509CertImpl((org.apache.harmony.security.x509.Certificate) it.next());
        } else {
            throw new SignatureException("signature contains no certificates");
        }
        List sigInfos = signedData.getSignerInfos();
        SignerInfo sigInfo;
        if (!sigInfos.isEmpty()) {
            sigInfo = (SignerInfo) sigInfos.get(0);
        } else {
            throw new IOException("no signer infos!");
        }
        // Check that the public key of the certificate contained
        // in the package equals one of our trusted public keys.
        HashSet<Certificate> trusted = getTrustedCerts(deviceCertsZipFile == null ? DEFAULT_KEYSTORE : deviceCertsZipFile);
        PublicKey signatureKey = cert.getPublicKey();
        boolean verified = false;
        for (Certificate c : trusted) {
            if (c.getPublicKey().equals(signatureKey)) {
                verified = true;
                break;
            }
        }
        if (!verified) {
            throw new SignatureException("signature doesn't match any trusted key");
        }
        // The signature cert matches a trusted key.  Now verify that
        // the digest in the cert matches the actual file data.
        // The verifier in recovery *only* handles SHA1withRSA
        // signatures.  SignApk.java always uses SHA1withRSA, no
        // matter what the cert says to use.  Ignore
        // cert.getSigAlgName(), and instead use whatever
        // algorithm is used by the signature (which should be
        // SHA1withRSA).
        String da = sigInfo.getDigestAlgorithm();
        String dea = sigInfo.getDigestEncryptionAlgorithm();
        String alg = null;
        if (da == null || dea == null) {
            // fall back to the cert algorithm if the sig one
            // doesn't look right.
            alg = cert.getSigAlgName();
        } else {
            alg = da + "with" + dea;
        }
        Signature sig = Signature.getInstance(alg);
        sig.initVerify(cert);
        // The signature covers all of the OTA package except the
        // archive comment and its 2-byte length.
        long toRead = fileLen - commentSize - 2;
        long soFar = 0;
        raf.seek(0);
        byte[] buffer = new byte[4096];
        boolean interrupted = false;
        while (soFar < toRead) {
            interrupted = Thread.interrupted();
            if (interrupted)
                break;
            int size = buffer.length;
            if (soFar + size > toRead) {
                size = (int) (toRead - soFar);
            }
            int read = raf.read(buffer, 0, size);
            sig.update(buffer, 0, read);
            soFar += read;
            if (listener != null) {
                long now = System.currentTimeMillis();
                int p = (int) (soFar * 100 / toRead);
                if (p > lastPercent && now - lastPublishTime > PUBLISH_PROGRESS_INTERVAL_MS) {
                    lastPercent = p;
                    lastPublishTime = now;
                    listener.onProgress(lastPercent);
                }
            }
        }
        if (listener != null) {
            listener.onProgress(100);
        }
        if (interrupted) {
            throw new SignatureException("verification was interrupted");
        }
        if (!sig.verify(sigInfo.getEncryptedDigest())) {
            throw new SignatureException("signature digest verification failed");
        }
    } finally {
        raf.close();
    }
}
Also used : SignedData(org.apache.harmony.security.pkcs7.SignedData) PublicKey(java.security.PublicKey) SignatureException(java.security.SignatureException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) SignerInfo(org.apache.harmony.security.pkcs7.SignerInfo) RandomAccessFile(java.io.RandomAccessFile) ByteArrayInputStream(java.io.ByteArrayInputStream) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) X509CertImpl(org.apache.harmony.security.provider.cert.X509CertImpl) Signature(java.security.Signature) Iterator(java.util.Iterator) Collection(java.util.Collection) List(java.util.List) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 49 with Signature

use of java.security.Signature in project jersey by jersey.

the class RsaSha1Method method sign.

/**
     * Generates the RSA-SHA1 signature of OAuth request elements.
     *
     * @param baseString the combined OAuth elements to sign.
     * @param secrets the secrets object containing the private key for generating the signature.
     * @return the OAuth signature, in base64-encoded form.
     * @throws InvalidSecretException if the supplied secret is not valid.
     */
@Override
public String sign(final String baseString, final OAuth1Secrets secrets) throws InvalidSecretException {
    final Signature signature;
    try {
        signature = Signature.getInstance(SIGNATURE_ALGORITHM);
    } catch (final NoSuchAlgorithmException nsae) {
        throw new IllegalStateException(nsae);
    }
    byte[] decodedPrivateKey;
    try {
        decodedPrivateKey = Base64.decode(secrets.getConsumerSecret());
    } catch (final IOException ioe) {
        throw new InvalidSecretException(LocalizationMessages.ERROR_INVALID_CONSUMER_SECRET(ioe));
    }
    final KeyFactory keyFactory;
    try {
        keyFactory = KeyFactory.getInstance(KEY_TYPE);
    } catch (final NoSuchAlgorithmException nsae) {
        throw new IllegalStateException(nsae);
    }
    final EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decodedPrivateKey);
    final RSAPrivateKey rsaPrivateKey;
    try {
        rsaPrivateKey = (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
    } catch (final InvalidKeySpecException ikse) {
        throw new IllegalStateException(ikse);
    }
    try {
        signature.initSign(rsaPrivateKey);
    } catch (final InvalidKeyException ike) {
        throw new IllegalStateException(ike);
    }
    try {
        signature.update(baseString.getBytes());
    } catch (final SignatureException se) {
        throw new IllegalStateException(se);
    }
    final byte[] rsasha1;
    try {
        rsasha1 = signature.sign();
    } catch (final SignatureException se) {
        throw new IllegalStateException(se);
    }
    return Base64.encode(rsasha1);
}
Also used : NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) SignatureException(java.security.SignatureException) InvalidKeyException(java.security.InvalidKeyException) Signature(java.security.Signature) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) KeyFactory(java.security.KeyFactory) EncodedKeySpec(java.security.spec.EncodedKeySpec) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)

Example 50 with Signature

use of java.security.Signature in project XobotOS by xamarin.

the class RecoverySystem method verifyPackage.

/**
     * Verify the cryptographic signature of a system update package
     * before installing it.  Note that the package is also verified
     * separately by the installer once the device is rebooted into
     * the recovery system.  This function will return only if the
     * package was successfully verified; otherwise it will throw an
     * exception.
     *
     * Verification of a package can take significant time, so this
     * function should not be called from a UI thread.  Interrupting
     * the thread while this function is in progress will result in a
     * SecurityException being thrown (and the thread's interrupt flag
     * will be cleared).
     *
     * @param packageFile  the package to be verified
     * @param listener     an object to receive periodic progress
     * updates as verification proceeds.  May be null.
     * @param deviceCertsZipFile  the zip file of certificates whose
     * public keys we will accept.  Verification succeeds if the
     * package is signed by the private key corresponding to any
     * public key in this file.  May be null to use the system default
     * file (currently "/system/etc/security/otacerts.zip").
     *
     * @throws IOException if there were any errors reading the
     * package or certs files.
     * @throws GeneralSecurityException if verification failed
     */
public static void verifyPackage(File packageFile, ProgressListener listener, File deviceCertsZipFile) throws IOException, GeneralSecurityException {
    long fileLen = packageFile.length();
    RandomAccessFile raf = new RandomAccessFile(packageFile, "r");
    try {
        int lastPercent = 0;
        long lastPublishTime = System.currentTimeMillis();
        if (listener != null) {
            listener.onProgress(lastPercent);
        }
        raf.seek(fileLen - 6);
        byte[] footer = new byte[6];
        raf.readFully(footer);
        if (footer[2] != (byte) 0xff || footer[3] != (byte) 0xff) {
            throw new SignatureException("no signature in file (no footer)");
        }
        int commentSize = (footer[4] & 0xff) | ((footer[5] & 0xff) << 8);
        int signatureStart = (footer[0] & 0xff) | ((footer[1] & 0xff) << 8);
        Log.v(TAG, String.format("comment size %d; signature start %d", commentSize, signatureStart));
        byte[] eocd = new byte[commentSize + 22];
        raf.seek(fileLen - (commentSize + 22));
        raf.readFully(eocd);
        // end-of-central-directory record.
        if (eocd[0] != (byte) 0x50 || eocd[1] != (byte) 0x4b || eocd[2] != (byte) 0x05 || eocd[3] != (byte) 0x06) {
            throw new SignatureException("no signature in file (bad footer)");
        }
        for (int i = 4; i < eocd.length - 3; ++i) {
            if (eocd[i] == (byte) 0x50 && eocd[i + 1] == (byte) 0x4b && eocd[i + 2] == (byte) 0x05 && eocd[i + 3] == (byte) 0x06) {
                throw new SignatureException("EOCD marker found after start of EOCD");
            }
        }
        // The following code is largely copied from
        // JarUtils.verifySignature().  We could just *call* that
        // method here if that function didn't read the entire
        // input (ie, the whole OTA package) into memory just to
        // compute its message digest.
        BerInputStream bis = new BerInputStream(new ByteArrayInputStream(eocd, commentSize + 22 - signatureStart, signatureStart));
        ContentInfo info = (ContentInfo) ContentInfo.ASN1.decode(bis);
        SignedData signedData = info.getSignedData();
        if (signedData == null) {
            throw new IOException("signedData is null");
        }
        Collection encCerts = signedData.getCertificates();
        if (encCerts.isEmpty()) {
            throw new IOException("encCerts is empty");
        }
        // Take the first certificate from the signature (packages
        // should contain only one).
        Iterator it = encCerts.iterator();
        X509Certificate cert = null;
        if (it.hasNext()) {
            cert = new X509CertImpl((org.apache.harmony.security.x509.Certificate) it.next());
        } else {
            throw new SignatureException("signature contains no certificates");
        }
        List sigInfos = signedData.getSignerInfos();
        SignerInfo sigInfo;
        if (!sigInfos.isEmpty()) {
            sigInfo = (SignerInfo) sigInfos.get(0);
        } else {
            throw new IOException("no signer infos!");
        }
        // Check that the public key of the certificate contained
        // in the package equals one of our trusted public keys.
        HashSet<Certificate> trusted = getTrustedCerts(deviceCertsZipFile == null ? DEFAULT_KEYSTORE : deviceCertsZipFile);
        PublicKey signatureKey = cert.getPublicKey();
        boolean verified = false;
        for (Certificate c : trusted) {
            if (c.getPublicKey().equals(signatureKey)) {
                verified = true;
                break;
            }
        }
        if (!verified) {
            throw new SignatureException("signature doesn't match any trusted key");
        }
        // The signature cert matches a trusted key.  Now verify that
        // the digest in the cert matches the actual file data.
        // The verifier in recovery *only* handles SHA1withRSA
        // signatures.  SignApk.java always uses SHA1withRSA, no
        // matter what the cert says to use.  Ignore
        // cert.getSigAlgName(), and instead use whatever
        // algorithm is used by the signature (which should be
        // SHA1withRSA).
        String da = sigInfo.getDigestAlgorithm();
        String dea = sigInfo.getDigestEncryptionAlgorithm();
        String alg = null;
        if (da == null || dea == null) {
            // fall back to the cert algorithm if the sig one
            // doesn't look right.
            alg = cert.getSigAlgName();
        } else {
            alg = da + "with" + dea;
        }
        Signature sig = Signature.getInstance(alg);
        sig.initVerify(cert);
        // The signature covers all of the OTA package except the
        // archive comment and its 2-byte length.
        long toRead = fileLen - commentSize - 2;
        long soFar = 0;
        raf.seek(0);
        byte[] buffer = new byte[4096];
        boolean interrupted = false;
        while (soFar < toRead) {
            interrupted = Thread.interrupted();
            if (interrupted)
                break;
            int size = buffer.length;
            if (soFar + size > toRead) {
                size = (int) (toRead - soFar);
            }
            int read = raf.read(buffer, 0, size);
            sig.update(buffer, 0, read);
            soFar += read;
            if (listener != null) {
                long now = System.currentTimeMillis();
                int p = (int) (soFar * 100 / toRead);
                if (p > lastPercent && now - lastPublishTime > PUBLISH_PROGRESS_INTERVAL_MS) {
                    lastPercent = p;
                    lastPublishTime = now;
                    listener.onProgress(lastPercent);
                }
            }
        }
        if (listener != null) {
            listener.onProgress(100);
        }
        if (interrupted) {
            throw new SignatureException("verification was interrupted");
        }
        if (!sig.verify(sigInfo.getEncryptedDigest())) {
            throw new SignatureException("signature digest verification failed");
        }
    } finally {
        raf.close();
    }
}
Also used : SignedData(org.apache.harmony.security.pkcs7.SignedData) PublicKey(java.security.PublicKey) SignatureException(java.security.SignatureException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) SignerInfo(org.apache.harmony.security.pkcs7.SignerInfo) RandomAccessFile(java.io.RandomAccessFile) ByteArrayInputStream(java.io.ByteArrayInputStream) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) X509CertImpl(org.apache.harmony.security.provider.cert.X509CertImpl) Signature(java.security.Signature) Iterator(java.util.Iterator) Collection(java.util.Collection) List(java.util.List) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

Signature (java.security.Signature)261 SignatureException (java.security.SignatureException)84 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)70 InvalidKeyException (java.security.InvalidKeyException)61 PublicKey (java.security.PublicKey)61 PrivateKey (java.security.PrivateKey)43 IOException (java.io.IOException)42 KeyFactory (java.security.KeyFactory)41 X509Certificate (java.security.cert.X509Certificate)26 RSAPublicKeySpec (java.security.spec.RSAPublicKeySpec)23 KeyPair (java.security.KeyPair)19 InvalidKeySpecException (java.security.spec.InvalidKeySpecException)19 GeneralSecurityException (java.security.GeneralSecurityException)16 KeyPairGenerator (java.security.KeyPairGenerator)16 MySignature1 (org.apache.harmony.security.tests.support.MySignature1)16 ByteArrayInputStream (java.io.ByteArrayInputStream)14 BigInteger (java.math.BigInteger)14 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)14 CertificateException (java.security.cert.CertificateException)14 X509EncodedKeySpec (java.security.spec.X509EncodedKeySpec)14