From 750c6910d8e536576b716351f7c0868fcd493493 Mon Sep 17 00:00:00 2001
From: Konstantin Shemyak
Date: Sat, 1 Apr 2017 18:03:39 +0300
Subject: [PATCH] Added tests for execution paths in verify().
- some "x-Digest-Manifest" entries in .SF file have mismatching checksum, but there exist one with matching
- "x-Digest-Manifest" does not have a valid checksum; but "x-Digest-Manifest-Main-Attributes" does, and all file-specific entries do.
---
 tests/data/several-manifest-attributes.jar | Bin 0 -> 3784 bytes
 tests/data/tampered-entry.jar | Bin 0 -> 1954 bytes
 tests/data/wrong-digest-manifest.jar | Bin 0 -> 3742 bytes
 tests/jarutil.py | 22 ++++++++++++++++++++-
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/several-manifest-attributes.jar
 create mode 100644 tests/data/tampered-entry.jar
 create mode 100644 tests/data/wrong-digest-manifest.jar
diff --git a/tests/data/several-manifest-attributes.jar b/tests/data/several-manifest-attributes.jar new file mode 100644 index 0000000000000000000000000000000000000000..afa07ccc8d69da1b2ebf10bad4214b08dd54e880 GIT binary patch literal 3784 zcmcJRcT`jP630W8sz_0KebN(1C@z9aN9i3wq+}rpfzazpkuE4jkSbCI1l%A^5Jf^S zA&4k0D7^>@ODA;k-N4(GU3LF^_nf)8Il1R^CNuN<&euqnf|3qIx-!T`H4h*DccTSy zgY-4cRKeN?T2kg_v>=LH2&36^AbbPpL1dIfG7yN86?oYQK(KN}^NRv*vqM?2-qNT!GbzQ!AG^Q0dgu)39opy^Bbc^3UUAWEcm9c!d*UDcqJB zb)RbTS_-17qRvroRruB1uyD7L-%NC2sNZG8&1DIsXZIopPC24(!l&{?mIWaXym?Pj zMhN_xZc;22B=DfeIJJx#7PHBoochGOg?ppCBnx}OM3#EA_G4XuVxd9)+MwF$-x6Xt zuZr1O?fKJ@-*@gjEonn+9eR!4qz<;@rouP5t}VHW*2I7?U=JBpBRnqHYsW8RHv*JEDdWRoKtMNg`ysvV=Ah z1Rg)UVQa4xS1LA2I1N^ghRpNYD>d)OOTLbvpFWZ5P}m(pkO?od90<((O#ZcraG;5{ z=Y{xzj)KZ5jyF-}SQF)c(8MG=cV=Uz_CCbfGigz;)m&V#RZj#ZJA`*dcMFKI^AyFg ziS(m)us#A6av_rY!&)rCn5mnvocht%X@2MH{b$D%WN?{#TjPD>pqz=Mc%?FhArHj6 z8V}{$U@l?ap$(TRrIaGKe0Z~|^w#I0E0)fD+kBrF!}y4G<9?^YZTIyA6jwx6C4zI& zQO4{zBkB40i)FSaw z#CF05=0Ydb#!g>eMfqN>1$orvQQle*e8IV#I&!_!C}%fe0Chb`AA1=+97$%F#~j~d zBa2>^h}-eFJ!uuqlG_-m{P0>M{w(`L(f#n95V7Dm0^hD_yy$#E0$xacg!zT_215z6 z1v=wiOZ)q{<~P~2{&xwzES6{aQKk6HG8Zl}UFpbZs!0y%89QHSAf~LEM%$K!vO-9? 
z)C~4n-AcD)^)45Y1TP78U01%7wIu)WS$OyEY-*%=&QpwssR%)3(ei04+?8PKpe~_c z<%_7w{7-(1O>e-mGHHzHNRtB^hM&_k-8V*&o=HIuXaOSNPz)eG0X~OH5Hd;oJtctB zeZ@Ftp3}VZI7shLj0J!}qA>_JxGMte?}T=60;9db7fM7kYllrO#+FF{XW)OX?!+$v4#Arr}Bgy;-94AWB&G(hQ zd$w@W&7p=!R?a7402$wFk8yz1N86}76$3RZvBQQhBje(Omr95EgYaKBpI z9{}b0&EW2>$m_;X-wzVwN?%w}Ut-?9ojhm`l3Nme@yRuiE>jtcX~pp&i2|dY>{Oy) zhfc+xHI#yqSbkoyvn^>zb;{f8!VzQP*dlvl(MSAGokNgrbqQm_+exT>;XTX6 zWz|~0ScXAZOX8}rjzq~g;?A3(vJ0qD219M!9Y%NVE!rblB9%QjK1|2i>fj(1D7h0b z4a~>OZf;<1s;L1nJt}&6!?5YMnmdvs2xBh)tme-2v1>(@{FkJ%~PV0Fg8GiI!$95PJ%Znbs3RUBKS7hBJsFm`HRw{1~GfeE|aS^cb6r{eZPP3NU~ zB}LPje2u#;lJXfhvQ*wHj!^WNMRS%C<25#K)0TBP_u#D3$ z?>ah4-_G`LW~V1*qg7dYyds3t+V$e%q8q43F!yO)dE-h6l6rCcC-pd{!-bJl5yD80 z2;t)2sR(*;dV2R680*{=XL>N#9Gd8_bamnJ_OG4}+!+qN8?TTOrJo@tJ7hGX!rC@D zF}dC&CEoqY*FX~A*G2l0OuUD5cW%bJN}$ zA%=`U7J?~6D^r{?IPLf_d^^N{-#UXWjC^ zmucw!uEgA8EIIDXO>hdcTL^8W)RCyZ%pN0Wf2E1SgrCsj+(hWw<^%UbDS|JQ7CQ3wY92W(d^hq}8dBXJ{SEl`_$#i;vyt#~3_j12P{~&J1Zr>lxqF za`9b%(f|buNKi;oc3>6nduZ%slHI`G=%~`+t>3@^4xEgfm*Ph@o*h_Qq>Bl(s7m@g zX6mVqO#RU@I%eoexF1>iKXD*XVVF9A`-i~?kR*fuFUW5V=5ZtqaQu&uf7wj{NwS;Y zMgGWa93g>S0jdcz1k~hj)&l^NtjE6qzqK7-frVjd0Pz21LV(;zCgi)h{m6hE&rOu- zScm^+M*#A7tjN*q9Ff1>v0ur+X{J6#KDKcIE@|T)W&D@LInMo7+K;%TX{-qgrTLb7 cDD(iBB=p~asenXCmVgGd2n7i*XJx(Dnea2y&qL zI{JCKxdw;m`9gwCtV%3oB{1mFg6*^KnbSVrx_TFRy>+$DojJcb$l!|cgQrD$UcNe> zz86bZv2f0KEqP?Nlvc(MaaFbFOSCMWi;F%HSDnT%HTzT1$D*IA&z41Ls(dP9t+tSQ zwJT*A^V!WoC(dYlpE>En*!@as=B$INK4)TMn7KFU*vx4X-ul(qrugty-@S8!y_tiX zHx>K-t>NBtXz`t1<0kLBPPvM^e0h5fdY?XJVnFy5l)@Y~EnfPAiGg7k3j>2NvQI-H z$s;J(5uVntqz~haq?^Z%t-Si|;lvROAD=lqyxa4vpPbH#Nj|_Ge&WQbQwbM#T$ymY zVREnKlvdvvnkF{_?l_1XdHCSr=hOOHCoh!x>6|)$@{G5Mh`|G9&kdh9u&X{>lC~^e z!b_^7*=0us3zwF+(WlQPn}tpbd4Kv`+{N33{(5C2%QkyvF+ahS3l$=>6-`So z-d;PmtEbaX=e3w*-JjspZ3pf>UF!c~Ui_=V?eDMre{A^Ym-h3wolN`1+C#mW{PU`$ zbC+iAo6|XSVq;-pL*x8LoeS-oYIKrxl%maKgabAk7MQM@p($XzGkMvm7SY!Y`&hiR zH+x8Qm?nfDU=C6^b13V;nG-+cbuSt+*IKPyk|K9{UT))6L9_e)WqFoM%N7*BU1%Fx 
zce-fxbC+we??h&QI`#kNa$BY6`OD_osF^>_4J*$5dTie6YVP;t{HM%kTYsy6DsO*;RLE#mC>clKraXdYk^~tPry|MxiG;ji*nk zSett~DYZCl-K4{8)rZxNNi?e+<46cI%D7__BE(!6F&szW9t6+Ab?a~u> zV^6<)cU6D;(rIVI2DPC)W-mG5^d55Hra)UDwq?lf^qtVMVij$iYSX6*8BQO&s zg0swL_6HG491kMU%7&1{+=A4i)D*4&Z$>6LW?Y561kfxH5MX%g2%?dSepX1)k7h2! zI9vrk#5iCbz|hd>jA9(38UUILss`|wi&-`z%w5u00W==&Oq7xmXfmjz#A7mMSp*9J z28Jb#Nx%{cZZdMogfA#?#SgNRm$Nc}Vhd;tD7G-%$I1o@dR8D@2=v=)pkf9F0IIsm AFaQ7m literal 0 HcmV?d00001 
diff --git a/tests/data/wrong-digest-manifest.jar b/tests/data/wrong-digest-manifest.jar new file mode 100644 index 0000000000000000000000000000000000000000..f3803a23108b56366cfd35ea7655037c7db83455 GIT binary patch literal 3742 zcmcJRc|4T+7stmo*%L!!4<#})%vefvEk$MQV{O62U@|k7v0dA>XRXMVon(z%L|PEC z%uI_S%3hYzrNR)2-!r-Q=H7Jw`#rDMdFGkdJg@ib%=eu0IUiFr3o9pxab+;e>3w_n z^Tq)Z0~zUA=)g}J>nmDXaDZ6y5Ih!lf$;I?0x_}DnLr>`2=KBgfPjFQLF}N@0OI!p zPYgnUpS+ntARYjL!4f?PI3&W6fF+Z^VGsZ!_(u%U3~kb?&9^Re$^b2>r)|~)RkRUE zw9^x~=C5nWN_S1W^B}VZ3R_3yNqrjI`SG~0OFH*C;YBnD5u! zb>m`;$SHYy+b@2c%-QEVcfrom+XkNDm%zdHVr-Na;`|&@u3jw#{K%)v{pNKKWEfsh z_N-so?k0eKrp`)Deqi%st?*S z??s4dmk~diTX=ML=&Pn{9M6&1^wpW-F`lHw0R?XNvr+MMmyFRx=@mJXh?>f;vPt`y zR#j;2<~RyvaM8{|Goeg=n6?Y96^)pYaL|0PmI!+m!S!ZGs$)@i2u(S>+@?41>R0CP zMZ^L{v^yxX2dF5hie+mNmA4d8?I%S{vUle<<9ql7w_7MJ>Y1*aTV>5HX;_Ess@!TJ zJ$8nrIQA0P@a0NxscO{_*xI1JKrrF;1ypY1@Ut}EgN=SuBkIb{SHCQeJ{bk&jwK~( zma7kV;9k~wXvM=tWhDj{-D)&bu9FI|4=_s0Uk9vh&P#rl{5l&ZNpBeS-5GATW+Yk8MN6{X(sVVxgGB^OH`CEl+FDj@7)KVb4JBK?$zRWy<~XnOmnW)#LD_) zslk0u3|)8sQlO;oSF_|-BP+dJ`ksdpWI2W2XO~s3H(K5;dqtOd99elQAfia-uCk`c za(I6M#Pjg_xGSG#FbuVWOHSRx)Wh_cPC-x-0em#v)h1Qm!2h|9u;31=ji-mG!aXC@ zfs`q;DR6IWC$@JwbWC?-*NIOqKBwwI9u4`daqp$?i+o5O3g|S=UA@@r5)fomc>+He z$z+nxpGZBcg8!h9u;LLvZW}F-*A%H$a;Ay08(Jc_7QPZ9ADlpwT*V~H%@kgw$Q&Kw zzkhm>yOiGwpOM-6@KwTt=Q$jHS7?s}Y-n}}N8flq(o8W=jPt%^Yx!r~( z((D|MDyZA~;A*b!EoeRa$p3>Dqm4KjodX)g?$g7pnYl2Y8Nmf;0nY!M7$Cg;y}v0z z$T-J#N`U12j&ZuWPw(>0Aj7{fRshBsPr#9|L>%1D74PT@$CKd%cajUv3-0ZTCBY9V z!5v+(URXzOoEI66B{{*J+;L<$$=w_7jQ57)N$~SnUo4!6CE=ZMWN$bDPs0735%*Ef z?J`1r%ZMR%?4ZmsmU^)MC)BmHmx@J$Pk1tT^k^DQt= ztc;t_QzQ3qZ7A!QMsv8vuY%R=nTsI2pj2p#DZT!oVA`c9gu?4)MZEcy;#neM!3iZ% zI1#SF%i%1Je`{_bTeIhLX$Kmq>vI~5OSUR~AK9g*(>L`|x90b1h@Z|d`bF*y>ZPI~ zvwnZ~Q^h_0NYNX{SK=ZA%#c2l3Zt4E5SNXZmwn^w4}w(Z@y$i z6?8Wwc8iMIwl&U{6L6Q6iy?1~W|9!)qw~CS2B;Ekf2=I6}7g1slyU!O$?9o2P-K zF+nAqactqT?&_jY9G>3py*wCtB~d*k$|yr#Wx#Yu8`3^LHoibrJkb5r#~4O=(oI9F zK$ONL4;PdF&vn zrdml!85PONEu5$F`1nN@eJk)(2e1UZQL1VvF_Y0d?=#+uuej{*U!|ok<=t|hGI1WS 
zZ&FPD&3N9^usojKHrXF@z%Q6^yEls0x?mt0SH_0+C7oOzqKAy$ltHOSYq1C!?{a$T z56O~J_30U`%!x~gHHN(x5)N6z;ObjOCa;@(%(b8KZ1~W-@dmlJsxUnp%iJtM#>>Nz`w3?WJX)V%2wLC+fPr1>tm=Y=YKD3F| zK%w>oG)C3Ix`oAj53Til3$5$3B)kX75`4I<$Vq~lOAPDVr8auWm!y8(H=jIPaKti% z>Qym)?8VtRNY*@M<7LSa>1p@k98KASlSC^rk=~J85yUj&bKTww49Lnh_{*^@PIUL!! zD!C0D*e2TnjgakNcd$aa4ryBO@AT5w?_MvJkGuXmHqW6$YDA!UJ>5XuQk7Kog14!x z6&|?yE|vd5@f=aKUMW>dMmwx1!N9yFj_5Vo-+ z&Edgh!DA`O-b{tkw*(*7&yZSrgrmlhZ57Q;^+s8X<8y?$bTXMa!0AK^TeQm=k4zNC zN+S+(TWE2S>Cj?KW9W|dx8usD;50rq9&}ivyvZqKmsb)`gIY-UF`Fo(#+%10dQ{AF z_rAn*zTx4xQ-42e`SY-9e~NsCso`?+Vhlfl!emebt;mtn&)&F$!l6a=)qBVn*eIM| z23@NTt=v$Boq1Jg=k%(s(J#4A|Fo!|mfma}bkKHvCQzi&`c&UO{mQ`T*X>T-{k7J2 zt4lcdy(k(StXye`$=X>XBl4-UcChoRL&3C~$#nY>;g{OX$`Aon#gE-d#u6msGIExu(akzfbUbE5D(hN{$=79PJ_z&QZX5u@rC@c*C{=cjRkQ>8VY@6H9 zY{k~xL&s`ycIUpE>{l literal 0 HcmV?d00001 diff --git a/tests/jarutil.py b/tests/jarutil.py index 9165f3fb..6f8e39cb 100644 --- a/tests/jarutil.py +++ b/tests/jarutil.py @@ -27,7 +27,8 @@ from javatools.jarutil import cli_create_jar, cli_sign_jar, \ cli_verify_jar_signature, verify, VerificationError, \ - JarSignatureMissingError, SignatureBlockFileVerificationError + JarSignatureMissingError, SignatureBlockFileVerificationError, \ + JarChecksumError class JarutilTest(TestCase): 
@@ -82,6 +83,25 @@ def test_tampered_signature_block(self):
 with self.assertRaises(SignatureBlockFileVerificationError):
 verify(cert, jar_data)
+ def test_tampered_jar_entry(self):
+ jar_data = get_data_fn("tampered-entry.jar")
+ cert = get_data_fn("javatools-cert.pem")
+ with self.assertRaises(JarChecksumError):
+ verify(cert, jar_data)
+
+ def test_several_mf_attributes(self):
+ # First "x-Digest-Manifest" checksum is invalid, second is OK.
+ # .SF is edited by hand, .RSA created with:
+ # openssl cms -sign -binary -noattr -in META-INF/UNUSED.SF -outform der -out META-INF/UNUSED.RSA -signer tests/data/javatools-cert.pem -inkey tests/data/javatools.pem -md sha256
+ self.cli_verify_wrap("several-manifest-attributes.jar",
+ "javatools-cert.pem")
+
+ def test_main_mf_section_fails(self):
+ # x-Digest-Manifest checksum is wrong,
+ # but "x-Digest-Manifest-Main-Attributes is OK
+ # .SF and .RSA created similarly as in test_several_mf_attributes()
+ self.cli_verify_wrap("wrong-digest-manifest.jar",
+ "javatools-cert.pem")
 def test_cli_sign_and_verify(self):
 src = get_data_fn("cli-sign-and-verify.jar")
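Review bot: `test_several_mf_attributes` and `test_main_mf_section_fails` cover only the accepting side of the two lenient paths in verify(): nothing in this hunk asserts that a jar is rejected when every `x-Digest-Manifest` value mismatches and the `x-Digest-Manifest-Main-Attributes` or a per-entry digest in the .SF is wrong as well. Because these paths decide whether a jar whose whole-manifest digest does not match is still treated as validly signed, each should be paired with a negative fixture checked the way `test_tampered_jar_entry` does it, `with self.assertRaises(...)` around `verify(cert, jar_data)` (the exact exception class depends on verify(), which is not visible here). The name `test_main_mf_section_fails` also reads as if verification were expected to fail, while its comment describes a jar that should verify; a name such as `test_wrong_digest_manifest_falls_back` and closing the quote in `# but "x-Digest-Manifest-Main-Attributes" is OK` would state the intent. `cli_verify_wrap` is defined outside the hunk, so what it asserts on success cannot be confirmed from these lines.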