java.security.CodeSigner Java Examples
The following examples show how to use
java.security.CodeSigner.
Example #1
Source File: XJarClassLoader.java From xjar with Apache License 2.0 | 6 votes |
/**
 * Loads {@code name} through the parent implementation first. If that
 * attempt ends in a {@link ClassFormatError}, the class bytes are re-read
 * from the resource URL and the class is defined from those bytes.
 *
 * <p>The {@link CodeSource} of the fallback class is built from the URL and
 * the {@link CodeSigner} array that the reflectively obtained class-path
 * resource reports.
 *
 * <p>NOTE(review): the signers are taken from the class-path resource while
 * the bytes handed to {@code defineClass} come from a separate read of the
 * URL. Nothing in this method checks that the signers cover the bytes that
 * are actually defined; confirm this before relying on signer-based policy.
 *
 * @param name binary name of the class
 * @return the defined class
 * @throws ClassNotFoundException if the resource is missing, or if reading,
 *         reflection or class definition fails (the cause is attached)
 */
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
    try {
        return super.findClass(name);
    } catch (ClassFormatError formatError) {
        final String resourcePath = name.replace('.', '/').concat(".class");
        final URL location = findResource(resourcePath);
        if (location == null) {
            throw new ClassNotFoundException(name, formatError);
        }
        try (InputStream source = location.openStream()) {
            // Buffer the whole class file before defining it.
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            XKit.transfer(source, buffer);
            final byte[] classBytes = buffer.toByteArray();

            // Ask the class path (via reflection) for the matching resource
            // so its code-source URL and signers can be reused.
            final Object classPathResource = getResource.invoke(urlClassPath, resourcePath);
            final URL origin = (URL) getCodeSourceURL.invoke(classPathResource);
            final CodeSigner[] signedBy = (CodeSigner[]) getCodeSigners.invoke(classPathResource);

            return defineClass(name, classBytes, 0, classBytes.length,
                    new CodeSource(origin, signedBy));
        } catch (Throwable failure) {
            // Every failure on the fallback path is reported as "class not found".
            throw new ClassNotFoundException(name, failure);
        }
    }
}
Example #2
Source File: GridUriDeploymentJarVerifier.java From ignite with Apache License 2.0 | 6 votes |
/**
 * Collects the certificates of every code signer attached to a JAR entry.
 *
 * <p>{@link JarEntry#getCodeSigners()} is documented to return {@code null}
 * until the entry's stream has been read to the end. A {@code null} result
 * here therefore only indicates an unsigned entry if the caller has already
 * consumed the entry.
 *
 * @param entry JAR file entry.
 * @return the certificates from all signer certificate paths, concatenated
 *         in signer order, or {@code null} when the entry reports no code
 *         signers.
 */
private static Certificate[] getCertificates(JarEntry entry) {
    CodeSigner[] entrySigners = entry.getCodeSigners();

    // No signers reported: callers receive null, not an empty array.
    if (entrySigners == null)
        return null;

    // Flatten each signer's certificate chain into one list.
    List<Certificate> collected = new ArrayList<>();
    for (CodeSigner entrySigner : entrySigners)
        collected.addAll(entrySigner.getSignerCertPath().getCertificates());

    return collected.toArray(new Certificate[collected.size()]);
}
Example #3
Source File: SignatureFileVerifier.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
/**
 * Processes the signature block file: walks the .SF file and records code
 * signers for each section whose .SF section hash was verified against the
 * Manifest section.
 *
 * <p>The work itself is done by {@code processImpl}; this method only
 * brackets it with {@code Providers.startJarVerification()} and
 * {@code Providers.stopJarVerification()}.
 *
 * @param signers         per-name signer table passed through to {@code processImpl}
 * @param manifestDigests passed through to {@code processImpl}
 */
public void process(Hashtable<String, CodeSigner[]> signers,
        List<Object> manifestDigests)
    throws IOException, SignatureException, NoSuchAlgorithmException,
        JarException, CertificateException
{
    // Signature.getInstance() and MessageDigest.getInstance() are called
    // underneath and need the local providers here, see Providers class.
    Object verificationToken = null;
    try {
        verificationToken = Providers.startJarVerification();
        processImpl(signers, manifestDigests);
    } finally {
        // Also runs when startJarVerification() itself threw; the token is
        // still null in that case.
        Providers.stopJarVerification(verificationToken);
    }
}
Example #4
Source File: SignatureFileVerifier.java From Bytecoder with Apache License 2.0 | 6 votes |
/**
 * Processes the signature block file. Goes through the .SF file and adds
 * code signers for each section where the .SF section hash was verified
 * against the Manifest section.
 *
 * <p>Delegates to {@code processImpl} between a
 * {@code Providers.startJarVerification()} call and the matching
 * {@code Providers.stopJarVerification()} call.
 *
 * @param signers         per-name signer table handed to {@code processImpl}
 * @param manifestDigests handed to {@code processImpl}
 */
public void process(Hashtable<String, CodeSigner[]> signers,
        List<Object> manifestDigests)
    throws IOException, SignatureException, NoSuchAlgorithmException,
        JarException, CertificateException
{
    // The implementation calls Signature.getInstance() and
    // MessageDigest.getInstance(); those need the local providers,
    // see Providers class.
    Object providerState = null;
    try {
        providerState = Providers.startJarVerification();
        processImpl(signers, manifestDigests);
    } finally {
        // Always paired with the start call above, including on exceptions.
        Providers.stopJarVerification(providerState);
    }
}
Example #5
Source File: SignatureFileVerifier.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
/**
 * Processes the signature block file: each .SF section whose hash was
 * verified against the corresponding Manifest section gets its code signers
 * added.
 *
 * <p>This is a thin wrapper that runs {@code processImpl} inside a
 * {@code Providers.startJarVerification()} /
 * {@code Providers.stopJarVerification()} pair.
 *
 * @param signers         per-name signer table forwarded to {@code processImpl}
 * @param manifestDigests forwarded to {@code processImpl}
 */
public void process(Hashtable<String, CodeSigner[]> signers,
        List<Object> manifestDigests)
    throws IOException, SignatureException, NoSuchAlgorithmException,
        JarException, CertificateException
{
    // Signature.getInstance() / MessageDigest.getInstance() are reached from
    // processImpl and need to use the local providers, see Providers class.
    Object jarVerificationHandle = null;
    try {
        jarVerificationHandle = Providers.startJarVerification();
        processImpl(signers, manifestDigests);
    } finally {
        // The handle is null here if the start call failed.
        Providers.stopJarVerification(jarVerificationHandle);
    }
}
Example #6
Source File: SignatureFileVerifier.java From Bytecoder with Apache License 2.0 | 6 votes |
/**
 * Create the named SignatureFileVerifier.
 *
 * <p>The raw bytes are parsed as a PKCS7 block and the block's content data
 * is kept as the .SF bytes. The stored name is {@code name} with everything
 * from the last '.' removed, upper-cased with {@link Locale#ENGLISH}.
 * A {@code name} without a '.' makes {@code substring(0, -1)} throw
 * {@link StringIndexOutOfBoundsException}.
 *
 * @param signerCache cache of signer arrays, stored as given
 * @param md          manifest digester, stored as given
 * @param name        the name of the signature block file (.DSA/.RSA/.EC)
 * @param rawBytes    the raw bytes of the signature block file
 */
public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache,
                             ManifestDigester md,
                             String name,
                             byte[] rawBytes)
    throws IOException, CertificateException
{
    // new PKCS7() calls CertificateFactory.getInstance(), which needs the
    // local providers here, see Providers class.
    Object verificationToken = null;
    try {
        verificationToken = Providers.startJarVerification();
        block = new PKCS7(rawBytes);
        sfBytes = block.getContentInfo().getData();
        certificateFactory = CertificateFactory.getInstance("X509");
    } finally {
        Providers.stopJarVerification(verificationToken);
    }

    // Strip the block-file extension and normalise the case.
    final int extensionStart = name.lastIndexOf('.');
    this.name = name.substring(0, extensionStart).toUpperCase(Locale.ENGLISH);
    this.md = md;
    this.signerCache = signerCache;
}
Example #7
Source File: SignatureFileVerifier.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
/**
 * Create the named SignatureFileVerifier.
 *
 * <p>Parses {@code rawBytes} as a PKCS7 block, keeps the block's content
 * data as the .SF bytes and obtains an "X509" certificate factory, all
 * between {@code Providers.startJarVerification()} and
 * {@code Providers.stopJarVerification()}. The name is stored without its
 * extension (text from the last '.' onwards), upper-cased with
 * {@link Locale#ENGLISH}. A name containing no '.' results in a
 * {@link StringIndexOutOfBoundsException} from {@code substring}.
 *
 * @param signerCache cache of signer arrays, kept by reference
 * @param md          manifest digester, kept by reference
 * @param name        the name of the signature block file (.DSA/.RSA/.EC)
 * @param rawBytes    the raw bytes of the signature block file
 */
public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache,
                             ManifestDigester md,
                             String name,
                             byte[] rawBytes)
    throws IOException, CertificateException
{
    // CertificateFactory.getInstance() is called by new PKCS7(); it has to
    // use the local providers here, see Providers class.
    Object providerState = null;
    try {
        providerState = Providers.startJarVerification();
        block = new PKCS7(rawBytes);
        sfBytes = block.getContentInfo().getData();
        certificateFactory = CertificateFactory.getInstance("X509");
    } finally {
        Providers.stopJarVerification(providerState);
    }

    final String withoutExtension = name.substring(0, name.lastIndexOf('.'));
    this.name = withoutExtension.toUpperCase(Locale.ENGLISH);
    this.md = md;
    this.signerCache = signerCache;
}
Example #8
Source File: Serialize.java From hottub with GNU General Public License v2.0 | 5 votes |
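/**
 * Round-trips a {@link CodeSigner} through Java serialization and checks
 * that the deserialized copy equals the original and has the same hash code.
 *
 * <p>The certificate is read from {@code cert_file} in the directory named
 * by the {@code test.src} system property (default: the current directory).
 * All streams are opened in try-with-resources so they are closed even when
 * certificate parsing or (de)serialization throws.
 *
 * @param args unused
 * @throws Exception if the certificate cannot be read, serialization fails,
 *         or the round-tripped signer differs from the original
 */
public static void main(String[] args) throws Exception {

    // Create a certpath consisting of one certificate
    File f = new File(System.getProperty("test.src", "."), "cert_file");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate c;
    try (FileInputStream fis = new FileInputStream(f)) {
        c = cf.generateCertificate(fis);
    }
    CertPath cp = cf.generateCertPath(Collections.singletonList(c));

    // Create a code signer
    CodeSigner cs = new CodeSigner(cp, new Timestamp(new Date(), cp));

    // Serialize the code signer
    ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(byteOut)) {
        out.writeObject(cs);
    }

    // Deserialize the code signer. The bytes were produced by this test a
    // few lines above; ObjectInputStream must not be pointed at data from
    // an external source without an ObjectInputFilter.
    byte[] data = byteOut.toByteArray();
    CodeSigner cs2;
    try (ObjectInputStream in =
            new ObjectInputStream(new ByteArrayInputStream(data))) {
        cs2 = (CodeSigner) in.readObject();
    }

    // Test for equality
    if (!cs.equals(cs2) || cs.hashCode() != cs2.hashCode()) {
        throw new Exception("CodeSigner serialization test FAILED");
    }
}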
Example #9
Source File: PluginClassLoader.java From Kettle with GNU General Public License v3.0 | 5 votes |
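/**
 * Finds the class file for {@code name}, runs it through the remapper and
 * the transformer, and defines the resulting bytecode.
 *
 * <p>The class-file stream is opened in try-with-resources so it is closed
 * on every path; the original code never closed it.
 *
 * <p>The defined class gets a {@link CodeSource} pointing at the JAR file
 * URL with an empty {@link CodeSigner} array, so any signature on the JAR
 * is not carried over to the class. NOTE(review): this looks deliberate,
 * because the bytes are rewritten before definition and a signature over
 * the original entry would not describe them. It also means signer-based
 * policy cannot be applied to these classes.
 *
 * @param name binary name of the class
 * @return the defined and resolved class, or {@code null} if no resource
 *         (or no stream) exists for it
 * @throws ClassNotFoundException if any step fails; the cause is attached
 */
private Class<?> remappedFindClass(String name) throws ClassNotFoundException {
    Class<?> result = null;

    try {
        String path = name.replace('.', '/').concat(".class");
        URL url = this.findResource(path);
        if (url != null) {
            // try-with-resources tolerates a null resource and closes a
            // non-null one even when remapping or definition throws.
            try (InputStream stream = url.openStream()) {
                if (stream != null) {
                    byte[] bytecode;

                    bytecode = remapper.remapClassFile(stream, RuntimeRepo.getInstance());
                    bytecode = Transformer.transform(bytecode);

                    // A non-JAR URL fails this cast; the catch below turns
                    // that into ClassNotFoundException.
                    JarURLConnection jarURLConnection = (JarURLConnection) url.openConnection();
                    URL jarURL = jarURLConnection.getJarFileURL();
                    CodeSource codeSource = new CodeSource(jarURL, new CodeSigner[0]);

                    result = this.defineClass(name, bytecode, 0, bytecode.length, codeSource);
                    if (result != null) {
                        this.resolveClass(result);
                    }
                }
            }
        }
    } catch (Throwable t) {
        throw new ClassNotFoundException("Failed to remap class " + name, t);
    }

    return result;
}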
Example #10
Source File: JarEntry.java From jtransc with Apache License 2.0 | 5 votes |
/**
 * Returns the code signers for the digital signatures associated with the
 * JAR file, or {@code null} if there is no such code signer. Everything
 * must have been read from the input stream before this method is called;
 * otherwise it returns {@code null}.
 *
 * <p>The signer array is computed from the entry's certificates on first
 * use and cached in {@code signers}. Callers get a fresh copy on each call,
 * so modifying the returned array does not affect the cached one.
 *
 * @return a copy of the code signers for the JAR entry, or {@code null}.
 * @see CodeSigner
 */
public CodeSigner[] getCodeSigners() {
    if (signers == null) {
        // Lazily derive the signers from the certificates.
        signers = getCodeSigners(getCertificates());
        if (signers == null) {
            return null;
        }
    }
    // Defensive copy: never hand out the cached array itself.
    final int count = signers.length;
    final CodeSigner[] copy = new CodeSigner[count];
    System.arraycopy(signers, 0, copy, 0, count);
    return copy;
}
Example #11
Source File: CodeSignerTest.java From j2objc with Apache License 2.0 | 5 votes |
/**
 * The constructor accepts a {@code null} timestamp: building a
 * {@link CodeSigner} from {@code cpath} with no timestamp must not throw
 * and must produce a non-null object.
 */
public final void testCodeSigner_01() {
    CodeSigner withoutTimestamp;
    try {
        withoutTimestamp = new CodeSigner(cpath, null);
    } catch (Exception e) {
        fail("Unexpected exception");
        return; // not reached at run time; needed for definite assignment
    }
    assertNotNull(withoutTimestamp);
}
Example #12
Source File: Serialize.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
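/**
 * Serializes a {@link CodeSigner}, deserializes it again, and fails unless
 * the copy equals the original and has the same hash code.
 *
 * <p>The signer is built from the single certificate in {@code cert_file}
 * (looked up under the {@code test.src} system property, default ".").
 * Each stream is now managed by try-with-resources; previously an exception
 * while parsing the certificate left the file stream open, and the object
 * input stream was never closed.
 *
 * @param args unused
 * @throws Exception on I/O or certificate errors, or when the round-trip
 *         check fails
 */
public static void main(String[] args) throws Exception {

    // Create a certpath consisting of one certificate
    File f = new File(System.getProperty("test.src", "."), "cert_file");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate c;
    try (FileInputStream fis = new FileInputStream(f)) {
        c = cf.generateCertificate(fis);
    }
    CertPath cp = cf.generateCertPath(Collections.singletonList(c));

    // Create a code signer
    CodeSigner cs = new CodeSigner(cp, new Timestamp(new Date(), cp));

    // Serialize the code signer
    ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(byteOut)) {
        out.writeObject(cs);
    }

    // Deserialize the code signer. Only bytes written by this test are
    // read back; native deserialization of data from elsewhere would need
    // an ObjectInputFilter.
    byte[] data = byteOut.toByteArray();
    CodeSigner cs2;
    try (ObjectInputStream in =
            new ObjectInputStream(new ByteArrayInputStream(data))) {
        cs2 = (CodeSigner) in.readObject();
    }

    // Test for equality
    if (!cs.equals(cs2) || cs.hashCode() != cs2.hashCode()) {
        throw new Exception("CodeSigner serialization test FAILED");
    }
}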
Example #13
Source File: JarFile.java From Java8CN with Apache License 2.0 | 5 votes |
/**
 * Returns the code signers of this entry, or {@code null} if none are known.
 *
 * <p>The verifier is instantiated on demand; an {@link IOException} from
 * that step is rethrown wrapped in a {@link RuntimeException}. The signer
 * array is fetched from the verifier once and cached. Callers receive a
 * clone, so they cannot modify the cached array.
 *
 * @return a copy of the entry's code signers, or {@code null}
 */
public CodeSigner[] getCodeSigners() {
    try {
        maybeInstantiateVerifier();
    } catch (IOException ioFailure) {
        throw new RuntimeException(ioFailure);
    }

    // Ask the verifier only when one exists and nothing is cached yet.
    if (jv != null && signers == null) {
        signers = jv.getCodeSigners(JarFile.this, this);
    }

    if (signers == null) {
        return null;
    }
    return signers.clone();
}
Example #14
Source File: JavaAdapterFactory.java From hottub with GNU General Public License v2.0 | 5 votes |
/**
 * Builds the protection domain used for generated classes: a
 * {@link CodeSource} with no location and no signers, plus only the
 * {@code accessClassInPackage} runtime permissions listed below.
 *
 * <p>The two-argument {@link ProtectionDomain} constructor is used, so the
 * domain carries exactly these statically bound permissions.
 *
 * @return the minimal-permission protection domain
 */
private static ProtectionDomain createMinimalPermissionDomain() {
    // Generated classes need to have at least the permission to access
    // Nashorn runtime and runtime.linker packages.
    final String[] grantedTargets = {
        "accessClassInPackage.jdk.nashorn.internal.objects",
        "accessClassInPackage.jdk.nashorn.internal.runtime",
        "accessClassInPackage.jdk.nashorn.internal.runtime.linker",
    };

    final Permissions minimal = new Permissions();
    for (final String target : grantedTargets) {
        minimal.add(new RuntimePermission(target));
    }

    // The cast picks the CodeSigner[] overload of the CodeSource constructor.
    final CodeSource anonymousSource = new CodeSource(null, (CodeSigner[]) null);
    return new ProtectionDomain(anonymousSource, minimal);
}
Example #15
Source File: SignatureFileVerifier.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
/**
 * Reports whether {@code signer} occurs in {@code set}, comparing with
 * {@link CodeSigner#equals(Object)}.
 *
 * @param set    signers to search; neither the array nor its elements may
 *               be {@code null} (a null would cause a NullPointerException)
 * @param signer signer to look for
 * @return {@code true} if an element of {@code set} equals {@code signer}
 */
static boolean contains(CodeSigner[] set, CodeSigner signer) {
    for (CodeSigner member : set) {
        if (member.equals(signer)) {
            return true;
        }
    }
    return false;
}
Example #16
Source File: Serialize.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
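/**
 * Checks that a {@link CodeSigner} survives Java serialization: the
 * deserialized object must equal the original and share its hash code.
 *
 * <p>Input is the certificate stored in {@code cert_file} under the
 * directory given by the {@code test.src} system property (default ".").
 * The file stream and both object streams are closed by try-with-resources,
 * which fixes the leak on the failure paths of the original code.
 *
 * @param args unused
 * @throws Exception on I/O or certificate errors, or when the deserialized
 *         signer does not match
 */
public static void main(String[] args) throws Exception {

    // Create a certpath consisting of one certificate
    File f = new File(System.getProperty("test.src", "."), "cert_file");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate c;
    try (FileInputStream fis = new FileInputStream(f)) {
        c = cf.generateCertificate(fis);
    }
    CertPath cp = cf.generateCertPath(Collections.singletonList(c));

    // Create a code signer
    CodeSigner cs = new CodeSigner(cp, new Timestamp(new Date(), cp));

    // Serialize the code signer
    ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(byteOut)) {
        out.writeObject(cs);
    }

    // Deserialize the code signer. The input is the buffer filled above,
    // not external data; readObject() on external data would need an
    // ObjectInputFilter.
    byte[] data = byteOut.toByteArray();
    CodeSigner cs2;
    try (ObjectInputStream in =
            new ObjectInputStream(new ByteArrayInputStream(data))) {
        cs2 = (CodeSigner) in.readObject();
    }

    // Test for equality
    if (!cs.equals(cs2) || cs.hashCode() != cs2.hashCode()) {
        throw new Exception("CodeSigner serialization test FAILED");
    }
}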
Example #17
Source File: SignatureFileVerifier.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Given the PKCS7 block and SignerInfo[], create an array of CodeSigner
 * objects. This is done only once for a given signature block file.
 *
 * <p>Each {@code SignerInfo} contributes one {@link CodeSigner} built from
 * its certificate chain in {@code block} and its timestamp.
 *
 * @param infos signer infos taken from the block
 * @param block the PKCS7 signature block
 * @return one signer per info, in order, or {@code null} when
 *         {@code infos} is empty
 */
private CodeSigner[] getSigners(SignerInfo infos[], PKCS7 block)
    throws IOException, NoSuchAlgorithmException, SignatureException,
        CertificateException
{
    // No signer infos: report "no signers" as null, not as an empty array.
    if (infos.length == 0) {
        return null;
    }

    ArrayList<CodeSigner> collected = new ArrayList<CodeSigner>();
    for (SignerInfo info : infos) {
        ArrayList<X509Certificate> chain = info.getCertificateChain(block);
        CertPath certChain = certificateFactory.generateCertPath(chain);

        // Append the new code signer
        collected.add(new CodeSigner(certChain, info.getTimestamp()));

        if (debug != null) {
            debug.println("Signature Block Certificate: " +
                chain.get(0));
        }
    }
    return collected.toArray(new CodeSigner[collected.size()]);
}
Example #18
Source File: SignatureFileVerifier.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
/**
 * Given the PKCS7 block and SignerInfo[], create an array of CodeSigner
 * objects. This is done only once for a given signature block file.
 *
 * <p>For every {@code SignerInfo}, the certificate chain found in
 * {@code block} is turned into a {@link CertPath} and paired with the
 * info's timestamp.
 *
 * @param infos signer infos taken from the block
 * @param block the PKCS7 signature block
 * @return one signer per info, in order, or {@code null} when
 *         {@code infos} is empty
 */
private CodeSigner[] getSigners(SignerInfo[] infos, PKCS7 block)
    throws IOException, NoSuchAlgorithmException, SignatureException,
        CertificateException
{
    // An empty input means "no signers", expressed as null.
    if (infos.length == 0) {
        return null;
    }

    ArrayList<CodeSigner> collected = new ArrayList<>();
    for (SignerInfo info : infos) {
        ArrayList<X509Certificate> chain = info.getCertificateChain(block);
        CertPath certChain = certificateFactory.generateCertPath(chain);

        // Append the new code signer. If timestamp is invalid, this
        // jar will be treated as unsigned.
        collected.add(new CodeSigner(certChain, info.getTimestamp()));

        if (debug != null) {
            debug.println("Signature Block Certificate: " +
                chain.get(0));
        }
    }
    return collected.toArray(new CodeSigner[collected.size()]);
}
Example #19
Source File: SignatureFileVerifier.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Reports whether every signer in {@code subset} also occurs in {@code set}.
 *
 * <p>The same array passed for both arguments (including {@code null} for
 * both) is a subset of itself. Otherwise each element of {@code subset} is
 * looked up with {@code contains}.
 *
 * @param subset signers that must all be present
 * @param set    signers to search
 * @return {@code true} if {@code subset} is contained in {@code set}
 */
static boolean isSubSet(CodeSigner[] subset, CodeSigner[] set) {
    // check for the same object
    if (set == subset) {
        return true;
    }

    for (CodeSigner required : subset) {
        if (!contains(set, required)) {
            return false;
        }
    }
    return true;
}
Example #20
Source File: SignatureFileVerifier.java From Bytecoder with Apache License 2.0 | 5 votes |
/**
 * Given the PKCS7 block and SignerInfo[], create an array of CodeSigner
 * objects. This is done only once for a given signature block file.
 *
 * <p>Each signer is built from the certificate chain that the
 * {@code SignerInfo} resolves against {@code block}, together with the
 * info's timestamp.
 *
 * @param infos signer infos taken from the block
 * @param block the PKCS7 signature block
 * @return one signer per info, in order, or {@code null} when
 *         {@code infos} is empty
 */
private CodeSigner[] getSigners(SignerInfo[] infos, PKCS7 block)
    throws IOException, NoSuchAlgorithmException, SignatureException,
        CertificateException
{
    final int infoCount = infos.length;
    if (infoCount == 0) {
        // Nothing to convert; callers see null rather than an empty array.
        return null;
    }

    ArrayList<CodeSigner> result = new ArrayList<>();
    for (int idx = 0; idx < infoCount; idx++) {
        SignerInfo current = infos[idx];
        ArrayList<X509Certificate> chain = current.getCertificateChain(block);
        CertPath certChain = certificateFactory.generateCertPath(chain);

        // Append the new code signer. If timestamp is invalid, this
        // jar will be treated as unsigned.
        result.add(new CodeSigner(certChain, current.getTimestamp()));

        if (debug != null) {
            debug.println("Signature Block Certificate: " +
                chain.get(0));
        }
    }
    return result.toArray(new CodeSigner[result.size()]);
}
Example #21
Source File: SignatureFileVerifier.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
/**
 * Records {@code newSigners} for {@code name} in {@code signers}, reusing
 * an array from {@code signerCache} when one matches.
 *
 * <p>If a cached array satisfies {@code matches(cached, old, new)}, it is
 * stored for {@code name}. Otherwise the new array (or the old signers
 * followed by the new ones, when old signers exist) is added to the cache
 * and stored.
 *
 * @param newSigners signers to add for the entry
 * @param signers    per-name signer table to update
 * @param name       entry name
 */
void updateSigners(CodeSigner[] newSigners,
    Hashtable<String, CodeSigner[]> signers, String name) {

    final CodeSigner[] previous = signers.get(name);

    // Search the cache newest-first: a match is more likely with the
    // array that was added last.
    for (int idx = signerCache.size() - 1; idx >= 0; idx--) {
        final CodeSigner[] cached = signerCache.get(idx);
        if (matches(cached, previous, newSigners)) {
            signers.put(name, cached);
            return;
        }
    }

    // No cached array fits: build the combined array and cache it.
    final CodeSigner[] combined;
    if (previous == null) {
        combined = newSigners;
    } else {
        final int oldCount = previous.length;
        combined = new CodeSigner[oldCount + newSigners.length];
        System.arraycopy(previous, 0, combined, 0, oldCount);
        System.arraycopy(newSigners, 0, combined, oldCount, newSigners.length);
    }
    signerCache.add(combined);
    signers.put(name, combined);
}
Example #22
Source File: SignatureFileVerifier.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Tests whether {@code set} holds an element equal to {@code signer}
 * according to {@link CodeSigner#equals(Object)}.
 *
 * @param set    signers to search; a {@code null} array or {@code null}
 *               element causes a NullPointerException
 * @param signer signer to look for
 * @return {@code true} on the first equal element, {@code false} if none
 */
static boolean contains(CodeSigner[] set, CodeSigner signer) {
    int idx = 0;
    while (idx < set.length) {
        if (set[idx].equals(signer)) {
            return true;
        }
        idx++;
    }
    return false;
}
Example #23
Source File: JarEntry.java From sofa-ark with Apache License 2.0 | 5 votes |
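/**
 * Returns the code signers of this entry, or {@code null} if none are set.
 *
 * <p>When the owning JAR file is signed and no signers are cached yet, the
 * JAR file is asked to set up this entry's certificates first.
 *
 * <p>A clone of the cached array is returned. Handing out the cached array
 * itself would let any caller overwrite its elements and so change what
 * later callers see as the entry's signers.
 *
 * @return a copy of the entry's code signers, or {@code null}
 */
@Override
public CodeSigner[] getCodeSigners() {
    if (this.jarFile.isSigned() && this.codeSigners == null) {
        this.jarFile.setupEntryCertificates(this);
    }
    final CodeSigner[] cached = this.codeSigners;
    return (cached != null) ? cached.clone() : null;
}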
Example #24
Source File: SignatureFileVerifier.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Checks that each signer in {@code subset} is also present in {@code set}.
 *
 * <p>Identical references (including two {@code null}s) count as a subset
 * without inspecting any element; otherwise membership is decided per
 * element by {@code contains}.
 *
 * @param subset signers that must all be present
 * @param set    signers to search
 * @return {@code true} if no element of {@code subset} is missing from
 *         {@code set}
 */
static boolean isSubSet(CodeSigner[] subset, CodeSigner[] set) {
    // check for the same object
    if (set == subset) {
        return true;
    }

    int idx = 0;
    while (idx < subset.length) {
        if (!contains(set, subset[idx])) {
            return false;
        }
        idx++;
    }
    return true;
}
Example #25
Source File: JavaAdapterFactory.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Builds the protection domain used for generated classes. Its
 * {@link CodeSource} has neither a location nor signers, and it grants only
 * the {@code accessClassInPackage} runtime permissions listed below.
 *
 * <p>Because the two-argument {@link ProtectionDomain} constructor is used,
 * the domain carries exactly these statically bound permissions.
 *
 * @return the minimal-permission protection domain
 */
private static ProtectionDomain createMinimalPermissionDomain() {
    // Generated classes need to have at least the permission to access
    // Nashorn runtime and runtime.linker packages.
    final String[] grantedTargets = {
        "accessClassInPackage.jdk.nashorn.internal.runtime",
        "accessClassInPackage.jdk.nashorn.internal.runtime.linker",
    };

    final Permissions minimal = new Permissions();
    for (final String target : grantedTargets) {
        minimal.add(new RuntimePermission(target));
    }

    // The cast picks the CodeSigner[] overload of the CodeSource constructor.
    final CodeSource anonymousSource = new CodeSource(null, (CodeSigner[]) null);
    return new ProtectionDomain(anonymousSource, minimal);
}
Example #26
Source File: SignatureFileVerifier.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Given the PKCS7 block and SignerInfo[], create an array of CodeSigner
 * objects. This is done only once for a given signature block file.
 *
 * <p>One {@link CodeSigner} is produced per {@code SignerInfo}, from the
 * certificate chain it resolves in {@code block} and from its timestamp.
 *
 * @param infos signer infos taken from the block
 * @param block the PKCS7 signature block
 * @return one signer per info, in order, or {@code null} when
 *         {@code infos} is empty
 */
private CodeSigner[] getSigners(SignerInfo[] infos, PKCS7 block)
    throws IOException, NoSuchAlgorithmException, SignatureException,
        CertificateException
{
    // With no infos there is nothing to build; the result is null.
    if (infos.length == 0) {
        return null;
    }

    ArrayList<CodeSigner> built = new ArrayList<>();
    for (SignerInfo info : infos) {
        ArrayList<X509Certificate> chain = info.getCertificateChain(block);
        CertPath certChain = certificateFactory.generateCertPath(chain);

        // Append the new code signer
        built.add(new CodeSigner(certChain, info.getTimestamp()));

        if (debug != null) {
            debug.println("Signature Block Certificate: " +
                chain.get(0));
        }
    }
    return built.toArray(new CodeSigner[built.size()]);
}
Example #27
Source File: ScanSignedJar.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
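/**
 * Opens the JAR at {@code JAR_LOCATION} with verification enabled, reads
 * every entry to the end and prints whether it is signed.
 *
 * <p>An entry counts as unsigned when both its signers and certificates are
 * {@code null}, and as signed when both are non-null. Any other combination
 * is an error. {@code Count.class} is required to be signed.
 *
 * <p>The {@link JarInputStream} is managed by try-with-resources so it is
 * closed even when one of the checks throws; the original never closed it.
 *
 * @param args unused
 * @throws Exception if the JAR cannot be read, {@code Count.class} is
 *         unsigned, or signers and certificates disagree
 */
public static void main(String[] args) throws Exception {

    System.out.println("Opening " + JAR_LOCATION + "...");
    try (JarInputStream inStream =
            new JarInputStream(new URL(JAR_LOCATION).openStream(), true)) {
        JarEntry entry;
        byte[] buffer = new byte[1024];

        while ((entry = inStream.getNextJarEntry()) != null) {

            // need to read the entry's data to see the certs.
            while (inStream.read(buffer) != -1)
                ;

            String name = entry.getName();
            long size = entry.getSize();
            Certificate[] certificates = entry.getCertificates();
            CodeSigner[] signers = entry.getCodeSigners();

            if (signers == null && certificates == null) {
                System.out.println("[unsigned]\t" + name + "\t(" + size +
                    " bytes)");
                if (name.equals("Count.class")) {
                    throw new Exception("Count.class should be signed");
                }
            } else if (signers != null && certificates != null) {
                System.out.println("[" + signers.length +
                    (signers.length == 1 ? " signer" : " signers") + "]\t" +
                    name + "\t(" + size + " bytes)");
            } else {
                System.out.println("[*ERROR*]\t" + name + "\t(" + size +
                    " bytes)");
                throw new Exception("Cannot determine whether the entry is " +
                    "signed or unsigned (signers[] doesn't match certs[]).");
            }
        }
    }
}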
Example #28
Source File: ManifestEntryVerifier.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
/**
 * Goes through all the digests, calculating each final digest and comparing
 * it to the one in the manifest. If this is the first time this object is
 * verified, its code signers are removed from {@code sigFileSigners} and
 * placed in {@code verifiedSigners}.
 *
 * <p>Digests are compared with {@link MessageDigest#isEqual(byte[], byte[])}.
 * A mismatch is reported as a {@link SecurityException} that names the
 * algorithm and the entry. When {@code debug} is set, both the manifest
 * hash and the computed hash are printed in hex.
 *
 * @param verifiedSigners table that receives the signers once the digests match
 * @param sigFileSigners  table the signers are taken out of
 * @return the entry's signers (the cached array itself, not a copy), or
 *         {@code null} if the entry is skipped or has no signers
 * @throws SecurityException if a computed digest differs from the manifest
 */
public CodeSigner[] verify(Hashtable<String, CodeSigner[]> verifiedSigners,
            Hashtable<String, CodeSigner[]> sigFileSigners)
    throws JarException
{
    if (skip) {
        return null;
    }

    // Already verified once: reuse the earlier result.
    if (signers != null) {
        return signers;
    }

    for (int idx = 0; idx < digests.size(); idx++) {
        final MessageDigest hasher = digests.get(idx);
        final byte[] expected = manifestHashes.get(idx);
        final byte[] computed = hasher.digest();

        if (debug != null) {
            debug.println("Manifest Entry: " +
                name + " digest=" + hasher.getAlgorithm());
            debug.println(" manifest " + toHex(expected));
            debug.println(" computed " + toHex(computed));
            debug.println();
        }

        final boolean sameDigest = MessageDigest.isEqual(computed, expected);
        if (!sameDigest) {
            throw new SecurityException(hasher.getAlgorithm() +
                " digest error for " + name);
        }
    }

    // take it out of sigFileSigners and put it in verifiedSigners...
    signers = sigFileSigners.remove(name);
    if (signers != null) {
        verifiedSigners.put(name, signers);
    }
    return signers;
}
Example #29
Source File: SignatureFileVerifier.java From jdk8u_jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Decides whether {@code subset} is contained in {@code set}, i.e. whether
 * {@code contains(set, x)} holds for every element {@code x} of
 * {@code subset}.
 *
 * <p>When both arguments are the same reference (including both
 * {@code null}) the answer is {@code true} without any element comparison.
 *
 * @param subset signers that must all be present
 * @param set    signers to search
 * @return {@code true} if every element of {@code subset} is in {@code set}
 */
static boolean isSubSet(CodeSigner[] subset, CodeSigner[] set) {
    // check for the same object
    if (set == subset) {
        return true;
    }

    for (CodeSigner wanted : subset) {
        final boolean present = contains(set, wanted);
        if (!present) {
            return false;
        }
    }
    return true;
}
Example #30
Source File: ScanSignedJar.java From hottub with GNU General Public License v2.0 | 5 votes |
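/**
 * Scans the JAR at {@code JAR_LOCATION} through a verifying
 * {@link JarInputStream} and reports, for each entry, whether it is
 * unsigned or how many signers it has.
 *
 * <p>Each entry is read to the end before its certificates and signers are
 * queried, since they are only visible after the entry's data has been
 * consumed. The run fails if {@code Count.class} is unsigned, or if exactly
 * one of {@code getCodeSigners()} and {@code getCertificates()} returns
 * {@code null}.
 *
 * <p>The stream is opened in try-with-resources so that it is released on
 * both the normal and the exceptional path; the original left it open.
 *
 * @param args unused
 * @throws Exception if the JAR cannot be read, {@code Count.class} is
 *         unsigned, or signers and certificates disagree
 */
public static void main(String[] args) throws Exception {

    System.out.println("Opening " + JAR_LOCATION + "...");
    try (JarInputStream inStream =
            new JarInputStream(new URL(JAR_LOCATION).openStream(), true)) {
        JarEntry entry;
        byte[] buffer = new byte[1024];

        while ((entry = inStream.getNextJarEntry()) != null) {

            // need to read the entry's data to see the certs.
            while (inStream.read(buffer) != -1)
                ;

            String name = entry.getName();
            long size = entry.getSize();
            Certificate[] certificates = entry.getCertificates();
            CodeSigner[] signers = entry.getCodeSigners();

            if (signers == null && certificates == null) {
                System.out.println("[unsigned]\t" + name + "\t(" + size +
                    " bytes)");
                if (name.equals("Count.class")) {
                    throw new Exception("Count.class should be signed");
                }
            } else if (signers != null && certificates != null) {
                System.out.println("[" + signers.length +
                    (signers.length == 1 ? " signer" : " signers") + "]\t" +
                    name + "\t(" + size + " bytes)");
            } else {
                System.out.println("[*ERROR*]\t" + name + "\t(" + size +
                    " bytes)");
                throw new Exception("Cannot determine whether the entry is " +
                    "signed or unsigned (signers[] doesn't match certs[]).");
            }
        }
    }
}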