/**
* Returns a string describing this code signer.
*
* @return A string comprising the signer's certificate and a timestamp, if present.
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("(");
sb.append("Signer: " + signerCertPath.getCertificates().get(0));
if (timestamp != null) {
sb.append("timestamp: " + timestamp);
}
sb.append(")");
return sb.toString();
}
/**
* Validates an attribute certificate with the given certificate path.
*
* <p><code>params</code> must be an instance of <code>ExtendedPKIXParameters</code>.
*
* <p>The target constraints in the <code>params</code> must be an <code>
* X509AttributeCertStoreSelector</code> with at least the attribute certificate criterion set.
* Obey that also target informations may be necessary to correctly validate this attribute
* certificate.
*
* <p>The attribute certificate issuer must be added to the trusted attribute issuers with {@link
* ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
*
* @param certPath The certificate path which belongs to the attribute certificate issuer public
* key certificate.
* @param params The PKIX parameters.
* @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the <code>
* certPath</code>.
* @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
* validator.
* @throws CertPathValidatorException if the verification fails.
*/
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params)
throws CertPathValidatorException, InvalidAlgorithmParameterException {
if (!(params instanceof ExtendedPKIXParameters)) {
throw new InvalidAlgorithmParameterException(
"Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
}
ExtendedPKIXParameters pkixParams = (ExtendedPKIXParameters) params;
Selector certSelect = pkixParams.getTargetConstraints();
if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
throw new InvalidAlgorithmParameterException(
"TargetConstraints must be an instance of "
+ X509AttributeCertStoreSelector.class.getName()
+ " for "
+ this.getClass().getName()
+ " class.");
}
X509AttributeCertificate attrCert =
((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, pkixParams);
CertPathValidatorResult result =
RFC3281CertPathUtilities.processAttrCert2(certPath, pkixParams);
X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
RFC3281CertPathUtilities.processAttrCert3(issuerCert, pkixParams);
RFC3281CertPathUtilities.processAttrCert4(issuerCert, pkixParams);
RFC3281CertPathUtilities.processAttrCert5(attrCert, pkixParams);
// 6 already done in X509AttributeCertStoreSelector
RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
RFC3281CertPathUtilities.additionalChecks(attrCert, pkixParams);
Date date = null;
try {
date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(pkixParams, null, -1);
} catch (AnnotatedException e) {
throw new ExtCertPathValidatorException(
"Could not get validity date from attribute certificate.", e);
}
RFC3281CertPathUtilities.checkCRLs(
attrCert, pkixParams, issuerCert, date, certPath.getCertificates());
return result;
}
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
throws CertificateException {
List list = path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert == null) {
throw new ValidatorException("TrustAnchor must be specified as certificate");
}
chain[chain.length - 1] = trustedCert;
return chain;
}
protected static Date getValidCertDateFromValidityModel(
ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index) throws AnnotatedException {
if (paramsPKIX.getValidityModel() == ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
// if end cert use given signing/encryption/... time
if (index <= 0) {
return CertPathValidatorUtilities.getValidDate(paramsPKIX);
// else use time when previous cert was created
} else {
if (index - 1 == 0) {
DERGeneralizedTime dateOfCertgen = null;
try {
byte[] extBytes =
((X509Certificate) certPath.getCertificates().get(index - 1))
.getExtensionValue(
ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
if (extBytes != null) {
dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes));
}
} catch (IOException e) {
throw new AnnotatedException("Date of cert gen extension could not be read.");
} catch (IllegalArgumentException e) {
throw new AnnotatedException("Date of cert gen extension could not be read.");
}
if (dateOfCertgen != null) {
try {
return dateOfCertgen.getDate();
} catch (ParseException e) {
throw new AnnotatedException(
"Date from date of cert gen extension could not be parsed.", e);
}
}
return ((X509Certificate) certPath.getCertificates().get(index - 1)).getNotBefore();
} else {
return ((X509Certificate) certPath.getCertificates().get(index - 1)).getNotBefore();
}
}
} else {
return getValidDate(paramsPKIX);
}
}
public String toString() {
return "Signature verification ["
+ "\n signName="
+ signName
+ "\n name="
+ name
+ "\n subject="
+ subject
+ "\n date="
+ date.getTime()
+ "\n reason="
+ reason
+ "\n location="
+ location
+ "\n revision="
+ revision
+ "\n wholeDocument="
+ wholeDocument
+ "\n modified="
+ modified
+ "\n certificationLevel="
+ getCertificationLevel().name()
+ "\n signCertTrustedAndValid="
+ signCertTrustedAndValid
+ "\n ocspPresent="
+ ocspPresent
+ "\n ocspValid="
+ ocspValid
+ "\n crlPresent="
+ crlPresent
+ "\n ocspInCertPresent="
+ ocspInCertPresent
+ "\n ocspInCertValid="
+ ocspInCertValid
+ "\n timeStampTokenPresent="
+ tsTokenPresent
+ "\n timeStampTokenValidationFail="
+ (tsTokenValidationResult == null ? "no" : tsTokenValidationResult.getMessage())
+ "\n fails="
+ (fails == null ? "no" : Arrays.asList(fails))
+ "\n certPath="
+ (certPath == null ? "no" : certPath.getCertificates())
+ "\n signingCertificate="
+ (signingCertificate == null ? "no" : signingCertificate.toString())
+ "\n]";
}
/** 读取指定路径下APK文件签名 */
@SuppressWarnings({"unchecked"})
public static String getJarSignature(String filePath) throws Exception {
if (null == filePath) {
return null;
}
String resultSign = "";
String resultKey = "";
List<ZipEntry> names = new ArrayList<ZipEntry>();
ZipFile zf = new ZipFile(filePath);
Enumeration<ZipEntry> zi = (Enumeration<ZipEntry>) zf.entries();
while (zi.hasMoreElements()) {
ZipEntry ze = zi.nextElement();
String name = ze.getName();
if (name.startsWith("META-INF/") && (name.endsWith(".RSA") || name.endsWith(".DSA"))) {
names.add(ze);
}
}
Collections.sort(
names,
new Comparator<ZipEntry>() {
@Override
public int compare(ZipEntry obj1, ZipEntry obj2) {
if (obj1 != null && obj2 != null) {
return obj1.getName().compareToIgnoreCase(obj2.getName());
}
return 0;
}
});
for (ZipEntry ze : names) {
InputStream is = zf.getInputStream(ze);
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
CertPath cp = cf.generateCertPath(is, "PKCS7");
List<?> list = cp.getCertificates();
for (Object obj : list) {
if (!(obj instanceof X509Certificate)) continue;
X509Certificate cert = (X509Certificate) obj;
StringBuilder builder = new StringBuilder();
builder.setLength(0);
byte[] key = getPKBytes(cert.getPublicKey());
for (byte aKey : key) {
builder.append(String.format("%02X", aKey));
}
resultKey += builder.toString();
builder.setLength(0);
byte[] signature = cert.getSignature();
for (byte aSignature : signature) {
builder.append(String.format("%02X", aSignature));
}
resultSign += builder.toString();
}
} catch (CertificateException e) {
Logger.i(e.toString());
}
is.close();
}
if (!TextUtils.isEmpty(resultKey) && !TextUtils.isEmpty(resultSign)) {
return hashCode(resultKey) + "," + hashCode(resultSign);
}
return null;
}
public void performTest() throws Exception {
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509Certificate rootCert =
(X509Certificate) cf.generateCertificate(new ByteArrayInputStream(rootCertBin));
X509Certificate interCert =
(X509Certificate) cf.generateCertificate(new ByteArrayInputStream(interCertBin));
X509Certificate finalCert =
(X509Certificate) cf.generateCertificate(new ByteArrayInputStream(finalCertBin));
// Testing CertPath generation from List
List list = new ArrayList();
list.add(interCert);
CertPath certPath1 = cf.generateCertPath(list);
// Testing CertPath encoding as PkiPath
byte[] encoded = certPath1.getEncoded("PkiPath");
// Testing CertPath generation from InputStream
ByteArrayInputStream inStream = new ByteArrayInputStream(encoded);
CertPath certPath2 = cf.generateCertPath(inStream, "PkiPath");
// Comparing both CertPathes
if (!certPath2.equals(certPath1)) {
fail("CertPath differ after encoding and decoding.");
}
encoded = certPath1.getEncoded("PKCS7");
// Testing CertPath generation from InputStream
inStream = new ByteArrayInputStream(encoded);
certPath2 = cf.generateCertPath(inStream, "PKCS7");
// Comparing both CertPathes
if (!certPath2.equals(certPath1)) {
fail("CertPath differ after encoding and decoding.");
}
encoded = certPath1.getEncoded("PEM");
// Testing CertPath generation from InputStream
inStream = new ByteArrayInputStream(encoded);
certPath2 = cf.generateCertPath(inStream, "PEM");
// Comparing both CertPathes
if (!certPath2.equals(certPath1)) {
fail("CertPath differ after encoding and decoding.");
}
//
// empty list test
//
list = new ArrayList();
CertPath certPath = CertificateFactory.getInstance("X.509", "BC").generateCertPath(list);
if (certPath.getCertificates().size() != 0) {
fail("list wrong size.");
}
//
// exception tests
//
testExceptions();
}
public static X509Certificate[] getX509Certificates(CertPath certPath) {
Preconditions.checkArgument(certPath.getType().equals(CertificateFactories.X_509));
List<X509Certificate> certificates = (List<X509Certificate>) certPath.getCertificates();
return certificates.toArray(new X509Certificate[certificates.size()]);
}
/* */ public CertPathValidatorResult engineValidate(
CertPath paramCertPath, CertPathParameters paramCertPathParameters)
/* */ throws CertPathValidatorException, InvalidAlgorithmParameterException
/* */ {
/* 98 */ if (debug != null) {
/* 99 */ debug.println("PKIXCertPathValidator.engineValidate()...");
/* */ }
/* 101 */ if (!(paramCertPathParameters instanceof PKIXParameters)) {
/* 102 */ throw new InvalidAlgorithmParameterException(
"inappropriate parameters, must be an instance of PKIXParameters");
/* */ }
/* */
/* 106 */ if ((!paramCertPath.getType().equals("X.509"))
&& (!paramCertPath.getType().equals("X509"))) {
/* 107 */ throw new InvalidAlgorithmParameterException(
"inappropriate certification path type specified, must be X.509 or X509");
/* */ }
/* */
/* 111 */ PKIXParameters localPKIXParameters = (PKIXParameters) paramCertPathParameters;
/* */
/* 115 */ Set localSet = localPKIXParameters.getTrustAnchors();
/* 116 */ for (Object localObject1 = localSet.iterator();
((Iterator) localObject1).hasNext(); ) {
localObject2 = (TrustAnchor) ((Iterator) localObject1).next();
/* 117 */ if (((TrustAnchor) localObject2).getNameConstraints() != null) {
/* 118 */ throw new InvalidAlgorithmParameterException(
"name constraints in trust anchor not supported");
/* */ }
/* */
/* */ }
/* */
/* 133 */ localObject1 = new ArrayList(paramCertPath.getCertificates());
/* */
/* 135 */ if (debug != null) {
/* 136 */ if (((ArrayList) localObject1).isEmpty()) {
/* 137 */ debug.println("PKIXCertPathValidator.engineValidate() certList is empty");
/* */ }
/* */
/* 140 */ debug.println("PKIXCertPathValidator.engineValidate() reversing certpath...");
/* */ }
/* */
/* 143 */ Collections.reverse((List) localObject1);
/* */
/* 148 */ populateVariables(localPKIXParameters);
/* */
/* 152 */ Object localObject2 = null;
/* 153 */ if (!((ArrayList) localObject1).isEmpty()) {
/* 154 */ localObject2 = (X509Certificate) ((ArrayList) localObject1).get(0);
/* */ }
/* */
/* 157 */ Object localObject3 = null;
/* */
/* 161 */ for (TrustAnchor localTrustAnchor : localSet) {
/* 162 */ X509Certificate localX509Certificate = localTrustAnchor.getTrustedCert();
/* 163 */ if (localX509Certificate != null) {
/* 164 */ if (debug != null) {
/* 165 */ debug.println(
"PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null");
/* */ }
/* */
/* 171 */ if (isWorthTrying(localX509Certificate, (X509Certificate) localObject2))
/* */ {
/* 175 */ if (debug != null)
/* 176 */ debug.println(
"anchor.getTrustedCert().getSubjectX500Principal() = "
+ localX509Certificate.getSubjectX500Principal());
/* */ }
/* */ }
/* */ else
/* */ {
/* 181 */ if (debug != null) {
/* 182 */ debug.println(
"PKIXCertPathValidator.engineValidate(): anchor.getTrustedCert() == null");
/* */ }
/* */
/* */ try
/* */ {
/* 188 */ PolicyNodeImpl localPolicyNodeImpl =
new PolicyNodeImpl(
null, "2.5.29.32.0", null, false, Collections.singleton("2.5.29.32.0"), false);
/* */
/* 191 */ PolicyNode localPolicyNode =
doValidate(
localTrustAnchor,
paramCertPath,
(ArrayList) localObject1,
localPKIXParameters,
localPolicyNodeImpl);
/* */
/* 194 */ return new PKIXCertPathValidatorResult(
localTrustAnchor, localPolicyNode, this.basicChecker.getPublicKey());
/* */ }
/* */ catch (CertPathValidatorException localCertPathValidatorException)
/* */ {
/* 198 */ localObject3 = localCertPathValidatorException;
/* */ }
/* */ }
/* */
/* */ }
/* */
/* 204 */ if (localObject3 != null) {
/* 205 */ throw localObject3;
/* */ }
/* */
/* 208 */ throw new CertPathValidatorException(
"Path does not chain with any of the trust anchors",
null,
null,
-1,
PKIXReason.NO_TRUST_ANCHOR);
/* */ }