Loading core/java/android/util/jar/StrictJarVerifier.java +23 −10 Original line number Original line Diff line number Diff line Loading @@ -30,6 +30,7 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.HashMap; import java.util.Hashtable; import java.util.Hashtable; import java.util.Iterator; import java.util.Iterator; import java.util.List; import java.util.Locale; import java.util.Locale; import java.util.Map; import java.util.Map; import java.util.Set; import java.util.Set; Loading @@ -41,6 +42,7 @@ import android.util.apk.ApkSignatureSchemeV2Verifier; import libcore.io.Base64; import libcore.io.Base64; import sun.security.jca.Providers; import sun.security.jca.Providers; import sun.security.pkcs.PKCS7; import sun.security.pkcs.PKCS7; import sun.security.pkcs.SignerInfo; /** /** * Non-public class used by {@link JarFile} and {@link JarInputStream} to manage * Non-public class used by {@link JarFile} and {@link JarInputStream} to manage Loading Loading 
@@ -308,18 +310,29 @@ class StrictJarVerifier { obj = Providers.startJarVerification(); obj = Providers.startJarVerification(); PKCS7 block = new PKCS7(blockBytes); PKCS7 block = new PKCS7(blockBytes); if (block.verify(sfBytes) == null) { SignerInfo[] verifiedSignerInfos = block.verify(sfBytes); throw new GeneralSecurityException("Failed to verify signature"); if ((verifiedSignerInfos == null) || (verifiedSignerInfos.length == 0)) { } throw new GeneralSecurityException( X509Certificate[] blockCerts = block.getCertificates(); "Failed to verify signature: no verified SignerInfos"); Certificate[] signerCertChain = null; } if (blockCerts != null) { // Ignore any SignerInfo other than the first one, to be compatible with older Android signerCertChain = new Certificate[blockCerts.length]; // platforms which have been doing this for years. See for (int i = 0; i < blockCerts.length; ++i) { // libcore/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java signerCertChain[i] = blockCerts[i]; // verifySignature method of older platforms. } SignerInfo verifiedSignerInfo = verifiedSignerInfos[0]; } List<X509Certificate> verifiedSignerCertChain = return signerCertChain; verifiedSignerInfo.getCertificateChain(block); if (verifiedSignerCertChain == null) { // Should never happen throw new GeneralSecurityException( "Failed to find verified SignerInfo certificate chain"); } else if (verifiedSignerCertChain.isEmpty()) { // Should never happen throw new GeneralSecurityException( "Verified SignerInfo certificate chain is emtpy"); } return verifiedSignerCertChain.toArray( new X509Certificate[verifiedSignerCertChain.size()]); } catch (IOException e) { } catch (IOException e) { throw new GeneralSecurityException("IO exception verifying jar cert", e); throw new GeneralSecurityException("IO exception verifying jar cert", e); } finally { } finally { Loading Loading
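Review bot: `verifiedSignerInfos[0]` is the first element of whatever `block.verify(sfBytes)` returned, which is not necessarily the first SignerInfo in the PKCS7 block that the comment above it refers to. If `verify` returns only the SignerInfos that passed verification, a block whose leading SignerInfo fails would yield a later signer's chain here instead of being rejected, which may differ from the older-platform behaviour the comment cites. I would state the actual selection rule in the comment, e.g. `// Use the first SignerInfo that verified; any others are ignored.`, or confirm that the selected entry is the block's first SignerInfo before returning its chain. The message `"Verified SignerInfo certificate chain is emtpy"` has a typo and should read `"Verified SignerInfo certificate chain is empty"`. The enclosing method starts and ends outside this hunk, so how callers use the returned array is not visible here.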
core/java/android/util/jar/StrictJarVerifier.java +23 −10 Original line number Original line Diff line number Diff line Loading @@ -30,6 +30,7 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.HashMap; import java.util.Hashtable; import java.util.Hashtable; import java.util.Iterator; import java.util.Iterator; import java.util.List; import java.util.Locale; import java.util.Locale; import java.util.Map; import java.util.Map; import java.util.Set; import java.util.Set; Loading @@ -41,6 +42,7 @@ import android.util.apk.ApkSignatureSchemeV2Verifier; import libcore.io.Base64; import libcore.io.Base64; import sun.security.jca.Providers; import sun.security.jca.Providers; import sun.security.pkcs.PKCS7; import sun.security.pkcs.PKCS7; import sun.security.pkcs.SignerInfo; /** /** * Non-public class used by {@link JarFile} and {@link JarInputStream} to manage * Non-public class used by {@link JarFile} and {@link JarInputStream} to manage Loading Loading 
@@ -308,18 +310,29 @@ class StrictJarVerifier { obj = Providers.startJarVerification(); obj = Providers.startJarVerification(); PKCS7 block = new PKCS7(blockBytes); PKCS7 block = new PKCS7(blockBytes); if (block.verify(sfBytes) == null) { SignerInfo[] verifiedSignerInfos = block.verify(sfBytes); throw new GeneralSecurityException("Failed to verify signature"); if ((verifiedSignerInfos == null) || (verifiedSignerInfos.length == 0)) { } throw new GeneralSecurityException( X509Certificate[] blockCerts = block.getCertificates(); "Failed to verify signature: no verified SignerInfos"); Certificate[] signerCertChain = null; } if (blockCerts != null) { // Ignore any SignerInfo other than the first one, to be compatible with older Android signerCertChain = new Certificate[blockCerts.length]; // platforms which have been doing this for years. See for (int i = 0; i < blockCerts.length; ++i) { // libcore/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java signerCertChain[i] = blockCerts[i]; // verifySignature method of older platforms. } SignerInfo verifiedSignerInfo = verifiedSignerInfos[0]; } List<X509Certificate> verifiedSignerCertChain = return signerCertChain; verifiedSignerInfo.getCertificateChain(block); if (verifiedSignerCertChain == null) { // Should never happen throw new GeneralSecurityException( "Failed to find verified SignerInfo certificate chain"); } else if (verifiedSignerCertChain.isEmpty()) { // Should never happen throw new GeneralSecurityException( "Verified SignerInfo certificate chain is emtpy"); } return verifiedSignerCertChain.toArray( new X509Certificate[verifiedSignerCertChain.size()]); } catch (IOException e) { } catch (IOException e) { throw new GeneralSecurityException("IO exception verifying jar cert", e); throw new GeneralSecurityException("IO exception verifying jar cert", e); } finally { } finally { Loading