Пример #1
0
 /** update a single byte. */
 public void update(int b, ManifestEntryVerifier mev) throws IOException {
   if (b != -1) {
     if (parsingBlockOrSF) {
       baos.write(b);
     } else {
       mev.update((byte) b);
     }
   } else {
     processEntry(mev);
   }
 }
Пример #2
0
 /** update an array of bytes. */
 public void update(int n, byte[] b, int off, int len, ManifestEntryVerifier mev)
     throws IOException {
   if (n != -1) {
     if (parsingBlockOrSF) {
       baos.write(b, off, n);
     } else {
       mev.update(b, off, n);
     }
   } else {
     processEntry(mev);
   }
 }
Пример #3
0
  /** called when we reach the end of entry in one of the read() methods. */
  private void processEntry(ManifestEntryVerifier mev) throws IOException {
    if (!parsingBlockOrSF) {
      JarEntry je = mev.getEntry();
      if ((je != null) && (je.signers == null)) {
        je.signers = mev.verify(verifiedSigners, sigFileSigners);
        je.certs = mapSignersToCertArray(je.signers);
      }
    } else {

      try {
        parsingBlockOrSF = false;

        if (debug != null) {
          debug.println("processEntry: processing block");
        }

        String uname = mev.getEntry().getName().toUpperCase(Locale.ENGLISH);

        if (uname.endsWith(".SF")) {
          String key = uname.substring(0, uname.length() - 3);
          byte bytes[] = baos.toByteArray();
          // add to sigFileData in case future blocks need it
          sigFileData.put(key, bytes);
          // check pending blocks, we can now process
          // anyone waiting for this .SF file
          Iterator it = pendingBlocks.iterator();
          while (it.hasNext()) {
            SignatureFileVerifier sfv = (SignatureFileVerifier) it.next();
            if (sfv.needSignatureFile(key)) {
              if (debug != null) {
                debug.println("processEntry: processing pending block");
              }

              sfv.setSignatureFile(bytes);
              sfv.process(sigFileSigners, manifestDigests);
            }
          }
          return;
        }

        // now we are parsing a signature block file

        String key = uname.substring(0, uname.lastIndexOf("."));

        if (signerCache == null) signerCache = new ArrayList();

        if (manDig == null) {
          synchronized (manifestRawBytes) {
            if (manDig == null) {
              manDig = new ManifestDigester(manifestRawBytes);
              manifestRawBytes = null;
            }
          }
        }

        SignatureFileVerifier sfv =
            new SignatureFileVerifier(signerCache, manDig, uname, baos.toByteArray());

        if (sfv.needSignatureFileBytes()) {
          // see if we have already parsed an external .SF file
          byte[] bytes = (byte[]) sigFileData.get(key);

          if (bytes == null) {
            // put this block on queue for later processing
            // since we don't have the .SF bytes yet
            // (uname, block);
            if (debug != null) {
              debug.println("adding pending block");
            }
            pendingBlocks.add(sfv);
            return;
          } else {
            sfv.setSignatureFile(bytes);
          }
        }
        sfv.process(sigFileSigners, manifestDigests);

      } catch (IOException ioe) {
        // e.g. sun.security.pkcs.ParsingException
        if (debug != null) debug.println("processEntry caught: " + ioe);
        // ignore and treat as unsigned
      } catch (SignatureException se) {
        if (debug != null) debug.println("processEntry caught: " + se);
        // ignore and treat as unsigned
      } catch (NoSuchAlgorithmException nsae) {
        if (debug != null) debug.println("processEntry caught: " + nsae);
        // ignore and treat as unsigned
      } catch (CertificateException ce) {
        if (debug != null) debug.println("processEntry caught: " + ce);
        // ignore and treat as unsigned
      }
    }
  }
Пример #4
0
  /**
   * This method scans to see which entry we're parsing and keeps various state information
   * depending on what type of file is being parsed.
   */
  public void beginEntry(JarEntry je, ManifestEntryVerifier mev) throws IOException {
    if (je == null) return;

    if (debug != null) {
      debug.println("beginEntry " + je.getName());
    }

    String name = je.getName();

    /*
     * Assumptions:
     * 1. The manifest should be the first entry in the META-INF directory.
     * 2. The .SF/.DSA/.EC files follow the manifest, before any normal entries
     * 3. Any of the following will throw a SecurityException:
     *    a. digest mismatch between a manifest section and
     *       the SF section.
     *    b. digest mismatch between the actual jar entry and the manifest
     */

    if (parsingMeta) {
      String uname = name.toUpperCase(Locale.ENGLISH);
      if ((uname.startsWith("META-INF/") || uname.startsWith("/META-INF/"))) {

        if (je.isDirectory()) {
          mev.setEntry(null, je);
          return;
        }

        if (uname.equals(JarFile.MANIFEST_NAME) || uname.equals(JarIndex.INDEX_NAME)) {
          return;
        }

        if (SignatureFileVerifier.isBlockOrSF(uname)) {
          /* We parse only DSA, RSA or EC PKCS7 blocks. */
          parsingBlockOrSF = true;
          baos.reset();
          mev.setEntry(null, je);
          return;
        }

        // If a META-INF entry is not MF or block or SF, they should
        // be normal entries. According to 2 above, no more block or
        // SF will appear. Let's doneWithMeta.
      }
    }

    if (parsingMeta) {
      doneWithMeta();
    }

    if (je.isDirectory()) {
      mev.setEntry(null, je);
      return;
    }

    // be liberal in what you accept. If the name starts with ./, remove
    // it as we internally canonicalize it with out the ./.
    if (name.startsWith("./")) name = name.substring(2);

    // be liberal in what you accept. If the name starts with /, remove
    // it as we internally canonicalize it with out the /.
    if (name.startsWith("/")) name = name.substring(1);

    // only set the jev object for entries that have a signature
    // (either verified or not)
    if (sigFileSigners.get(name) != null || verifiedSigners.get(name) != null) {
      mev.setEntry(name, je);
      return;
    }

    // don't compute the digest for this entry
    mev.setEntry(null, je);

    return;
  }