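--- a/TimestampCheck.java
+++ b/TimestampCheck.java
@@ -23,41 +23,40 @@
 
 import com.sun.net.httpserver.*;
 import java.io.BufferedReader;
 import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.math.BigInteger;
 import java.net.InetSocketAddress;
 import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.Signature;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Calendar;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 
-import sun.misc.IOUtils;
 import sun.security.pkcs.ContentInfo;
 import sun.security.pkcs.PKCS7;
 import sun.security.pkcs.PKCS9Attribute;
 import sun.security.pkcs.SignerInfo;
 import sun.security.timestamp.TimestampToken;
 import sun.security.util.DerOutputStream;
 import sun.security.util.DerValue;
 import sun.security.util.ObjectIdentifier;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
 
 public class TimestampCheck {
 static final String TSKS = "tsks";
 static final String JAR = "old.jar";
 
 static final String defaultPolicyId = "2.3.4.5";
 
 static class Handler implements HttpHandler, AutoCloseable {
 
 private final HttpServer httpServer;
@@ -326,41 +325,41 @@
 jarsigner(cmd, 7, false); // tsbad2
 jarsigner(cmd, 8, false); // tsbad3
 jarsigner(cmd, 9, false); // no cert in timestamp
 jarsigner(cmd + " -tsapolicyid 1.2.3.4", 10, true);
 checkTimestamp("new_10.jar", "1.2.3.4", "SHA-256");
 jarsigner(cmd + " -tsapolicyid 1.2.3.5", 11, false);
 jarsigner(cmd + " -tsadigestalg SHA", 12, true);
 checkTimestamp("new_12.jar", defaultPolicyId, "SHA-1");
 } else { // Run as a standalone server
 System.err.println("Press Enter to quit server");
 System.in.read();
 }
 }
 }
 
 static void checkTimestamp(String file, String policyId, String digestAlg)
 throws Exception {
 try (JarFile jf = new JarFile(file)) {
 JarEntry je = jf.getJarEntry("META-INF/OLD.RSA");
 try (InputStream is = jf.getInputStream(je)) {
-byte[] content = IOUtils.readFully(is, -1, true);
+byte[] content = is.readAllBytes();
 PKCS7 p7 = new PKCS7(content);
 SignerInfo[] si = p7.getSignerInfos();
 if (si == null || si.length == 0) {
 throw new Exception("Not signed");
 }
 PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes()
 .getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
 PKCS7 tsToken = new PKCS7((byte[]) p9.getValue());
 TimestampToken tt =
 new TimestampToken(tsToken.getContentInfo().getData());
 if (!tt.getHashAlgorithm().toString().equals(digestAlg)) {
 throw new Exception("Digest alg different");
 }
 if (!tt.getPolicyID().equals(policyId)) {
 throw new Exception("policyId different");
 }
 }
 }
 }
 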
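Review bot: `p9` on new lines 351–352 is dereferenced on line 353 with no null check, so a signer block that has no unauthenticated attributes (the attribute set itself may be null) or no timestamp-token attribute fails the test with a NullPointerException instead of a diagnostic, and `je` on line 343 is passed to `getInputStream` unchecked in the same way when `META-INF/OLD.RSA` is absent; add `if (je == null) throw new Exception("No signature block");` after `getJarEntry` and `if (p9 == null) throw new Exception("No timestamp token");` before `new PKCS7((byte[]) p9.getValue())`, matching the existing `si == null || si.length == 0` guard. Note also that only `si[0]` is inspected and the digest is matched by `toString()` name — the `-tsadigestalg SHA` versus `"SHA-1"` pairing on lines 331–332 presumably relies on `AlgorithmId` canonicalising the name, and if that is not guaranteed, comparing against `AlgorithmId.get(digestAlg)` would be less brittle. The `main` body on lines 325–338 starts outside the hunk.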