Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
 Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/tools/jarsigner/TimestampedSigner.java
38923 views
1
/*

2
 * Copyright (c) 2007, 2019, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.  Oracle designates this

8
 * particular file as subject to the "Classpath" exception as provided

9
 * by Oracle in the LICENSE file that accompanied this code.

10
 *

11
 * This code is distributed in the hope that it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

14
 * version 2 for more details (a copy is included in the LICENSE file that

15
 * accompanied this code).

16
 *

17
 * You should have received a copy of the GNU General Public License version

18
 * 2 along with this work; if not, write to the Free Software Foundation,

19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

20
 *

21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

22
 * or visit www.oracle.com if you need additional information or have any

23
 * questions.

24
 */

25


26
package sun.security.tools.jarsigner;

27


28
import java.io.IOException;

29
import java.net.URI;

30
import java.security.NoSuchAlgorithmException;

31
import java.security.cert.CertificateException;

32
import java.security.cert.X509Certificate;

33


34
import com.sun.jarsigner.*;

35
import sun.security.pkcs.PKCS7;

36
import sun.security.util.*;

37
import sun.security.x509.*;

38


39
/**

40
 * This class implements a content signing service.

41
 * It generates a timestamped signature for a given content according to

42
 * <a href="http://www.ietf.org/rfc/rfc3161.txt">RFC 3161</a>.

43
 * The signature along with a trusted timestamp and the signer's certificate

44
 * are all packaged into a standard PKCS #7 Signed Data message.

45
 *

46
 * @author Vincent Ryan

47
 */

48


49
public final class TimestampedSigner extends ContentSigner {

50


51
    /*

52
     * Object identifier for the subject information access X.509 certificate

53
     * extension.

54
     */

55
    private static final String SUBJECT_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.11";

56


57
    /*

58
     * Object identifier for the timestamping access descriptors.

59
     */

60
    private static final ObjectIdentifier AD_TIMESTAMPING_Id;

61
    static {

62
        ObjectIdentifier tmp = null;

63
        try {

64
            tmp = new ObjectIdentifier("1.3.6.1.5.5.7.48.3");

65
        } catch (IOException e) {

66
            // ignore

67
        }

68
        AD_TIMESTAMPING_Id = tmp;

69
    }

70


71
    /**

72
     * Instantiates a content signer that supports timestamped signatures.

73
     */

74
    public TimestampedSigner() {

75
    }

76


77
    /**

78
     * Generates a PKCS #7 signed data message that includes a signature

79
     * timestamp.

80
     * This method is used when a signature has already been generated.

81
     * The signature, a signature timestamp, the signer's certificate chain,

82
     * and optionally the content that was signed, are packaged into a PKCS #7

83
     * signed data message.

84
     *

85
     * @param params The non-null input parameters.

86
     * @param omitContent true if the content should be omitted from the

87
     *        signed data message. Otherwise the content is included.

88
     * @param applyTimestamp true if the signature should be timestamped.

89
     *        Otherwise timestamping is not performed.

90
     * @return A PKCS #7 signed data message including a signature timestamp.

91
     * @throws NoSuchAlgorithmException The exception is thrown if the signature

92
     *         algorithm is unrecognised.

93
     * @throws CertificateException The exception is thrown if an error occurs

94
     *         while processing the signer's certificate or the TSA's

95
     *         certificate.

96
     * @throws IOException The exception is thrown if an error occurs while

97
     *         generating the signature timestamp or while generating the signed

98
     *         data message.

99
     * @throws NullPointerException The exception is thrown if parameters is

100
     *         null.

101
     */

102
    public byte[] generateSignedData(ContentSignerParameters params,

103
        boolean omitContent, boolean applyTimestamp)

104
            throws NoSuchAlgorithmException, CertificateException, IOException {

105


106
        if (params == null) {

107
            throw new NullPointerException();

108
        }

109


110
        // Parse the signature algorithm to extract the digest

111
        // algorithm. The expected format is:

112
        //     "<digest>with<encryption>"

113
        // or  "<digest>with<encryption>and<mgf>"

114
        String signatureAlgorithm = params.getSignatureAlgorithm();

115


116
        X509Certificate[] signerChain = params.getSignerCertificateChain();

117
        byte[] signature = params.getSignature();

118


119
        // Include or exclude content

120
        byte[] content = (omitContent == true) ? null : params.getContent();

121


122
        URI tsaURI = null;

123
        if (applyTimestamp) {

124
            tsaURI = params.getTimestampingAuthority();

125
            if (tsaURI == null) {

126
                // Examine TSA cert

127
                tsaURI = getTimestampingURI(

128
                    params.getTimestampingAuthorityCertificate());

129
                if (tsaURI == null) {

130
                    throw new CertificateException(

131
                        "Subject Information Access extension not found");

132
                }

133
            }

134
        }

135
        String tSADigestAlg = "SHA-256";

136
        if (params instanceof JarSignerParameters) {

137
            tSADigestAlg = ((JarSignerParameters)params).getTSADigestAlg();

138
        }

139
        return PKCS7.generateSignedData(signature, signerChain, content,

140
                                        params.getSignatureAlgorithm(), tsaURI,

141
                                        params.getTSAPolicyID(),

142
                                        tSADigestAlg);

143
    }

144


145
    /**

146
     * Examine the certificate for a Subject Information Access extension

147
     * (<a href="http://tools.ietf.org/html/rfc5280">RFC 5280</a>).

148
     * The extension's {@code accessMethod} field should contain the object

149
     * identifier defined for timestamping: 1.3.6.1.5.5.7.48.3 and its

150
     * {@code accessLocation} field should contain an HTTP or HTTPS URL.

151
     *

152
     * @param tsaCertificate An X.509 certificate for the TSA.

153
     * @return An HTTP or HTTPS URI or null if none was found.

154
     */

155
    public static URI getTimestampingURI(X509Certificate tsaCertificate) {

156


157
        if (tsaCertificate == null) {

158
            return null;

159
        }

160
        // Parse the extensions

161
        try {

162
            byte[] extensionValue =

163
                tsaCertificate.getExtensionValue(SUBJECT_INFO_ACCESS_OID);

164
            if (extensionValue == null) {

165
                return null;

166
            }

167
            DerInputStream der = new DerInputStream(extensionValue);

168
            der = new DerInputStream(der.getOctetString());

169
            DerValue[] derValue = der.getSequence(5);

170
            AccessDescription description;

171
            GeneralName location;

172
            URIName uri;

173
            for (int i = 0; i < derValue.length; i++) {

174
                description = new AccessDescription(derValue[i]);

175
                if (description.getAccessMethod()

176
                        .equals((Object)AD_TIMESTAMPING_Id)) {

177
                    location = description.getAccessLocation();

178
                    if (location.getType() == GeneralNameInterface.NAME_URI) {

179
                        uri = (URIName) location.getName();

180
                        if (uri.getScheme().equalsIgnoreCase("http") ||

181
                                uri.getScheme().equalsIgnoreCase("https")) {

182
                            return uri.getURI();

183
                        }

184
                    }

185
                }

186
            }

187
        } catch (IOException ioe) {

188
            // ignore

189
        }

190
        return null;

191
    }

192
}

193


194