test/sun/security/tools/jarsigner/TimestampCheck.java





  23 
  24 import com.sun.net.httpserver.*;
  25 import java.io.BufferedReader;
  26 import java.io.ByteArrayOutputStream;
  27 import java.io.FileInputStream;
  28 import java.io.IOException;
  29 import java.io.InputStream;
  30 import java.io.InputStreamReader;
  31 import java.io.OutputStream;
  32 import java.math.BigInteger;
  33 import java.net.InetSocketAddress;
  34 import java.security.KeyStore;
  35 import java.security.PrivateKey;
  36 import java.security.Signature;
  37 import java.security.cert.Certificate;
  38 import java.security.cert.X509Certificate;
  39 import java.util.Calendar;
  40 import java.util.jar.JarEntry;
  41 import java.util.jar.JarFile;
  42 
  43 import sun.misc.IOUtils;
  44 import sun.security.pkcs.ContentInfo;
  45 import sun.security.pkcs.PKCS7;
  46 import sun.security.pkcs.PKCS9Attribute;
  47 import sun.security.pkcs.SignerInfo;
  48 import sun.security.timestamp.TimestampToken;
  49 import sun.security.util.DerOutputStream;
  50 import sun.security.util.DerValue;
  51 import sun.security.util.ObjectIdentifier;
  52 import sun.security.x509.AlgorithmId;
  53 import sun.security.x509.X500Name;
  54 
  55 public class TimestampCheck {
  56     static final String TSKS = "tsks";
  57     static final String JAR = "old.jar";
  58 
  59     static final String defaultPolicyId = "2.3.4.5";
  60 
  61     static class Handler implements HttpHandler, AutoCloseable {
  62 
  63         private final HttpServer httpServer;


 326                 jarsigner(cmd, 7, false);   // tsbad2
 327                 jarsigner(cmd, 8, false);   // tsbad3
 328                 jarsigner(cmd, 9, false);   // no cert in timestamp
 329                 jarsigner(cmd + " -tsapolicyid 1.2.3.4", 10, true);
 330                 checkTimestamp("new_10.jar", "1.2.3.4", "SHA-256");
 331                 jarsigner(cmd + " -tsapolicyid 1.2.3.5", 11, false);
 332                 jarsigner(cmd + " -tsadigestalg SHA", 12, true);
 333                 checkTimestamp("new_12.jar", defaultPolicyId, "SHA-1");
 334             } else {                        // Run as a standalone server
 335                 System.err.println("Press Enter to quit server");
 336                 System.in.read();
 337             }
 338         }
 339     }
 340 
 341     static void checkTimestamp(String file, String policyId, String digestAlg)
 342             throws Exception {
 343         try (JarFile jf = new JarFile(file)) {
 344             JarEntry je = jf.getJarEntry("META-INF/OLD.RSA");
 345             try (InputStream is = jf.getInputStream(je)) {
 346                 byte[] content = IOUtils.readFully(is, -1, true);
 347                 PKCS7 p7 = new PKCS7(content);
 348                 SignerInfo[] si = p7.getSignerInfos();
 349                 if (si == null || si.length == 0) {
 350                     throw new Exception("Not signed");
 351                 }
 352                 PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes()
 353                         .getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
 354                 PKCS7 tsToken = new PKCS7((byte[]) p9.getValue());
 355                 TimestampToken tt =
 356                         new TimestampToken(tsToken.getContentInfo().getData());
 357                 if (!tt.getHashAlgorithm().toString().equals(digestAlg)) {
 358                     throw new Exception("Digest alg different");
 359                 }
 360                 if (!tt.getPolicyID().equals(policyId)) {
 361                     throw new Exception("policyId different");
 362                 }
 363             }
 364         }
 365     }
 366 




  23 
  24 import com.sun.net.httpserver.*;
  25 import java.io.BufferedReader;
  26 import java.io.ByteArrayOutputStream;
  27 import java.io.FileInputStream;
  28 import java.io.IOException;
  29 import java.io.InputStream;
  30 import java.io.InputStreamReader;
  31 import java.io.OutputStream;
  32 import java.math.BigInteger;
  33 import java.net.InetSocketAddress;
  34 import java.security.KeyStore;
  35 import java.security.PrivateKey;
  36 import java.security.Signature;
  37 import java.security.cert.Certificate;
  38 import java.security.cert.X509Certificate;
  39 import java.util.Calendar;
  40 import java.util.jar.JarEntry;
  41 import java.util.jar.JarFile;
  42 

  43 import sun.security.pkcs.ContentInfo;
  44 import sun.security.pkcs.PKCS7;
  45 import sun.security.pkcs.PKCS9Attribute;
  46 import sun.security.pkcs.SignerInfo;
  47 import sun.security.timestamp.TimestampToken;
  48 import sun.security.util.DerOutputStream;
  49 import sun.security.util.DerValue;
  50 import sun.security.util.ObjectIdentifier;
  51 import sun.security.x509.AlgorithmId;
  52 import sun.security.x509.X500Name;
  53 
  54 public class TimestampCheck {
  55     static final String TSKS = "tsks";
  56     static final String JAR = "old.jar";
  57 
  58     static final String defaultPolicyId = "2.3.4.5";
  59 
  60     static class Handler implements HttpHandler, AutoCloseable {
  61 
  62         private final HttpServer httpServer;


 325                 jarsigner(cmd, 7, false);   // tsbad2
 326                 jarsigner(cmd, 8, false);   // tsbad3
 327                 jarsigner(cmd, 9, false);   // no cert in timestamp
 328                 jarsigner(cmd + " -tsapolicyid 1.2.3.4", 10, true);
 329                 checkTimestamp("new_10.jar", "1.2.3.4", "SHA-256");
 330                 jarsigner(cmd + " -tsapolicyid 1.2.3.5", 11, false);
 331                 jarsigner(cmd + " -tsadigestalg SHA", 12, true);
 332                 checkTimestamp("new_12.jar", defaultPolicyId, "SHA-1");
 333             } else {                        // Run as a standalone server
 334                 System.err.println("Press Enter to quit server");
 335                 System.in.read();
 336             }
 337         }
 338     }
 339 
 340     static void checkTimestamp(String file, String policyId, String digestAlg)
 341             throws Exception {
 342         try (JarFile jf = new JarFile(file)) {
 343             JarEntry je = jf.getJarEntry("META-INF/OLD.RSA");
 344             try (InputStream is = jf.getInputStream(je)) {
 345                 byte[] content = is.readAllBytes();
 346                 PKCS7 p7 = new PKCS7(content);
 347                 SignerInfo[] si = p7.getSignerInfos();
 348                 if (si == null || si.length == 0) {
 349                     throw new Exception("Not signed");
 350                 }
 351                 PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes()
 352                         .getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
 353                 PKCS7 tsToken = new PKCS7((byte[]) p9.getValue());
 354                 TimestampToken tt =
 355                         new TimestampToken(tsToken.getContentInfo().getData());
 356                 if (!tt.getHashAlgorithm().toString().equals(digestAlg)) {
 357                     throw new Exception("Digest alg different");
 358                 }
 359                 if (!tt.getPolicyID().equals(policyId)) {
 360                     throw new Exception("policyId different");
 361                 }
 362             }
 363         }
 364     }
 365
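Review bot: In checkTimestamp on the new side (gutter 343–353), a jar that has no META-INF/OLD.RSA entry, or whose first SignerInfo carries no timestamp-token attribute, fails with a NullPointerException from `jf.getInputStream(je)` or `p9.getValue()` instead of a diagnostic, whereas the empty-signer case already gets an explicit "Not signed" message; the switch to `is.readAllBytes()` does not change this. Consider `if (je == null) throw new Exception("No META-INF/OLD.RSA entry in " + file);` right after the getJarEntry call and `if (p9 == null) throw new Exception("No timestamp token in signature");` before the token is parsed, so the negative jarsigner cases in the caller report why the check failed rather than where it crashed. It may also be worth guarding `getUnauthenticatedAttributes()` against a null return, though whether it can be null for these inputs is not visible here. The method that precedes checkTimestamp starts before this section.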