001: /*
002: * Copyright 1997-2006 Sun Microsystems, Inc. All Rights Reserved.
003: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
004: *
005: * This code is free software; you can redistribute it and/or modify it
006: * under the terms of the GNU General Public License version 2 only, as
007: * published by the Free Software Foundation. Sun designates this
008: * particular file as subject to the "Classpath" exception as provided
009: * by Sun in the LICENSE file that accompanied this code.
010: *
011: * This code is distributed in the hope that it will be useful, but WITHOUT
012: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
013: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
014: * version 2 for more details (a copy is included in the LICENSE file that
015: * accompanied this code).
016: *
017: * You should have received a copy of the GNU General Public License version
018: * 2 along with this work; if not, write to the Free Software Foundation,
019: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
020: *
021: * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
022: * CA 95054 USA or visit www.sun.com if you need additional information or
023: * have any questions.
024: */
025:
026: package sun.security.util;
027:
028: import java.security.*;
029: import java.io.*;
030: import java.security.CodeSigner;
031: import java.util.*;
032: import java.util.jar.*;
033:
034: import sun.misc.BASE64Decoder;
035:
036: import sun.security.jca.Providers;
037:
038: /**
039: * This class is used to verify each entry in a jar file with its
040: * manifest value.
041: */
042:
043: public class ManifestEntryVerifier {
044:
045: private static final Debug debug = Debug.getInstance("jar");
046:
047: private static final Provider digestProvider = Providers
048: .getSunProvider();
049:
050: /** the created digest objects */
051: HashMap<String, MessageDigest> createdDigests;
052:
053: /** the digests in use for a given entry*/
054: ArrayList<MessageDigest> digests;
055:
056: /** the manifest hashes for the digests in use */
057: ArrayList<byte[]> manifestHashes;
058:
059: private BASE64Decoder decoder = null;
060: private String name = null;
061: private Manifest man;
062:
063: private boolean skip = true;
064:
065: private JarEntry entry;
066:
067: private CodeSigner[] signers = null;
068:
069: /**
070: * Create a new ManifestEntryVerifier object.
071: */
072: public ManifestEntryVerifier(Manifest man) {
073: createdDigests = new HashMap<String, MessageDigest>(11);
074: digests = new ArrayList<MessageDigest>();
075: manifestHashes = new ArrayList<byte[]>();
076: decoder = new BASE64Decoder();
077: this .man = man;
078: }
079:
080: /**
081: * Find the hashes in the
082: * manifest for this entry, save them, and set the MessageDigest
083: * objects to calculate the hashes on the fly. If name is
084: * null it signifies that update/verify should ignore this entry.
085: */
086: public void setEntry(String name, JarEntry entry)
087: throws IOException {
088: digests.clear();
089: manifestHashes.clear();
090: this .name = name;
091: this .entry = entry;
092:
093: skip = true;
094: signers = null;
095:
096: if (man == null || name == null) {
097: return;
098: }
099:
100: /* get the headers from the manifest for this entry */
101: /* if there aren't any, we can't verify any digests for this entry */
102:
103: Attributes attr = man.getAttributes(name);
104: if (attr == null) {
105: // ugh. we should be able to remove this at some point.
106: // there are broken jars floating around with ./name and /name
107: // in the manifest, and "name" in the zip/jar file.
108: attr = man.getAttributes("./" + name);
109: if (attr == null) {
110: attr = man.getAttributes("/" + name);
111: if (attr == null)
112: return;
113: }
114: }
115:
116: for (Map.Entry<Object, Object> se : attr.entrySet()) {
117: String key = se.getKey().toString();
118:
119: if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
120: // 7 is length of "-Digest"
121: String algorithm = key.substring(0, key.length() - 7);
122:
123: MessageDigest digest = createdDigests.get(algorithm);
124:
125: if (digest == null) {
126: try {
127:
128: digest = MessageDigest.getInstance(algorithm,
129: digestProvider);
130: createdDigests.put(algorithm, digest);
131: } catch (NoSuchAlgorithmException nsae) {
132: // ignore
133: }
134: }
135:
136: if (digest != null) {
137: skip = false;
138: digest.reset();
139: digests.add(digest);
140: manifestHashes.add(decoder.decodeBuffer((String) se
141: .getValue()));
142: }
143: }
144: }
145: }
146:
147: /**
148: * update the digests for the digests we are interested in
149: */
150: public void update(byte buffer) {
151: if (skip)
152: return;
153:
154: for (int i = 0; i < digests.size(); i++) {
155: digests.get(i).update(buffer);
156: }
157: }
158:
159: /**
160: * update the digests for the digests we are interested in
161: */
162: public void update(byte buffer[], int off, int len) {
163: if (skip)
164: return;
165:
166: for (int i = 0; i < digests.size(); i++) {
167: digests.get(i).update(buffer, off, len);
168: }
169: }
170:
171: /**
172: * get the JarEntry for this object
173: */
174: public JarEntry getEntry() {
175: return entry;
176: }
177:
178: /**
179: * go through all the digests, calculating the final digest
180: * and comparing it to the one in the manifest. If this is
181: * the first time we have verified this object, remove its
182: * code signers from sigFileSigners and place in verifiedSigners.
183: *
184: *
185: */
186: public CodeSigner[] verify(
187: Hashtable<String, CodeSigner[]> verifiedSigners,
188: Hashtable<String, CodeSigner[]> sigFileSigners)
189: throws JarException {
190: if (skip)
191: return null;
192:
193: if (signers != null)
194: return signers;
195:
196: for (int i = 0; i < digests.size(); i++) {
197:
198: MessageDigest digest = digests.get(i);
199: byte[] manHash = manifestHashes.get(i);
200: byte[] theHash = digest.digest();
201:
202: if (debug != null) {
203: debug.println("Manifest Entry: " + name + " digest="
204: + digest.getAlgorithm());
205: debug.println(" manifest " + toHex(manHash));
206: debug.println(" computed " + toHex(theHash));
207: debug.println();
208: }
209:
210: if (!MessageDigest.isEqual(theHash, manHash))
211: throw new SecurityException(digest.getAlgorithm()
212: + " digest error for " + name);
213: }
214:
215: // take it out of sigFileSigners and put it in verifiedSigners...
216: signers = (CodeSigner[]) sigFileSigners.remove(name);
217: if (signers != null) {
218: verifiedSigners.put(name, signers);
219: }
220: return signers;
221: }
222:
223: // for the toHex function
224: private static final char[] hexc = { '0', '1', '2', '3', '4', '5',
225: '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
226:
227: /**
228: * convert a byte array to a hex string for debugging purposes
229: * @param data the binary data to be converted to a hex string
230: * @return an ASCII hex string
231: */
232:
233: static String toHex(byte[] data) {
234:
235: StringBuffer sb = new StringBuffer(data.length * 2);
236:
237: for (int i = 0; i < data.length; i++) {
238: sb.append(hexc[(data[i] >> 4) & 0x0f]);
239: sb.append(hexc[data[i] & 0x0f]);
240: }
241: return sb.toString();
242: }
243:
244: }
|