Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / b2331e9c34c5c687a5438762b9ebf4b30c8167de / . / core / java / android / util / jar / StrictJarVerifier.java
blob: debc170fa5372123989146c96ee9d4ccbd7c5e9a [file] [log] [blame]
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]1/*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18package android.util.jar;
19
Tobias Thierer9f00d712016-12-01 23:04:36 +0000[diff] [blame]20import android.util.apk.ApkSignatureSchemeV2Verifier;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]21import java.io.IOException;
22import java.io.OutputStream;
23import java.nio.charset.StandardCharsets;
24import java.security.GeneralSecurityException;
25import java.security.MessageDigest;
26import java.security.NoSuchAlgorithmException;
27import java.security.cert.Certificate;
28import java.security.cert.X509Certificate;
29import java.util.ArrayList;
30import java.util.HashMap;
31import java.util.Hashtable;
32import java.util.Iterator;
Alex Klyubin29045202016-05-31 16:04:49 -0700[diff] [blame]33import java.util.List;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]34import java.util.Locale;
35import java.util.Map;
Alex Klyubine4157182016-01-05 13:27:05 -0800[diff] [blame]36import java.util.StringTokenizer;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]37import java.util.jar.Attributes;
38import java.util.jar.JarFile;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]39import sun.security.jca.Providers;
40import sun.security.pkcs.PKCS7;
Alex Klyubin29045202016-05-31 16:04:49 -0700[diff] [blame]41import sun.security.pkcs.SignerInfo;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]42
43/**
44 * Non-public class used by {@link JarFile} and {@link JarInputStream} to manage
45 * the verification of signed JARs. {@code JarFile} and {@code JarInputStream}
46 * objects are expected to have a {@code JarVerifier} instance member which
47 * can be used to carry out the tasks associated with verifying a signed JAR.
48 * These tasks would typically include:
49 * <ul>
50 * <li>verification of all signed signature files
51 * <li>confirmation that all signed data was signed only by the party or parties
52 * specified in the signature block data
53 * <li>verification that the contents of all signature files (i.e. {@code .SF}
54 * files) agree with the JAR entries information found in the JAR manifest.
55 * </ul>
56 */
57class StrictJarVerifier {
58 /**
59 * List of accepted digest algorithms. This list is in order from most
60 * preferred to least preferred.
61 */
62 private static final String[] DIGEST_ALGORITHMS = new String[] {
63 "SHA-512",
64 "SHA-384",
65 "SHA-256",
66 "SHA1",
67 };
68
69 private final String jarName;
70 private final StrictJarManifest manifest;
71 private final HashMap<String, byte[]> metaEntries;
72 private final int mainAttributesEnd;
Alex Klyubin9b59bc42016-03-24 12:02:20 -0700[diff] [blame]73 private final boolean signatureSchemeRollbackProtectionsEnforced;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]74
75 private final Hashtable<String, HashMap<String, Attributes>> signatures =
76 new Hashtable<String, HashMap<String, Attributes>>(5);
77
78 private final Hashtable<String, Certificate[]> certificates =
79 new Hashtable<String, Certificate[]>(5);
80
81 private final Hashtable<String, Certificate[][]> verifiedEntries =
82 new Hashtable<String, Certificate[][]>();
83
84 /**
85 * Stores and a hash and a message digest and verifies that massage digest
86 * matches the hash.
87 */
88 static class VerifierEntry extends OutputStream {
89
90 private final String name;
91
92 private final MessageDigest digest;
93
94 private final byte[] hash;
95
96 private final Certificate[][] certChains;
97
98 private final Hashtable<String, Certificate[][]> verifiedEntries;
99
100 VerifierEntry(String name, MessageDigest digest, byte[] hash,
101 Certificate[][] certChains, Hashtable<String, Certificate[][]> verifedEntries) {
102 this.name = name;
103 this.digest = digest;
104 this.hash = hash;
105 this.certChains = certChains;
106 this.verifiedEntries = verifedEntries;
107 }
108
109 /**
110 * Updates a digest with one byte.
111 */
112 @Override
113 public void write(int value) {
114 digest.update((byte) value);
115 }
116
117 /**
118 * Updates a digest with byte array.
119 */
120 @Override
121 public void write(byte[] buf, int off, int nbytes) {
122 digest.update(buf, off, nbytes);
123 }
124
125 /**
126 * Verifies that the digests stored in the manifest match the decrypted
127 * digests from the .SF file. This indicates the validity of the
128 * signing, not the integrity of the file, as its digest must be
129 * calculated and verified when its contents are read.
130 *
131 * @throws SecurityException
132 * if the digest value stored in the manifest does <i>not</i>
133 * agree with the decrypted digest as recovered from the
134 * <code>.SF</code> file.
135 */
136 void verify() {
137 byte[] d = digest.digest();
Tobias Thierer9f00d712016-12-01 23:04:36 +0000[diff] [blame]138 if (!verifyMessageDigest(d, hash)) {
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]139 throw invalidDigest(JarFile.MANIFEST_NAME, name, name);
140 }
141 verifiedEntries.put(name, certChains);
142 }
143 }
144
145 private static SecurityException invalidDigest(String signatureFile, String name,
146 String jarName) {
147 throw new SecurityException(signatureFile + " has invalid digest for " + name +
148 " in " + jarName);
149 }
150
151 private static SecurityException failedVerification(String jarName, String signatureFile) {
152 throw new SecurityException(jarName + " failed verification of " + signatureFile);
153 }
154
155 private static SecurityException failedVerification(String jarName, String signatureFile,
156 Throwable e) {
157 throw new SecurityException(jarName + " failed verification of " + signatureFile, e);
158 }
159
160
161 /**
162 * Constructs and returns a new instance of {@code JarVerifier}.
163 *
164 * @param name
165 * the name of the JAR file being verified.
Alex Klyubin9b59bc42016-03-24 12:02:20 -0700[diff] [blame]166 *
167 * @param signatureSchemeRollbackProtectionsEnforced {@code true} to enforce protections against
168 * stripping newer signature schemes (e.g., APK Signature Scheme v2) from the file, or
169 * {@code false} to ignore any such protections.
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]170 */
171 StrictJarVerifier(String name, StrictJarManifest manifest,
Alex Klyubin9b59bc42016-03-24 12:02:20 -0700[diff] [blame]172 HashMap<String, byte[]> metaEntries, boolean signatureSchemeRollbackProtectionsEnforced) {
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]173 jarName = name;
174 this.manifest = manifest;
175 this.metaEntries = metaEntries;
176 this.mainAttributesEnd = manifest.getMainAttributesEnd();
Alex Klyubin9b59bc42016-03-24 12:02:20 -0700[diff] [blame]177 this.signatureSchemeRollbackProtectionsEnforced =
178 signatureSchemeRollbackProtectionsEnforced;
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]179 }
180
181 /**
182 * Invoked for each new JAR entry read operation from the input
183 * stream. This method constructs and returns a new {@link VerifierEntry}
184 * which contains the certificates used to sign the entry and its hash value
185 * as specified in the JAR MANIFEST format.
186 *
187 * @param name
188 * the name of an entry in a JAR file which is <b>not</b> in the
189 * {@code META-INF} directory.
190 * @return a new instance of {@link VerifierEntry} which can be used by
191 * callers as an {@link OutputStream}.
192 */
193 VerifierEntry initEntry(String name) {
194 // If no manifest is present by the time an entry is found,
195 // verification cannot occur. If no signature files have
196 // been found, do not verify.
197 if (manifest == null || signatures.isEmpty()) {
198 return null;
199 }
200
201 Attributes attributes = manifest.getAttributes(name);
202 // entry has no digest
203 if (attributes == null) {
204 return null;
205 }
206
207 ArrayList<Certificate[]> certChains = new ArrayList<Certificate[]>();
208 Iterator<Map.Entry<String, HashMap<String, Attributes>>> it = signatures.entrySet().iterator();
209 while (it.hasNext()) {
210 Map.Entry<String, HashMap<String, Attributes>> entry = it.next();
211 HashMap<String, Attributes> hm = entry.getValue();
212 if (hm.get(name) != null) {
213 // Found an entry for entry name in .SF file
214 String signatureFile = entry.getKey();
215 Certificate[] certChain = certificates.get(signatureFile);
216 if (certChain != null) {
217 certChains.add(certChain);
218 }
219 }
220 }
221
222 // entry is not signed
223 if (certChains.isEmpty()) {
224 return null;
225 }
226 Certificate[][] certChainsArray = certChains.toArray(new Certificate[certChains.size()][]);
227
228 for (int i = 0; i < DIGEST_ALGORITHMS.length; i++) {
229 final String algorithm = DIGEST_ALGORITHMS[i];
230 final String hash = attributes.getValue(algorithm + "-Digest");
231 if (hash == null) {
232 continue;
233 }
234 byte[] hashBytes = hash.getBytes(StandardCharsets.ISO_8859_1);
235
236 try {
237 return new VerifierEntry(name, MessageDigest.getInstance(algorithm), hashBytes,
238 certChainsArray, verifiedEntries);
239 } catch (NoSuchAlgorithmException ignored) {
240 }
241 }
242 return null;
243 }
244
245 /**
246 * Add a new meta entry to the internal collection of data held on each JAR
247 * entry in the {@code META-INF} directory including the manifest
248 * file itself. Files associated with the signing of a JAR would also be
249 * added to this collection.
250 *
251 * @param name
252 * the name of the file located in the {@code META-INF}
253 * directory.
254 * @param buf
255 * the file bytes for the file called {@code name}.
256 * @see #removeMetaEntries()
257 */
258 void addMetaEntry(String name, byte[] buf) {
259 metaEntries.put(name.toUpperCase(Locale.US), buf);
260 }
261
262 /**
263 * If the associated JAR file is signed, check on the validity of all of the
264 * known signatures.
265 *
266 * @return {@code true} if the associated JAR is signed and an internal
267 * check verifies the validity of the signature(s). {@code false} if
268 * the associated JAR file has no entries at all in its {@code
269 * META-INF} directory. This situation is indicative of an invalid
270 * JAR file.
271 * <p>
272 * Will also return {@code true} if the JAR file is <i>not</i>
273 * signed.
274 * @throws SecurityException
275 * if the JAR file is signed and it is determined that a
276 * signature block file contains an invalid signature for the
277 * corresponding signature file.
278 */
279 synchronized boolean readCertificates() {
280 if (metaEntries.isEmpty()) {
281 return false;
282 }
283
284 Iterator<String> it = metaEntries.keySet().iterator();
285 while (it.hasNext()) {
286 String key = it.next();
287 if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
288 verifyCertificate(key);
289 it.remove();
290 }
291 }
292 return true;
293 }
294
295 /**
296 * Verifies that the signature computed from {@code sfBytes} matches
297 * that specified in {@code blockBytes} (which is a PKCS7 block). Returns
298 * certificates listed in the PKCS7 block. Throws a {@code GeneralSecurityException}
299 * if something goes wrong during verification.
300 */
301 static Certificate[] verifyBytes(byte[] blockBytes, byte[] sfBytes)
302 throws GeneralSecurityException {
303
304 Object obj = null;
305 try {
306
307 obj = Providers.startJarVerification();
308 PKCS7 block = new PKCS7(blockBytes);
Alex Klyubin29045202016-05-31 16:04:49 -0700[diff] [blame]309 SignerInfo[] verifiedSignerInfos = block.verify(sfBytes);
310 if ((verifiedSignerInfos == null) || (verifiedSignerInfos.length == 0)) {
311 throw new GeneralSecurityException(
312 "Failed to verify signature: no verified SignerInfos");
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]313 }
Alex Klyubin29045202016-05-31 16:04:49 -0700[diff] [blame]314 // Ignore any SignerInfo other than the first one, to be compatible with older Android
315 // platforms which have been doing this for years. See
316 // libcore/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
317 // verifySignature method of older platforms.
318 SignerInfo verifiedSignerInfo = verifiedSignerInfos[0];
319 List<X509Certificate> verifiedSignerCertChain =
320 verifiedSignerInfo.getCertificateChain(block);
321 if (verifiedSignerCertChain == null) {
322 // Should never happen
323 throw new GeneralSecurityException(
324 "Failed to find verified SignerInfo certificate chain");
325 } else if (verifiedSignerCertChain.isEmpty()) {
326 // Should never happen
327 throw new GeneralSecurityException(
328 "Verified SignerInfo certificate chain is emtpy");
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]329 }
Alex Klyubin29045202016-05-31 16:04:49 -0700[diff] [blame]330 return verifiedSignerCertChain.toArray(
331 new X509Certificate[verifiedSignerCertChain.size()]);
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]332 } catch (IOException e) {
333 throw new GeneralSecurityException("IO exception verifying jar cert", e);
334 } finally {
335 Providers.stopJarVerification(obj);
336 }
337 }
338
339 /**
340 * @param certFile
341 */
342 private void verifyCertificate(String certFile) {
343 // Found Digital Sig, .SF should already have been read
344 String signatureFile = certFile.substring(0, certFile.lastIndexOf('.')) + ".SF";
345 byte[] sfBytes = metaEntries.get(signatureFile);
346 if (sfBytes == null) {
347 return;
348 }
349
350 byte[] manifestBytes = metaEntries.get(JarFile.MANIFEST_NAME);
351 // Manifest entry is required for any verifications.
352 if (manifestBytes == null) {
353 return;
354 }
355
356 byte[] sBlockBytes = metaEntries.get(certFile);
357 try {
358 Certificate[] signerCertChain = verifyBytes(sBlockBytes, sfBytes);
359 if (signerCertChain != null) {
360 certificates.put(signatureFile, signerCertChain);
361 }
362 } catch (GeneralSecurityException e) {
363 throw failedVerification(jarName, signatureFile, e);
364 }
365
366 // Verify manifest hash in .sf file
367 Attributes attributes = new Attributes();
368 HashMap<String, Attributes> entries = new HashMap<String, Attributes>();
369 try {
370 StrictJarManifestReader im = new StrictJarManifestReader(sfBytes, attributes);
371 im.readEntries(entries, null);
372 } catch (IOException e) {
373 return;
374 }
375
Alex Klyubin9b59bc42016-03-24 12:02:20 -0700[diff] [blame]376 // If requested, check whether APK Signature Scheme v2 signature was stripped.
377 if (signatureSchemeRollbackProtectionsEnforced) {
378 String apkSignatureSchemeIdList =
379 attributes.getValue(
380 ApkSignatureSchemeV2Verifier.SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME);
381 if (apkSignatureSchemeIdList != null) {
382 // This field contains a comma-separated list of APK signature scheme IDs which
383 // were used to sign this APK. If an ID is known to us, it means signatures of that
384 // scheme were stripped from the APK because otherwise we wouldn't have fallen back
385 // to verifying the APK using the JAR signature scheme.
386 boolean v2SignatureGenerated = false;
387 StringTokenizer tokenizer = new StringTokenizer(apkSignatureSchemeIdList, ",");
388 while (tokenizer.hasMoreTokens()) {
389 String idText = tokenizer.nextToken().trim();
390 if (idText.isEmpty()) {
391 continue;
392 }
393 int id;
394 try {
395 id = Integer.parseInt(idText);
396 } catch (Exception ignored) {
397 continue;
398 }
399 if (id == ApkSignatureSchemeV2Verifier.SF_ATTRIBUTE_ANDROID_APK_SIGNED_ID) {
400 // This APK was supposed to be signed with APK Signature Scheme v2 but no
401 // such signature was found.
402 v2SignatureGenerated = true;
403 break;
404 }
Alex Klyubine4157182016-01-05 13:27:05 -0800[diff] [blame]405 }
Alex Klyubine4157182016-01-05 13:27:05 -0800[diff] [blame]406
Alex Klyubin9b59bc42016-03-24 12:02:20 -0700[diff] [blame]407 if (v2SignatureGenerated) {
408 throw new SecurityException(signatureFile + " indicates " + jarName
409 + " is signed using APK Signature Scheme v2, but no such signature was"
410 + " found. Signature stripped?");
411 }
Alex Klyubine4157182016-01-05 13:27:05 -0800[diff] [blame]412 }
413 }
414
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]415 // Do we actually have any signatures to look at?
416 if (attributes.get(Attributes.Name.SIGNATURE_VERSION) == null) {
417 return;
418 }
419
420 boolean createdBySigntool = false;
421 String createdBy = attributes.getValue("Created-By");
422 if (createdBy != null) {
423 createdBySigntool = createdBy.indexOf("signtool") != -1;
424 }
425
426 // Use .SF to verify the mainAttributes of the manifest
427 // If there is no -Digest-Manifest-Main-Attributes entry in .SF
428 // file, such as those created before java 1.5, then we ignore
429 // such verification.
430 if (mainAttributesEnd > 0 && !createdBySigntool) {
431 String digestAttribute = "-Digest-Manifest-Main-Attributes";
432 if (!verify(attributes, digestAttribute, manifestBytes, 0, mainAttributesEnd, false, true)) {
433 throw failedVerification(jarName, signatureFile);
434 }
435 }
436
437 // Use .SF to verify the whole manifest.
438 String digestAttribute = createdBySigntool ? "-Digest" : "-Digest-Manifest";
439 if (!verify(attributes, digestAttribute, manifestBytes, 0, manifestBytes.length, false, false)) {
440 Iterator<Map.Entry<String, Attributes>> it = entries.entrySet().iterator();
441 while (it.hasNext()) {
442 Map.Entry<String, Attributes> entry = it.next();
443 StrictJarManifest.Chunk chunk = manifest.getChunk(entry.getKey());
444 if (chunk == null) {
445 return;
446 }
447 if (!verify(entry.getValue(), "-Digest", manifestBytes,
448 chunk.start, chunk.end, createdBySigntool, false)) {
449 throw invalidDigest(signatureFile, entry.getKey(), jarName);
450 }
451 }
452 }
453 metaEntries.put(signatureFile, null);
454 signatures.put(signatureFile, entries);
455 }
456
457 /**
458 * Returns a <code>boolean</code> indication of whether or not the
459 * associated jar file is signed.
460 *
461 * @return {@code true} if the JAR is signed, {@code false}
462 * otherwise.
463 */
464 boolean isSignedJar() {
465 return certificates.size() > 0;
466 }
467
468 private boolean verify(Attributes attributes, String entry, byte[] data,
469 int start, int end, boolean ignoreSecondEndline, boolean ignorable) {
470 for (int i = 0; i < DIGEST_ALGORITHMS.length; i++) {
471 String algorithm = DIGEST_ALGORITHMS[i];
472 String hash = attributes.getValue(algorithm + entry);
473 if (hash == null) {
474 continue;
475 }
476
477 MessageDigest md;
478 try {
479 md = MessageDigest.getInstance(algorithm);
480 } catch (NoSuchAlgorithmException e) {
481 continue;
482 }
483 if (ignoreSecondEndline && data[end - 1] == '\n' && data[end - 2] == '\n') {
484 md.update(data, start, end - 1 - start);
485 } else {
486 md.update(data, start, end - start);
487 }
488 byte[] b = md.digest();
Tobias Thierer9f00d712016-12-01 23:04:36 +0000[diff] [blame]489 byte[] encodedHashBytes = hash.getBytes(StandardCharsets.ISO_8859_1);
490 return verifyMessageDigest(b, encodedHashBytes);
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]491 }
492 return ignorable;
493 }
494
Tobias Thierer9f00d712016-12-01 23:04:36 +0000[diff] [blame]495 private static boolean verifyMessageDigest(byte[] expected, byte[] encodedActual) {
496 byte[] actual;
497 try {
498 actual = java.util.Base64.getDecoder().decode(encodedActual);
499 } catch (IllegalArgumentException e) {
500 return false;
501 }
502 return MessageDigest.isEqual(expected, actual);
503 }
504
Przemyslaw Szczepaniak8a7c1602015-11-03 09:47:56 +0000[diff] [blame]505 /**
506 * Returns all of the {@link java.security.cert.Certificate} chains that
507 * were used to verify the signature on the JAR entry called
508 * {@code name}. Callers must not modify the returned arrays.
509 *
510 * @param name
511 * the name of a JAR entry.
512 * @return an array of {@link java.security.cert.Certificate} chains.
513 */
514 Certificate[][] getCertificateChains(String name) {
515 return verifiedEntries.get(name);
516 }
517
518 /**
519 * Remove all entries from the internal collection of data held about each
520 * JAR entry in the {@code META-INF} directory.
521 */
522 void removeMetaEntries() {
523 metaEntries.clear();
524 }
525}