1017 lines
44 KiB
Java
1017 lines
44 KiB
Java
|
/*
|
||
|
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||
|
*
|
||
|
* This code is free software; you can redistribute it and/or modify it
|
||
|
* under the terms of the GNU General Public License version 2 only, as
|
||
|
* published by the Free Software Foundation.
|
||
|
*
|
||
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||
|
* version 2 for more details (a copy is included in the LICENSE file that
|
||
|
* accompanied this code).
|
||
|
*
|
||
|
* You should have received a copy of the GNU General Public License version
|
||
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
||
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||
|
*
|
||
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||
|
* or visit www.oracle.com if you need additional information or have any
|
||
|
* questions.
|
||
|
*/
|
||
|
|
||
|
import java.io.ByteArrayOutputStream;
|
||
|
import java.io.File;
|
||
|
import java.io.FilterOutputStream;
|
||
|
import java.io.IOException;
|
||
|
import java.io.InputStream;
|
||
|
import java.io.OutputStream;
|
||
|
import java.io.PrintStream;
|
||
|
import java.nio.file.Files;
|
||
|
import java.nio.file.Path;
|
||
|
import java.util.ArrayList;
|
||
|
import java.util.Arrays;
|
||
|
import java.util.List;
|
||
|
import java.util.Map;
|
||
|
import java.util.Collections;
|
||
|
import java.util.stream.Collectors;
|
||
|
import java.util.function.Function;
|
||
|
import java.util.jar.Attributes;
|
||
|
import java.util.jar.Attributes.Name;
|
||
|
import java.util.jar.Manifest;
|
||
|
import java.util.jar.JarEntry;
|
||
|
import java.util.jar.JarFile;
|
||
|
import java.util.zip.ZipFile;
|
||
|
import java.util.zip.ZipEntry;
|
||
|
import jdk.test.lib.process.OutputAnalyzer;
|
||
|
import jdk.test.lib.Platform;
|
||
|
import jdk.test.lib.SecurityTools;
|
||
|
import jdk.test.lib.util.JarUtils;
|
||
|
import org.testng.annotations.BeforeTest;
|
||
|
import org.testng.annotations.DataProvider;
|
||
|
import org.testng.annotations.Test;
|
||
|
|
||
|
import static java.nio.charset.StandardCharsets.UTF_8;
|
||
|
import static org.testng.Assert.*;
|
||
|
|
||
|
/**
|
||
|
* @test
|
||
|
* @bug 8217375
|
||
|
* @library /test/lib
|
||
|
* @modules jdk.jartool/sun.security.tools.jarsigner
|
||
|
* @run testng/timeout=1200 PreserveRawManifestEntryAndDigest
|
||
|
* @summary Verifies that JarSigner does not change manifest file entries
|
||
|
* in a binary view if its decoded map view does not change so that an
|
||
|
* unchanged (individual section) entry continues to produce the same digest.
|
||
|
* The same manifest (in terms of {@link Manifest#equals}) could be encoded
|
||
|
* with different line breaks ("{@code \r}", "{@code \n}", or "{@code \r\n}")
|
||
|
* or with arbitrary line break positions (as is also the case with the change
|
||
|
* of the default line width in JDK 11, bug 6372077) resulting in a different
|
||
|
* digest for manifest entries with identical values.
|
||
|
*
|
||
|
* <p>See also:<ul>
|
||
|
* <li>{@code oldsig.sh} and {@code diffend.sh} in
|
||
|
* {@code /test/jdk/sun/security/tools/jarsigner/}</li>
|
||
|
* <li>{@code Compatibility.java} in
|
||
|
* {@code /test/jdk/sun/security/tools/jarsigner/compatibility}</li>
|
||
|
* <li>{@link ReproduceRaw} testing relevant
|
||
|
* {@sun.security.util.ManifestDigester} api in much more detail</li>
|
||
|
* </ul>
|
||
|
*/
|
||
|
/*
|
||
|
* debug with "run testng" += "/othervm -Djava.security.debug=jar"
|
||
|
*/
|
||
|
public class PreserveRawManifestEntryAndDigest {
|
||
|
|
||
|
static final String KEYSTORE_FILENAME = "test.jks";
|
||
|
static final String FILENAME_INITIAL_CONTENTS = "initial-contents";
|
||
|
static final String FILENAME_UPDATED_CONTENTS = "updated-contents";
|
||
|
|
||
|
/**
|
||
|
* @see sun.security.tools.jarsigner.Main#run
|
||
|
*/
|
||
|
static final int NOTSIGNEDBYALIASORALIASNOTINSTORE = 32;
|
||
|
|
||
|
@BeforeTest
|
||
|
public void prepareContentFiles() throws IOException {
|
||
|
Files.write(Path.of(FILENAME_INITIAL_CONTENTS),
|
||
|
FILENAME_INITIAL_CONTENTS.getBytes(UTF_8));
|
||
|
Files.write(Path.of(FILENAME_UPDATED_CONTENTS),
|
||
|
FILENAME_UPDATED_CONTENTS.getBytes(UTF_8));
|
||
|
}
|
||
|
|
||
|
@BeforeTest
|
||
|
public void prepareCertificates() throws Exception {
|
||
|
SecurityTools.keytool("-genkeypair -keyalg DSA -keystore "
|
||
|
+ KEYSTORE_FILENAME + " -storepass changeit -keypass changeit"
|
||
|
+ " -alias a -dname CN=A").shouldHaveExitValue(0);
|
||
|
SecurityTools.keytool("-genkeypair -keyalg DSA -keystore "
|
||
|
+ KEYSTORE_FILENAME + " -storepass changeit -keypass changeit"
|
||
|
+ " -alias b -dname CN=B").shouldHaveExitValue(0);
|
||
|
}
|
||
|
|
||
|
static class TeeOutputStream extends FilterOutputStream {
|
||
|
final OutputStream tee; // don't flush or close
|
||
|
|
||
|
public TeeOutputStream(OutputStream out, OutputStream tee) {
|
||
|
super(out);
|
||
|
this.tee = tee;
|
||
|
}
|
||
|
|
||
|
@Override
|
||
|
public void write(int b) throws IOException {
|
||
|
super.write(b);
|
||
|
tee.write(b);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* runs jarsigner in its own child process and captures exit code and the
|
||
|
* output of stdout and stderr, as opposed to {@link #karsignerMain}
|
||
|
*/
|
||
|
OutputAnalyzer jarsignerProc(String args) throws Exception {
|
||
|
long start = System.currentTimeMillis();
|
||
|
try {
|
||
|
return SecurityTools.jarsigner(args);
|
||
|
} finally {
|
||
|
long end = System.currentTimeMillis();
|
||
|
System.out.println("jarsignerProc duration [ms]: " + (end - start));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* assume non-zero exit code would call System.exit but is faster than
|
||
|
* {@link #jarsignerProc}
|
||
|
*/
|
||
|
void jarsignerMain(String args) throws Exception {
|
||
|
long start = System.currentTimeMillis();
|
||
|
try {
|
||
|
new sun.security.tools.jarsigner.Main().run(args.split("\\s+"));
|
||
|
} finally {
|
||
|
long end = System.currentTimeMillis();
|
||
|
System.out.println("jarsignerMain duration [ms]: " + (end - start));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
void createSignedJarA(String jarFilename, Manifest manifest,
|
||
|
String additionalJarsignerOptions, String dummyContentsFilename)
|
||
|
throws Exception {
|
||
|
JarUtils.createJarFile(Path.of(jarFilename), manifest, Path.of("."),
|
||
|
dummyContentsFilename == null ? new Path[]{} :
|
||
|
new Path[] { Path.of(dummyContentsFilename) });
|
||
|
jarsignerMain("-keystore " + KEYSTORE_FILENAME + " -storepass changeit"
|
||
|
+ (additionalJarsignerOptions == null ? "" :
|
||
|
" " + additionalJarsignerOptions) +
|
||
|
" -verbose -debug " + jarFilename + " a");
|
||
|
Utils.echoManifest(Utils.readJarManifestBytes(
|
||
|
jarFilename), "original signed jar by signer a");
|
||
|
// check assumption that jar is valid at this point
|
||
|
jarsignerMain("-verify -keystore " + KEYSTORE_FILENAME +
|
||
|
" -storepass changeit -verbose -debug " + jarFilename + " a");
|
||
|
}
|
||
|
|
||
|
void manipulateManifestSignAgainA(String srcJarFilename, String tmpFilename,
|
||
|
String dstJarFilename, String additionalJarsignerOptions,
|
||
|
Function<Manifest, byte[]> manifestManipulation) throws Exception {
|
||
|
Manifest mf;
|
||
|
try (JarFile jar = new JarFile(srcJarFilename)) {
|
||
|
mf = jar.getManifest();
|
||
|
}
|
||
|
byte[] manipulatedManifest = manifestManipulation.apply(mf);
|
||
|
Utils.echoManifest(manipulatedManifest, "manipulated manifest");
|
||
|
JarUtils.updateJar(srcJarFilename, tmpFilename, Map.of(
|
||
|
JarFile.MANIFEST_NAME, manipulatedManifest,
|
||
|
// add a fake sig-related file to trigger wasSigned in JarSigner
|
||
|
"META-INF/.SF", Name.SIGNATURE_VERSION + ": 1.0\r\n"));
|
||
|
jarsignerMain("-keystore " + KEYSTORE_FILENAME + " -storepass changeit"
|
||
|
+ (additionalJarsignerOptions == null ? "" :
|
||
|
" " + additionalJarsignerOptions) +
|
||
|
" -verbose -debug " + tmpFilename + " a");
|
||
|
// remove META-INF/.SF from signed jar again which would not validate
|
||
|
JarUtils.updateJar(tmpFilename, dstJarFilename,
|
||
|
Map.of("META-INF/.SF", false));
|
||
|
|
||
|
Utils.echoManifest(Utils.readJarManifestBytes(
|
||
|
dstJarFilename), "manipulated jar signed again with a");
|
||
|
// check assumption that jar is valid at this point
|
||
|
jarsignerMain("-verify -keystore " + KEYSTORE_FILENAME + " " +
|
||
|
"-storepass changeit -verbose -debug " + dstJarFilename + " a");
|
||
|
}
|
||
|
|
||
|
OutputAnalyzer signB(String jarFilename, String additionalJarsignerOptions,
|
||
|
int updateExitCodeVerifyA) throws Exception {
|
||
|
jarsignerMain("-keystore " + KEYSTORE_FILENAME + " -storepass changeit"
|
||
|
+ (additionalJarsignerOptions == null ? "" :
|
||
|
" " + additionalJarsignerOptions)
|
||
|
+ " -verbose -debug " + jarFilename + " b");
|
||
|
Utils.echoManifest(Utils.readJarManifestBytes(
|
||
|
jarFilename), "signed again with signer b");
|
||
|
// check assumption that jar is valid at this point with any alias
|
||
|
jarsignerMain("-verify -strict -keystore " + KEYSTORE_FILENAME +
|
||
|
" -storepass changeit -debug -verbose " + jarFilename);
|
||
|
// check assumption that jar is valid at this point with b just signed
|
||
|
jarsignerMain("-verify -strict -keystore " + KEYSTORE_FILENAME +
|
||
|
" -storepass changeit -debug -verbose " + jarFilename + " b");
|
||
|
// return result of verification of signature by a before update
|
||
|
return jarsignerProc("-verify -strict " + "-keystore " +
|
||
|
KEYSTORE_FILENAME + " -storepass changeit " + "-debug " +
|
||
|
"-verbose " + jarFilename + " a")
|
||
|
.shouldHaveExitValue(updateExitCodeVerifyA);
|
||
|
}
|
||
|
|
||
|
String[] fromFirstToSecondEmptyLine(String[] lines) {
|
||
|
int from = 0;
|
||
|
for (int i = 0; i < lines.length; i++) {
|
||
|
if ("".equals(lines[i])) {
|
||
|
from = i + 1;
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
int to = lines.length - 1;
|
||
|
for (int i = from; i < lines.length; i++) {
|
||
|
if ("".equals(lines[i])) {
|
||
|
to = i - 1;
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return Arrays.copyOfRange(lines, from, to + 1);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* @see "concise_jarsigner.sh"
|
||
|
*/
|
||
|
String[] getExpectedJarSignerOutputUpdatedContentNotValidatedBySignerA(
|
||
|
String jarFilename, String digestalg,
|
||
|
String firstAddedFilename, String secondAddedFilename) {
|
||
|
final String TS = ".{28,29}"; // matches a timestamp
|
||
|
List<String> expLines = new ArrayList<>();
|
||
|
expLines.add("s k *\\d+ " + TS + " META-INF/MANIFEST[.]MF");
|
||
|
expLines.add(" *\\d+ " + TS + " META-INF/B[.]SF");
|
||
|
expLines.add(" *\\d+ " + TS + " META-INF/B[.]DSA");
|
||
|
expLines.add(" *\\d+ " + TS + " META-INF/A[.]SF");
|
||
|
expLines.add(" *\\d+ " + TS + " META-INF/A[.]DSA");
|
||
|
if (firstAddedFilename != null) {
|
||
|
expLines.add("smk *\\d+ " + TS + " " + firstAddedFilename);
|
||
|
}
|
||
|
if (secondAddedFilename != null) {
|
||
|
expLines.add("smkX *\\d+ " + TS + " " + secondAddedFilename);
|
||
|
}
|
||
|
return expLines.toArray(new String[expLines.size()]);
|
||
|
}
|
||
|
|
||
|
void assertMatchByLines(String[] actLines, String[] expLines) {
|
||
|
for (int i = 0; i < actLines.length && i < expLines.length; i++) {
|
||
|
String actLine = actLines[i];
|
||
|
String expLine = expLines[i];
|
||
|
assertTrue(actLine.matches("^" + expLine + "$"),
|
||
|
"\"" + actLine + "\" should have matched \"" + expLine + "\"");
|
||
|
}
|
||
|
assertEquals(actLines.length, expLines.length);
|
||
|
}
|
||
|
|
||
|
String test(String name, Function<Manifest, byte[]> mm) throws Exception {
|
||
|
return test(name, FILENAME_INITIAL_CONTENTS, FILENAME_UPDATED_CONTENTS,
|
||
|
mm);
|
||
|
}
|
||
|
|
||
|
String test(String name,
|
||
|
String firstAddedFilename, String secondAddedFilename,
|
||
|
Function<Manifest, byte[]> mm) throws Exception {
|
||
|
return test(name, firstAddedFilename, secondAddedFilename, mm, null,
|
||
|
true, true);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Essentially, creates a first signed JAR file with a single contained
|
||
|
* file or without and a manipulation applied to its manifest signed by
|
||
|
* signer a and then signes it again with a different signer b.
|
||
|
* The jar file is signed twice with signer a in order to make the digests
|
||
|
* available to the manipulation function that might use it.
|
||
|
*
|
||
|
* @param name Prefix for the JAR filenames used throughout the test.
|
||
|
* @param firstAddedFilename Name of a file to add before the first
|
||
|
* signature by signer a or null. The name will also become the contents
|
||
|
* if not null.
|
||
|
* @param secondAddedFilename Name of a file to add after the first
|
||
|
* signature by signer a and before the second signature by signer b or
|
||
|
* null. The name will also become the contents if not null.
|
||
|
* @param manifestManipulation A callback hook to manipulate the manifest
|
||
|
* after the first signature by signer a and before the second signature by
|
||
|
* signer b.
|
||
|
* @param digestalg The digest algorithm name to be used or null for
|
||
|
* default.
|
||
|
* @param assertMainAttrsDigestsUnchanged Assert that the
|
||
|
* manifest main attributes digests have not changed. In any case the test
|
||
|
* also checks that the digests are still valid whether changed or not
|
||
|
* by {@code jarsigner -verify} which might use
|
||
|
* {@link ManifestDigester.Entry#digestWorkaround}
|
||
|
* @param assertFirstAddedFileDigestsUnchanged Assert that the
|
||
|
* digest of the file firstAddedFilename has not changed with the second
|
||
|
* signature. In any case the test checks that the digests are valid whether
|
||
|
* changed or not by {@code jarsigner -verify} which might use
|
||
|
* {@link ManifestDigester.Entry#digestWorkaround}
|
||
|
* @return The name of the resulting JAR file that has passed the common
|
||
|
* assertions ready for further examination
|
||
|
*/
|
||
|
String test(String name,
|
||
|
String firstAddedFilename, String secondAddedFilename,
|
||
|
Function<Manifest, byte[]> manifestManipulation,
|
||
|
String digestalg, boolean assertMainAttrsDigestsUnchanged,
|
||
|
boolean assertFirstAddedFileDigestsUnchanged)
|
||
|
throws Exception {
|
||
|
String digOpts = (digestalg != null ? "-digestalg " + digestalg : "");
|
||
|
String jarFilename1 = "test-" + name + "-step1.jar";
|
||
|
createSignedJarA(jarFilename1,
|
||
|
/* no manifest will let jarsigner create a default one */ null,
|
||
|
digOpts, firstAddedFilename);
|
||
|
|
||
|
// manipulate the manifest, write it back, and sign the jar again with
|
||
|
// the same certificate a as before overwriting the first signature
|
||
|
String jarFilename2 = "test-" + name + "-step2.jar";
|
||
|
String jarFilename3 = "test-" + name + "-step3.jar";
|
||
|
manipulateManifestSignAgainA(jarFilename1, jarFilename2, jarFilename3,
|
||
|
digOpts, manifestManipulation);
|
||
|
|
||
|
// add another file, sign it with the other certificate, and verify it
|
||
|
String jarFilename4 = "test-" + name + "-step4.jar";
|
||
|
JarUtils.updateJar(jarFilename3, jarFilename4,
|
||
|
secondAddedFilename != null ?
|
||
|
Map.of(secondAddedFilename, secondAddedFilename)
|
||
|
: Collections.EMPTY_MAP);
|
||
|
OutputAnalyzer o = signB(jarFilename4, digOpts,
|
||
|
secondAddedFilename != null ? NOTSIGNEDBYALIASORALIASNOTINSTORE : 0);
|
||
|
// check that secondAddedFilename is the only entry which is not signed
|
||
|
// by signer with alias "a" unless secondAddedFilename is null
|
||
|
assertMatchByLines(
|
||
|
fromFirstToSecondEmptyLine(o.getStdout().split("\\R")),
|
||
|
getExpectedJarSignerOutputUpdatedContentNotValidatedBySignerA(
|
||
|
jarFilename4, digestalg,
|
||
|
firstAddedFilename, secondAddedFilename));
|
||
|
|
||
|
// double-check reading the files with a verifying JarFile
|
||
|
try (JarFile jar = new JarFile(jarFilename4, true)) {
|
||
|
if (firstAddedFilename != null) {
|
||
|
JarEntry je1 = jar.getJarEntry(firstAddedFilename);
|
||
|
jar.getInputStream(je1).readAllBytes();
|
||
|
assertTrue(je1.getCodeSigners().length > 0);
|
||
|
}
|
||
|
if (secondAddedFilename != null) {
|
||
|
JarEntry je2 = jar.getJarEntry(secondAddedFilename);
|
||
|
jar.getInputStream(je2).readAllBytes();
|
||
|
assertTrue(je2.getCodeSigners().length > 0);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// assert that the signature of firstAddedFilename signed by signer
|
||
|
// with alias "a" is not lost and its digest remains the same
|
||
|
try (ZipFile zip = new ZipFile(jarFilename4)) {
|
||
|
ZipEntry ea = zip.getEntry("META-INF/A.SF");
|
||
|
Manifest sfa = new Manifest(zip.getInputStream(ea));
|
||
|
ZipEntry eb = zip.getEntry("META-INF/B.SF");
|
||
|
Manifest sfb = new Manifest(zip.getInputStream(eb));
|
||
|
if (assertMainAttrsDigestsUnchanged) {
|
||
|
String mainAttrsDigKey =
|
||
|
(digestalg != null ? digestalg : "SHA-256") +
|
||
|
"-Digest-Manifest-Main-Attributes";
|
||
|
assertEquals(sfa.getMainAttributes().getValue(mainAttrsDigKey),
|
||
|
sfb.getMainAttributes().getValue(mainAttrsDigKey));
|
||
|
}
|
||
|
if (assertFirstAddedFileDigestsUnchanged) {
|
||
|
assertEquals(sfa.getAttributes(firstAddedFilename),
|
||
|
sfb.getAttributes(firstAddedFilename));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return jarFilename4;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Test that signing a jar with manifest entries with arbitrary line break
|
||
|
* positions in individual section headers does not destroy an existing
|
||
|
* signature<ol>
|
||
|
* <li>create two self-signed certificates</li>
|
||
|
* <li>sign a jar with at least one non-META-INF file in it with a JDK
|
||
|
* before 11 or place line breaks not at 72 bytes in an individual section
|
||
|
* header</li>
|
||
|
* <li>add a new file to the jar</li>
|
||
|
* <li>sign the jar with a JDK 11, 12, or 13 with bug 8217375 not yet
|
||
|
* resolved with a different signer</li>
|
||
|
* </ol>→ first signature will not validate anymore even though it
|
||
|
* should.
|
||
|
*/
|
||
|
@Test
|
||
|
public void arbitraryLineBreaksSectionName() throws Exception {
|
||
|
test("arbitraryLineBreaksSectionName", m -> {
|
||
|
return (
|
||
|
Name.MANIFEST_VERSION + ": 1.0\r\n" +
|
||
|
"Created-By: " +
|
||
|
m.getMainAttributes().getValue("Created-By") + "\r\n" +
|
||
|
"\r\n" +
|
||
|
"Name: Test\r\n" +
|
||
|
" -\r\n" +
|
||
|
" Section\r\n" +
|
||
|
"Key: Value \r\n" +
|
||
|
"\r\n" +
|
||
|
"Name: " + FILENAME_INITIAL_CONTENTS.substring(0, 1) + "\r\n" +
|
||
|
" " + FILENAME_INITIAL_CONTENTS.substring(1, 8) + "\r\n" +
|
||
|
" " + FILENAME_INITIAL_CONTENTS.substring(8) + "\r\n" +
|
||
|
"SHA-256-Digest: " + m.getAttributes(FILENAME_INITIAL_CONTENTS)
|
||
|
.getValue("SHA-256-Digest") + "\r\n" +
|
||
|
"\r\n"
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Test that signing a jar with manifest entries with arbitrary line break
|
||
|
* positions in individual section headers does not destroy an existing
|
||
|
* signature<ol>
|
||
|
* <li>create two self-signed certificates</li>
|
||
|
* <li>sign a jar with at least one non-META-INF file in it with a JDK
|
||
|
* before 11 or place line breaks not at 72 bytes in an individual section
|
||
|
* header</li>
|
||
|
* <li>add a new file to the jar</li>
|
||
|
* <li>sign the jar with a JDK 11 or 12 with a different signer</li>
|
||
|
* </ol>→ first signature will not validate anymore even though it
|
||
|
* should.
|
||
|
*/
|
||
|
@Test
|
||
|
public void arbitraryLineBreaksHeader() throws Exception {
|
||
|
test("arbitraryLineBreaksHeader", m -> {
|
||
|
String digest = m.getAttributes(FILENAME_INITIAL_CONTENTS)
|
||
|
.getValue("SHA-256-Digest");
|
||
|
return (
|
||
|
Name.MANIFEST_VERSION + ": 1.0\r\n" +
|
||
|
"Created-By: " +
|
||
|
m.getMainAttributes().getValue("Created-By") + "\r\n" +
|
||
|
"\r\n" +
|
||
|
"Name: Test-Section\r\n" +
|
||
|
"Key: Value \r\n" +
|
||
|
" with\r\n" +
|
||
|
" strange \r\n" +
|
||
|
" line breaks.\r\n" +
|
||
|
"\r\n" +
|
||
|
"Name: " + FILENAME_INITIAL_CONTENTS + "\r\n" +
|
||
|
"SHA-256-Digest: " + digest.substring(0, 11) + "\r\n" +
|
||
|
" " + digest.substring(11) + "\r\n" +
|
||
|
"\r\n"
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Breaks {@code line} at 70 bytes even though the name says 72 but when
|
||
|
* also counting the line delimiter ("{@code \r\n}") the line totals to 72
|
||
|
* bytes.
|
||
|
* Borrowed from {@link Manifest#make72Safe} before JDK 11
|
||
|
*
|
||
|
* @see Manifest#make72Safe
|
||
|
*/
|
||
|
static void make72Safe(StringBuffer line) {
|
||
|
int length = line.length();
|
||
|
if (length > 72) {
|
||
|
int index = 70;
|
||
|
while (index < length - 2) {
|
||
|
line.insert(index, "\r\n ");
|
||
|
index += 72;
|
||
|
length += 3;
|
||
|
}
|
||
|
}
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Test that signing a jar with manifest entries with line breaks at
|
||
|
* position where Manifest would not place them now anymore (72 instead of
|
||
|
* 70 bytes after line starts) does not destroy an existing signature<ol>
|
||
|
* <li>create two self-signed certificates</li>
|
||
|
* <li>simulate a manifest as it would have been written by a JDK before 11
|
||
|
* by re-positioning line breaks at 70 bytes (which makes a difference by
|
||
|
* digests that grow headers longer than 70 characters such as SHA-512 as
|
||
|
* opposed to default SHA-256, long file names, or manual editing)</li>
|
||
|
* <li>add a new file to the jar</li>
|
||
|
* <li>sign the jar with a JDK 11 or 12 with a different signer</li>
|
||
|
* </ol><p>→
|
||
|
* The first signature will not validate anymore even though it should.
|
||
|
*/
|
||
|
public void lineWidth70(String name, String digestalg) throws Exception {
|
||
|
Files.write(Path.of(name), name.getBytes(UTF_8));
|
||
|
test(name, name, FILENAME_UPDATED_CONTENTS, m -> {
|
||
|
// force a line break with a header exceeding line width limit
|
||
|
m.getEntries().put("Test-Section", new Attributes());
|
||
|
m.getAttributes("Test-Section").put(
|
||
|
Name.IMPLEMENTATION_VERSION, "1" + "0".repeat(100));
|
||
|
|
||
|
StringBuilder sb = new StringBuilder();
|
||
|
StringBuffer[] buf = new StringBuffer[] { null };
|
||
|
manifestToString(m).lines().forEach(line -> {
|
||
|
if (line.startsWith(" ")) {
|
||
|
buf[0].append(line.substring(1));
|
||
|
} else {
|
||
|
if (buf[0] != null) {
|
||
|
make72Safe(buf[0]);
|
||
|
sb.append(buf[0].toString());
|
||
|
sb.append("\r\n");
|
||
|
}
|
||
|
buf[0] = new StringBuffer();
|
||
|
buf[0].append(line);
|
||
|
}
|
||
|
});
|
||
|
make72Safe(buf[0]);
|
||
|
sb.append(buf[0].toString());
|
||
|
sb.append("\r\n");
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
}, digestalg, false, false);
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void lineWidth70Filename() throws Exception {
|
||
|
lineWidth70(
|
||
|
"lineWidth70".repeat(6) /* 73 chars total with "Name: " */, null);
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void lineWidth70Digest() throws Exception {
|
||
|
lineWidth70("lineWidth70digest", "SHA-512");
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Test that signing a jar with a manifest with line delimiter other than
|
||
|
* "{@code \r\n}" does not destroy an existing signature<ol>
|
||
|
* <li>create two self-signed certificates</li>
|
||
|
* <li>sign a jar with at least one non-META-INF file in it</li>
|
||
|
* <li>extract the manifest, and change its line delimiters
|
||
|
* (for example dos2unix)</li>
|
||
|
* <li>update the jar with the updated manifest</li>
|
||
|
* <li>sign it again with the same signer as before</li>
|
||
|
* <li>add a new file to the jar</li>
|
||
|
* <li>sign the jar with a JDK before 13 with a different signer<li>
|
||
|
* </ol><p>→
|
||
|
* The first signature will not validate anymore even though it should.
|
||
|
*/
|
||
|
public void lineBreak(String lineBreak) throws Exception {
|
||
|
test("lineBreak" + byteArrayToIntList(lineBreak.getBytes(UTF_8)).stream
|
||
|
().map(i -> "" + i).collect(Collectors.joining("")), m -> {
|
||
|
StringBuilder sb = new StringBuilder();
|
||
|
manifestToString(m).lines().forEach(l -> {
|
||
|
sb.append(l);
|
||
|
sb.append(lineBreak);
|
||
|
});
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void lineBreakCr() throws Exception {
|
||
|
lineBreak("\r");
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void lineBreakLf() throws Exception {
|
||
|
lineBreak("\n");
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void lineBreakCrLf() throws Exception {
|
||
|
lineBreak("\r\n");
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void testAdjacentRepeatedSection() throws Exception {
|
||
|
test("adjacent", m -> {
|
||
|
return (manifestToString(m) +
|
||
|
"Name: " + FILENAME_INITIAL_CONTENTS + "\r\n" +
|
||
|
"Foo: Bar\r\n" +
|
||
|
"\r\n"
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void testIntermittentRepeatedSection() throws Exception {
|
||
|
test("intermittent", m -> {
|
||
|
return (manifestToString(m) +
|
||
|
"Name: don't know\r\n" +
|
||
|
"Foo: Bar\r\n" +
|
||
|
"\r\n" +
|
||
|
"Name: " + FILENAME_INITIAL_CONTENTS + "\r\n" +
|
||
|
"Foo: Bar\r\n" +
|
||
|
"\r\n"
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
@Test
|
||
|
public void testNameImmediatelyContinued() throws Exception {
|
||
|
test("testNameImmediatelyContinued", m -> {
|
||
|
// places a continuation line break and space at the first allowed
|
||
|
// position after ": " and before the first character of the value
|
||
|
return (manifestToString(m).replaceAll(FILENAME_INITIAL_CONTENTS,
|
||
|
"\r\n " + FILENAME_INITIAL_CONTENTS + "\r\nFoo: Bar")
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* "malicious" '\r' after continuation line continued
|
||
|
*/
|
||
|
@Test
|
||
|
public void testNameContinuedContinuedWithCr() throws Exception {
|
||
|
test("testNameContinuedContinuedWithCr", m -> {
|
||
|
return (manifestToString(m).replaceAll(FILENAME_INITIAL_CONTENTS,
|
||
|
FILENAME_INITIAL_CONTENTS.substring(0, 1) + "\r\n " +
|
||
|
FILENAME_INITIAL_CONTENTS.substring(1, 4) + "\r " +
|
||
|
FILENAME_INITIAL_CONTENTS.substring(4) + "\r\n" +
|
||
|
"Foo: Bar")
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* "malicious" '\r' after continued continuation line
|
||
|
*/
|
||
|
@Test
|
||
|
public void testNameContinuedContinuedEndingWithCr() throws Exception {
|
||
|
test("testNameContinuedContinuedEndingWithCr", m -> {
|
||
|
return (manifestToString(m).replaceAll(FILENAME_INITIAL_CONTENTS,
|
||
|
FILENAME_INITIAL_CONTENTS.substring(0, 1) + "\r\n " +
|
||
|
FILENAME_INITIAL_CONTENTS.substring(1, 4) + "\r\n " +
|
||
|
FILENAME_INITIAL_CONTENTS.substring(4) + "\r" + // no '\n'
|
||
|
"Foo: Bar")
|
||
|
).getBytes(UTF_8);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
@DataProvider(name = "trailingSeqParams", parallel = true)
|
||
|
public static Object[][] trailingSeqParams() {
|
||
|
return new Object[][] {
|
||
|
{""},
|
||
|
{"\r"},
|
||
|
{"\n"},
|
||
|
{"\r\n"},
|
||
|
{"\r\r"},
|
||
|
{"\n\n"},
|
||
|
{"\n\r"},
|
||
|
{"\r\r\r"},
|
||
|
{"\r\r\n"},
|
||
|
{"\r\n\r"},
|
||
|
{"\r\n\n"},
|
||
|
{"\n\r\r"},
|
||
|
{"\n\r\n"},
|
||
|
{"\n\n\r"},
|
||
|
{"\n\n\n"},
|
||
|
{"\r\r\r\n"},
|
||
|
{"\r\r\n\r"},
|
||
|
{"\r\r\n\n"},
|
||
|
{"\r\n\r\r"},
|
||
|
{"\r\n\r\n"},
|
||
|
{"\r\n\n\r"},
|
||
|
{"\r\n\n\n"},
|
||
|
{"\n\r\r\n"},
|
||
|
{"\n\r\n\r"},
|
||
|
{"\n\r\n\n"},
|
||
|
{"\n\n\r\n"},
|
||
|
{"\r\r\n\r\n"},
|
||
|
{"\r\n\r\r\n"},
|
||
|
{"\r\n\r\n\r"},
|
||
|
{"\r\n\r\n\n"},
|
||
|
{"\r\n\n\r\n"},
|
||
|
{"\n\r\n\r\n"},
|
||
|
{"\r\n\r\n\r\n"},
|
||
|
{"\r\n\r\n\r\n\r\n"}
|
||
|
};
|
||
|
}
|
||
|
|
||
|
boolean isSufficientSectionDelimiter(String trailingSeq) {
|
||
|
if (trailingSeq.length() < 2) return false;
|
||
|
if (trailingSeq.startsWith("\r\n")) {
|
||
|
trailingSeq = trailingSeq.substring(2);
|
||
|
} else if (trailingSeq.startsWith("\r") ||
|
||
|
trailingSeq.startsWith("\n")) {
|
||
|
trailingSeq = trailingSeq.substring(1);
|
||
|
} else {
|
||
|
return false;
|
||
|
}
|
||
|
if (trailingSeq.startsWith("\r\n")) {
|
||
|
return true;
|
||
|
} else if (trailingSeq.startsWith("\r") ||
|
||
|
trailingSeq.startsWith("\n")) {
|
||
|
return true;
|
||
|
}
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
Function<Manifest, byte[]> replaceTrailingLineBreaksManipulation(
|
||
|
String trailingSeq) {
|
||
|
return m -> {
|
||
|
StringBuilder sb = new StringBuilder(manifestToString(m));
|
||
|
// cut off default trailing line break characters
|
||
|
while ("\r\n".contains(sb.substring(sb.length() - 1))) {
|
||
|
sb.deleteCharAt(sb.length() - 1);
|
||
|
}
|
||
|
// and instead add another trailing sequence
|
||
|
sb.append(trailingSeq);
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
};
|
||
|
}
|
||
|
|
||
|
boolean abSigFilesEqual(String jarFilename,
|
||
|
Function<Manifest,Object> getter) throws IOException {
|
||
|
try (ZipFile zip = new ZipFile(jarFilename)) {
|
||
|
ZipEntry ea = zip.getEntry("META-INF/A.SF");
|
||
|
Manifest sfa = new Manifest(zip.getInputStream(ea));
|
||
|
ZipEntry eb = zip.getEntry("META-INF/B.SF");
|
||
|
Manifest sfb = new Manifest(zip.getInputStream(eb));
|
||
|
return getter.apply(sfa).equals(getter.apply(sfb));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with a strange sequence of line breaks after
|
||
|
* the main attributes and no individual section and hence no file contained
|
||
|
* within the JAR file in order not to produce an individual section,
|
||
|
* then add no other file and sign it with a different signer.
|
||
|
* The manifest is not expected to be changed during the second signature.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void emptyJarTrailingSeq(String trailingSeq) throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
if (trailingSeq.isEmpty()) {
|
||
|
return; // invalid manifest without trailing line break
|
||
|
}
|
||
|
|
||
|
test("emptyJarTrailingSeq" + trailingSeqEscaped, null, null,
|
||
|
replaceTrailingLineBreaksManipulation(trailingSeq));
|
||
|
|
||
|
// test called above already asserts by default that the main attributes
|
||
|
// digests have not changed.
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with a strange sequence of line breaks after
|
||
|
* the main attributes and no individual section and hence no file contained
|
||
|
* within the JAR file in order not to produce an individual section,
|
||
|
* then add another file and sign it with a different signer so that the
|
||
|
* originally trailing sequence after the main attributes might have to be
|
||
|
* completed to a full section delimiter or reproduced only partially
|
||
|
* before the new individual section with the added file digest can be
|
||
|
* appended. The main attributes digests are expected to change if the
|
||
|
* first signed trailing sequence did not contain a blank line and are not
|
||
|
* expected to change if superfluous parts of the trailing sequence were
|
||
|
* not reproduced. All digests are expected to validate either with digest
|
||
|
* or with digestWorkaround.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void emptyJarTrailingSeqAddFile(String trailingSeq) throws Exception{
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
if (!isSufficientSectionDelimiter(trailingSeq)) {
|
||
|
return; // invalid manifest without trailing blank line
|
||
|
}
|
||
|
boolean expectUnchangedDigests =
|
||
|
isSufficientSectionDelimiter(trailingSeq);
|
||
|
System.out.println("expectUnchangedDigests = " + expectUnchangedDigests);
|
||
|
String jarFilename = test("emptyJarTrailingSeqAddFile" +
|
||
|
trailingSeqEscaped, null, FILENAME_UPDATED_CONTENTS,
|
||
|
replaceTrailingLineBreaksManipulation(trailingSeq),
|
||
|
null, expectUnchangedDigests, false);
|
||
|
|
||
|
// Check that the digests have changed only if another line break had
|
||
|
// to be added before a new individual section. That both also are valid
|
||
|
// with either digest or digestWorkaround has been checked by test
|
||
|
// before.
|
||
|
assertEquals(abSigFilesEqual(jarFilename, sf -> sf.getMainAttributes()
|
||
|
.getValue("SHA-256-Digest-Manifest-Main-Attributes")),
|
||
|
expectUnchangedDigests);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with a strange sequence of line breaks after
|
||
|
* the only individual section holding the digest of the only file contained
|
||
|
* within the JAR file,
|
||
|
* then add no other file and sign it with a different signer.
|
||
|
* The manifest is expected to be changed during the second signature only
|
||
|
* by removing superfluous line break characters which are not digested
|
||
|
* and the manifest entry digest is expected not to change.
|
||
|
* The individual section is expected to be reproduced without additional
|
||
|
* line breaks even if the trailing sequence does not properly delimit
|
||
|
* another section.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void singleIndividualSectionTrailingSeq(String trailingSeq)
|
||
|
throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
if (trailingSeq.isEmpty()) {
|
||
|
return; // invalid manifest without trailing line break
|
||
|
}
|
||
|
String jarFilename = test("singleIndividualSectionTrailingSeq"
|
||
|
+ trailingSeqEscaped, FILENAME_INITIAL_CONTENTS, null,
|
||
|
replaceTrailingLineBreaksManipulation(trailingSeq));
|
||
|
|
||
|
assertTrue(abSigFilesEqual(jarFilename, sf -> sf.getAttributes(
|
||
|
FILENAME_INITIAL_CONTENTS).getValue("SHA-256-Digest")));
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with a strange sequence of line breaks after
|
||
|
* the first individual section holding the digest of the only file
|
||
|
* contained within the JAR file and a second individual section with the
|
||
|
* same name to be both digested into the same entry digest,
|
||
|
* then add no other file and sign it with a different signer.
|
||
|
* The manifest is expected to be changed during the second signature
|
||
|
* by removing superfluous line break characters which are not digested
|
||
|
* anyway or if the trailingSeq is not a sufficient delimiter that both
|
||
|
* intially provided sections are treated as only one which is maybe not
|
||
|
* perfect but does at least not result in an invalid signed jar file.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void firstIndividualSectionTrailingSeq(String trailingSeq)
|
||
|
throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
String jarFilename;
|
||
|
jarFilename = test("firstIndividualSectionTrailingSeq"
|
||
|
+ trailingSeqEscaped, FILENAME_INITIAL_CONTENTS, null, m -> {
|
||
|
StringBuilder sb = new StringBuilder(manifestToString(m));
|
||
|
// cut off default trailing line break characters
|
||
|
while ("\r\n".contains(sb.substring(sb.length() - 1))) {
|
||
|
sb.deleteCharAt(sb.length() - 1);
|
||
|
}
|
||
|
// and instead add another trailing sequence
|
||
|
sb.append(trailingSeq);
|
||
|
// now add another section with the same name assuming sb
|
||
|
// already contains one entry for FILENAME_INITIAL_CONTENTS
|
||
|
sb.append("Name: " + FILENAME_INITIAL_CONTENTS + "\r\n");
|
||
|
sb.append("Foo: Bar\r\n");
|
||
|
sb.append("\r\n");
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
});
|
||
|
|
||
|
assertTrue(abSigFilesEqual(jarFilename, sf -> sf.getAttributes(
|
||
|
FILENAME_INITIAL_CONTENTS).getValue("SHA-256-Digest")));
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with two individual sections for the same
|
||
|
* contained file (corresponding by name) the first of which properly
|
||
|
* delimited and the second of which followed by a strange sequence of
|
||
|
* line breaks both digested into the same entry digest,
|
||
|
* then add no other file and sign it with a different signer.
|
||
|
* The manifest is expected to be changed during the second signature
|
||
|
* by removing superfluous line break characters which are not digested
|
||
|
* anyway.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void secondIndividualSectionTrailingSeq(String trailingSeq)
|
||
|
throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
String jarFilename = test("secondIndividualSectionTrailingSeq" +
|
||
|
trailingSeqEscaped, FILENAME_INITIAL_CONTENTS, null, m -> {
|
||
|
StringBuilder sb = new StringBuilder(manifestToString(m));
|
||
|
sb.append("Name: " + FILENAME_INITIAL_CONTENTS + "\r\n");
|
||
|
sb.append("Foo: Bar");
|
||
|
sb.append(trailingSeq);
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
});
|
||
|
|
||
|
assertTrue(abSigFilesEqual(jarFilename, sf -> sf.getAttributes(
|
||
|
FILENAME_INITIAL_CONTENTS).getValue("SHA-256-Digest")));
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with a strange sequence of line breaks after
|
||
|
* the only individual section holding the digest of the only file contained
|
||
|
* within the JAR file,
|
||
|
* then add another file and sign it with a different signer.
|
||
|
* The manifest is expected to be changed during the second signature by
|
||
|
* removing superfluous line break characters which are not digested
|
||
|
* anyway or adding another line break to complete to a proper section
|
||
|
* delimiter blank line.
|
||
|
* The first file entry digest is expected to change only if another
|
||
|
* line break has been added.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void singleIndividualSectionTrailingSeqAddFile(String trailingSeq)
|
||
|
throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
if (!isSufficientSectionDelimiter(trailingSeq)) {
|
||
|
return; // invalid manifest without trailing blank line
|
||
|
}
|
||
|
String jarFilename = test("singleIndividualSectionTrailingSeqAddFile"
|
||
|
+ trailingSeqEscaped,
|
||
|
FILENAME_INITIAL_CONTENTS, FILENAME_UPDATED_CONTENTS,
|
||
|
replaceTrailingLineBreaksManipulation(trailingSeq),
|
||
|
null, true, true);
|
||
|
|
||
|
assertTrue(abSigFilesEqual(jarFilename, sf -> sf.getAttributes(
|
||
|
FILENAME_INITIAL_CONTENTS).getValue("SHA-256-Digest")));
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with a strange sequence of line breaks after
|
||
|
* the first individual section holding the digest of the only file
|
||
|
* contained within the JAR file and a second individual section with the
|
||
|
* same name to be both digested into the same entry digest,
|
||
|
* then add another file and sign it with a different signer.
|
||
|
* The manifest is expected to be changed during the second signature
|
||
|
* by removing superfluous line break characters which are not digested
|
||
|
* anyway or if the trailingSeq is not a sufficient delimiter that both
|
||
|
* intially provided sections are treated as only one which is maybe not
|
||
|
* perfect but does at least not result in an invalid signed jar file.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void firstIndividualSectionTrailingSeqAddFile(String trailingSeq)
|
||
|
throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
String jarFilename = test("firstIndividualSectionTrailingSeqAddFile"
|
||
|
+ trailingSeqEscaped,
|
||
|
FILENAME_INITIAL_CONTENTS, FILENAME_UPDATED_CONTENTS, m -> {
|
||
|
StringBuilder sb = new StringBuilder(manifestToString(m));
|
||
|
// cut off default trailing line break characters
|
||
|
while ("\r\n".contains(sb.substring(sb.length() - 1))) {
|
||
|
sb.deleteCharAt(sb.length() - 1);
|
||
|
}
|
||
|
// and instead add another trailing sequence
|
||
|
sb.append(trailingSeq);
|
||
|
// now add another section with the same name assuming sb
|
||
|
// already contains one entry for FILENAME_INITIAL_CONTENTS
|
||
|
sb.append("Name: " + FILENAME_INITIAL_CONTENTS + "\r\n");
|
||
|
sb.append("Foo: Bar\r\n");
|
||
|
sb.append("\r\n");
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
});
|
||
|
|
||
|
assertTrue(abSigFilesEqual(jarFilename, sf -> sf.getAttributes(
|
||
|
FILENAME_INITIAL_CONTENTS).getValue("SHA-256-Digest")));
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Create a signed JAR file with two individual sections for the same
|
||
|
* contained file (corresponding by name) the first of which properly
|
||
|
* delimited and the second of which followed by a strange sequence of
|
||
|
* line breaks both digested into the same entry digest,
|
||
|
* then add another file and sign it with a different signer.
|
||
|
* The manifest is expected to be changed during the second signature
|
||
|
* by removing superfluous line break characters which are not digested
|
||
|
* anyway or by adding a proper section delimiter.
|
||
|
* The digests are expected to be changed only if another line break is
|
||
|
* added to properly delimit the next section both digests of which are
|
||
|
* expected to validate with either digest or digestWorkaround.
|
||
|
*/
|
||
|
@Test(dataProvider = "trailingSeqParams")
|
||
|
public void secondIndividualSectionTrailingSeqAddFile(String trailingSeq)
|
||
|
throws Exception {
|
||
|
String trailingSeqEscaped = byteArrayToIntList(trailingSeq.getBytes(
|
||
|
UTF_8)).stream().map(i -> "" + i).collect(Collectors.joining(""));
|
||
|
System.out.println("trailingSeq = " + trailingSeqEscaped);
|
||
|
if (!isSufficientSectionDelimiter(trailingSeq)) {
|
||
|
return; // invalid manifest without trailing blank line
|
||
|
}
|
||
|
String jarFilename = test("secondIndividualSectionTrailingSeqAddFile" +
|
||
|
trailingSeqEscaped,
|
||
|
FILENAME_INITIAL_CONTENTS, FILENAME_UPDATED_CONTENTS, m -> {
|
||
|
StringBuilder sb = new StringBuilder(manifestToString(m));
|
||
|
sb.append("Name: " + FILENAME_INITIAL_CONTENTS + "\r\n");
|
||
|
sb.append("Foo: Bar");
|
||
|
sb.append(trailingSeq);
|
||
|
return sb.toString().getBytes(UTF_8);
|
||
|
}, null, true, true);
|
||
|
|
||
|
assertTrue(abSigFilesEqual(jarFilename, sf -> sf.getAttributes(
|
||
|
FILENAME_INITIAL_CONTENTS).getValue("SHA-256-Digest")));
|
||
|
}
|
||
|
|
||
|
String manifestToString(Manifest mf) {
|
||
|
try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
|
||
|
mf.write(out);
|
||
|
return new String(out.toByteArray(), UTF_8);
|
||
|
} catch (IOException e) {
|
||
|
throw new RuntimeException(e);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static List<Integer> byteArrayToIntList(byte[] bytes) {
|
||
|
List<Integer> list = new ArrayList<>();
|
||
|
for (int i = 0; i < bytes.length; i++) {
|
||
|
list.add((int) bytes[i]);
|
||
|
}
|
||
|
return list;
|
||
|
}
|
||
|
|
||
|
}
|