
Example 1 with SignerInfo

use of org.eclipse.osgi.signedcontent.SignerInfo in project rt.equinox.framework by eclipse.

the class SignatureBlockProcessor method process.

/**
 * Builds the signed-content description of the wrapped bundle from the signature
 * block files found directly under the META-INF directory.
 *
 * <p>Unsigned content is returned in two cases: the bundle has no manifest entry,
 * or no entry under META-INF ends with {@code DOT_DSA} or {@code DOT_RSA}. Only
 * those two suffixes are collected here, compared with the case-sensitive
 * {@link String#endsWith(String)}. A bundle whose only signature block uses some
 * other suffix is therefore reported as unsigned by this method, not as a
 * verification failure.
 *
 * <p>Per-entry digest results are handed to the returned object only when
 * {@code SignedBundleHook.VERIFY_RUNTIME} is set in {@code supportFlags};
 * otherwise {@code null} is passed in their place.
 *
 * @return the signed (or unsigned) content for the bundle
 * @throws IOException and the listed security exceptions, as propagated from the
 *         helpers called here (manifest read and per-signer processing)
 */
public SignedContentImpl process() throws IOException, InvalidKeyException, SignatureException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
    BundleFile wrappedBundleFile = signedBundle.getBundleFile();
    BundleEntry manifestEntry = wrappedBundleFile.getEntry(META_INF_MANIFEST_MF);
    if (manifestEntry == null) {
        // without a manifest there is nothing a signature could cover
        return createUnsignedContent();
    }

    // collect the names of the signature block files
    List<String> signatureBlocks = new ArrayList<>(2);
    Enumeration<String> metaInfPaths = wrappedBundleFile.getEntryPaths(META_INF);
    while (metaInfPaths.hasMoreElements()) {
        String path = metaInfPaths.nextElement();
        boolean blockSuffix = path.endsWith(DOT_DSA) || path.endsWith(DOT_RSA);
        // exactly one '/' in the path: entries in nested directories are skipped
        boolean singleSeparator = path.indexOf('/') == path.lastIndexOf('/');
        if (blockSuffix && singleSeparator) {
            signatureBlocks.add(path);
        }
    }
    if (signatureBlocks.isEmpty()) {
        // no signature block file: the jar is treated as not signed
        return createUnsignedContent();
    }

    byte[] manifestBytes = readIntoArray(manifestEntry);
    for (String blockPath : signatureBlocks) {
        processSigner(wrappedBundleFile, manifestBytes, blockPath);
    }

    // all signers processed; assemble the SignedContent to return
    SignerInfo[] allSigners = signerInfos.toArray(new SignerInfo[signerInfos.size()]);
    for (Map.Entry<String, Object> entry : contentMDResults.entrySet()) {
        // NOTE(review): each value is assumed to be a two-element array of lists
        // (signers at [0], digest bytes at [1]); where it is filled in is not visible here
        @SuppressWarnings("unchecked")
        List<Object>[] collected = (List<Object>[]) entry.getValue();
        SignerInfo[] entrySigners = collected[0].toArray(new SignerInfo[collected[0].size()]);
        byte[][] entryResults = collected[1].toArray(new byte[collected[1].size()][]);
        // replace the list pair with fixed arrays in the same map entry
        entry.setValue(new Object[] { entrySigners, entryResults });
    }

    boolean runtimeVerification = (supportFlags & SignedBundleHook.VERIFY_RUNTIME) != 0;
    SignedContentImpl result = new SignedContentImpl(allSigners, runtimeVerification ? contentMDResults : null);
    result.setContent(signedBundle);
    result.setTSASignerInfos(tsaSignerInfos);
    return result;
}
Also used : BundleEntry(org.eclipse.osgi.storage.bundlefile.BundleEntry) SignerInfo(org.eclipse.osgi.signedcontent.SignerInfo) BundleEntry(org.eclipse.osgi.storage.bundlefile.BundleEntry) FrameworkLogEntry(org.eclipse.osgi.framework.log.FrameworkLogEntry) BundleFile(org.eclipse.osgi.storage.bundlefile.BundleFile)

Example 2 with SignerInfo

use of org.eclipse.osgi.signedcontent.SignerInfo in project rt.equinox.framework by eclipse.

the class TrustEngineListener method removedTrustAnchor.

/**
 * Reacts to the removal of a trust anchor: every signer (and timestamp-authority
 * signer) whose trust anchor equals {@code anchor} has its anchor cleared, and
 * trust is then re-determined for each bundle that referenced it.
 *
 * <p>The anchor is cleared on all affected signers before any bundle is
 * re-evaluated. The clearing step casts each signer to {@code SignerInfoImpl},
 * so a {@code SignerInfo} of another implementation would raise a
 * {@link ClassCastException} at that point.
 *
 * @param anchor the certificate that is no longer a trust anchor; it is
 *        dereferenced without a null check
 */
public void removedTrustAnchor(Certificate anchor) {
    Set<Bundle> usingAnchor = new HashSet<>();
    Set<SignerInfo> untrustedSigners = new HashSet<>();

    // pass 1: find signed content whose signer infos are rooted at the removed anchor
    for (Bundle candidate : context.getBundles()) {
        SignedContentImpl content = getSignedContent(candidate);
        if (content == null || !content.isSigned()) {
            continue;
        }
        for (SignerInfo signer : content.getSignerInfos()) {
            if (anchor.equals(signer.getTrustAnchor())) {
                // the code signer itself chains to this anchor
                untrustedSigners.add(signer);
                usingAnchor.add(candidate);
            }
            SignerInfo tsa = content.getTSASignerInfo(signer);
            if (tsa != null && anchor.equals(tsa.getTrustAnchor())) {
                // the timestamp signer chains to this anchor
                usingAnchor.add(candidate);
                untrustedSigners.add(tsa);
            }
        }
    }

    // pass 2: drop the anchor from every affected signer
    for (SignerInfo signer : untrustedSigners) {
        ((SignerInfoImpl) signer).setTrustAnchor(null);
    }

    // pass 3: re-establish trust for each bundle that used the anchor
    for (Bundle bundle : usingAnchor) {
        SignedContentImpl content = getSignedContent(bundle);
        signedBundleHook.determineTrust(content, SignedBundleHook.VERIFY_TRUST);
    }
}
Also used : SignerInfo(org.eclipse.osgi.signedcontent.SignerInfo) Bundle(org.osgi.framework.Bundle) EquinoxBundle(org.eclipse.osgi.internal.framework.EquinoxBundle)

Example 3 with SignerInfo

use of org.eclipse.osgi.signedcontent.SignerInfo in project rt.equinox.framework by eclipse.

the class EquinoxBundle method getSignerCertificates.

/**
 * Returns the signer certificates of this bundle, keyed by the first certificate
 * of each signer's chain and mapped to the full chain.
 *
 * <p>The signer infos are fetched from the signed-content factory on first use
 * and then kept in the {@code signerInfos} field. With
 * {@code signersType == SIGNERS_TRUSTED}, signers for which
 * {@code isTrusted()} is false are left out.
 *
 * <p>Any exception raised while obtaining or converting the signer data
 * (including a chain element that is not an {@link X509Certificate}) results in
 * an empty map. Callers therefore cannot tell "unsigned" from "signature data
 * could not be read" by the return value alone; an empty result should be read
 * as "no usable signer", never as evidence of a trusted state.
 *
 * @param signersType selects all signers or only trusted ones
 * @return a map from signer certificate to its chain, empty when there is no
 *         factory, no signer, or an error occurred
 */
@Override
public Map<X509Certificate, List<X509Certificate>> getSignerCertificates(int signersType) {
    SignedContentFactory factory = equinoxContainer.getSignedContentFactory();
    if (factory == null) {
        return Collections.emptyMap();
    }
    try {
        SignerInfo[] infos = signerInfos;
        if (infos == null) {
            // first call: resolve the signers and remember them in the field
            infos = factory.getSignedContent(this).getSignerInfos();
            signerInfos = infos;
        }
        if (infos.length == 0) {
            return Collections.emptyMap();
        }
        Map<X509Certificate, List<X509Certificate>> results = new HashMap<>(infos.length);
        for (SignerInfo info : infos) {
            boolean trustedOnly = signersType == SIGNERS_TRUSTED;
            if (trustedOnly && !info.isTrusted()) {
                continue;
            }
            Certificate[] certs = info.getCertificateChain();
            if (certs == null || certs.length == 0) {
                continue;
            }
            List<X509Certificate> certChain = new ArrayList<>();
            for (Certificate cert : certs) {
                // a non-X.509 element throws here and is handled by the catch below
                certChain.add((X509Certificate) cert);
            }
            // two signers sharing the same first certificate end up in one map entry
            results.put((X509Certificate) certs[0], certChain);
        }
        return results;
    } catch (Exception e) {
        // every failure is reported as "no signers"
        return Collections.emptyMap();
    }
}
Also used : HashMap(java.util.HashMap) SignedContentFactory(org.eclipse.osgi.signedcontent.SignedContentFactory) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) BundleException(org.osgi.framework.BundleException) IOException(java.io.IOException) SignerInfo(org.eclipse.osgi.signedcontent.SignerInfo) SignedContent(org.eclipse.osgi.signedcontent.SignedContent) List(java.util.List) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 4 with SignerInfo

use of org.eclipse.osgi.signedcontent.SignerInfo in project rt.equinox.framework by eclipse.

the class SignerInfoImpl method equals.

/**
 * Compares this signer with another {@code SignerInfo}.
 *
 * <p>Two signers are equal when their message digest algorithms are equal,
 * their certificate chains have the same length and equal certificates at every
 * position, and their trust anchors are equal (or both {@code null}). Trust
 * anchor state is thus part of identity: clearing or setting the anchor changes
 * the outcome of this comparison.
 *
 * <p>NOTE(review): the other object's chain is dereferenced without a null
 * check, and no matching {@code hashCode} is visible in this excerpt; confirm
 * both against the full class.
 *
 * @param obj the object to compare with
 * @return {@code true} if {@code obj} describes the same signer
 */
public boolean equals(Object obj) {
    if (!(obj instanceof SignerInfo)) {
        return false;
    }
    if (obj == this) {
        return true;
    }
    SignerInfo that = (SignerInfo) obj;
    if (!mdAlgorithm.equals(that.getMessageDigestAlgorithm())) {
        return false;
    }
    Certificate[] thatChain = that.getCertificateChain();
    if (thatChain.length != chain.length) {
        return false;
    }
    // chains must match certificate by certificate, in order
    int idx = 0;
    while (idx < chain.length) {
        if (!chain[idx].equals(thatChain[idx])) {
            return false;
        }
        idx++;
    }
    if (trustAnchor == null) {
        return that.getTrustAnchor() == null;
    }
    return trustAnchor.equals(that.getTrustAnchor());
}
Also used : SignerInfo(org.eclipse.osgi.signedcontent.SignerInfo) Certificate(java.security.cert.Certificate)

Example 5 with SignerInfo

use of org.eclipse.osgi.signedcontent.SignerInfo in project rt.equinox.framework by eclipse.

the class ModuleClassLoader method createProtectionDomain.

/**
 * Creates a ProtectionDomain for the given BundleFile that carries the
 * permissions of the generation's base domain.
 *
 * <p>Security-relevant behaviour visible in this method:
 * <ul>
 * <li>When the generation has no base domain, the domain is created with
 * {@code ALLPERMISSIONS}.</li>
 * <li>Certificates are attached to the CodeSource only when the
 * {@code CLASS_CERTIFICATE} configuration flag is set and the bundle file wraps
 * signed content that reports itself as signed; in that case only the chain of
 * the first signer ({@code signers[0]}) is used.</li>
 * <li>If the base file cannot be turned into a URL, the base domain itself is
 * returned, which may be {@code null}.</li>
 * </ul>
 *
 * @param bundlefile The source bundlefile the domain is for.
 * @param domainGeneration the source generation for the domain
 * @return a ProtectionDomain which uses specified BundleFile and the permissions of the baseDomain
 */
@SuppressWarnings("deprecation")
protected ProtectionDomain createProtectionDomain(BundleFile bundlefile, Generation domainGeneration) {
    // the domain needs to know the codesource for this classpath entry (bug 89904)
    ProtectionDomain baseDomain = domainGeneration.getDomain();
    try {
        PermissionCollection permissions;
        if (baseDomain == null) {
            // no domain specified: fall back to a collection holding all permissions,
            // in case someone sets the security manager later
            permissions = ALLPERMISSIONS;
        } else {
            // use the permissions supplied by the domain passed in from the framework
            permissions = baseDomain.getPermissions();
        }

        // walk the wrapper chain until a link wrapping SignedContent is found
        SignedContent signedContent = null;
        if (bundlefile instanceof BundleFileWrapperChain) {
            BundleFileWrapperChain link = (BundleFileWrapperChain) bundlefile;
            for (; link != null; link = link.getNext()) {
                if (link.getWrapped() instanceof SignedContent) {
                    signedContent = (SignedContent) link.getWrapped();
                    break;
                }
            }
        }

        Certificate[] certs = null;
        if (getConfiguration().CLASS_CERTIFICATE && signedContent != null && signedContent.isSigned()) {
            SignerInfo[] signers = signedContent.getSignerInfos();
            if (signers.length > 0) {
                // only the first signer's chain ends up in the CodeSource
                certs = signers[0].getCertificateChain();
            }
        }

        File file = bundlefile.getBaseFile();
        // Bug 477787: file will be null when the osgi.framework configuration property contains an invalid value.
        CodeSource codeSource = file == null ? null : new CodeSource(file.toURL(), certs);
        return new GenerationProtectionDomain(codeSource, permissions, getGeneration());
    } catch (MalformedURLException e) {
        // Failed to create our own domain; just return the baseDomain
        return baseDomain;
    }
}
Also used : BundleFileWrapperChain(org.eclipse.osgi.storage.bundlefile.BundleFileWrapperChain) SignedContent(org.eclipse.osgi.signedcontent.SignedContent) SignerInfo(org.eclipse.osgi.signedcontent.SignerInfo) MalformedURLException(java.net.MalformedURLException) File(java.io.File) BundleFile(org.eclipse.osgi.storage.bundlefile.BundleFile) Certificate(java.security.cert.Certificate)

Aggregations

SignerInfo (org.eclipse.osgi.signedcontent.SignerInfo)5 Certificate (java.security.cert.Certificate)3 SignedContent (org.eclipse.osgi.signedcontent.SignedContent)2 BundleFile (org.eclipse.osgi.storage.bundlefile.BundleFile)2 File (java.io.File)1 IOException (java.io.IOException)1 MalformedURLException (java.net.MalformedURLException)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 List (java.util.List)1 FrameworkLogEntry (org.eclipse.osgi.framework.log.FrameworkLogEntry)1 EquinoxBundle (org.eclipse.osgi.internal.framework.EquinoxBundle)1 SignedContentFactory (org.eclipse.osgi.signedcontent.SignedContentFactory)1 BundleEntry (org.eclipse.osgi.storage.bundlefile.BundleEntry)1 BundleFileWrapperChain (org.eclipse.osgi.storage.bundlefile.BundleFileWrapperChain)1 Bundle (org.osgi.framework.Bundle)1 BundleException (org.osgi.framework.BundleException)1