signing time, jarsigner -directsign, and digest algorithm check

openjdk · Oct 14, 2020 · 734fd03 · 734fd03
1 parent ffaae53
commit 734fd03
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 11 deletions.
diff --git a/src/java.base/share/classes/sun/security/pkcs/PKCS7.java b/src/java.base/share/classes/sun/security/pkcs/PKCS7.java
@@ -820,6 +820,8 @@ public static byte[] generateNewSignedData(
             authAttrs = new PKCS9Attributes(new PKCS9Attribute[]{
                     new PKCS9Attribute(PKCS9Attribute.CONTENT_TYPE_OID,
                             ContentInfo.DATA_OID),
+                    new PKCS9Attribute(PKCS9Attribute.SIGNING_TIME_OID,
+                            new Date()),
                     new PKCS9Attribute(PKCS9Attribute.CMS_ALGORITHM_PROTECTION_OID,
                             derAp.toByteArray()),
                     new PKCS9Attribute(PKCS9Attribute.MESSAGE_DIGEST_OID,

diff --git a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
@@ -34,6 +34,7 @@
 import java.security.cert.CertPath;
 import java.security.cert.X509Certificate;
 import java.security.*;
+import java.security.spec.PSSParameterSpec;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -417,7 +418,8 @@ SignerInfo verify(PKCS7 block, byte[] data)
             // to form signing algorithm. See makeSigAlg for details.
             String algname = makeSigAlg(
                     digestAlgorithmId,
-                    digestEncryptionAlgorithmId);
+                    digestEncryptionAlgorithmId,
+                    authenticatedAttributes == null);
 
             // check that jar signature algorithm is not restricted
             try {
@@ -502,19 +504,46 @@ SignerInfo verify(PKCS7 block, byte[] data)
     /**
      * Derives the signature algorithm name from the digest algorithm
      * name and the encryption algorithm name inside a PKCS7 SignerInfo.
-     * This is useful for old style PKCS7 files where we use RSA, DSA, EC
-     * as SingerInfo.digestEncryptionAlgorithmId. Now we use the
-     * signature algorithms directly.
+     *
+     * For old style PKCS7 files where we use RSA, DSA, EC asencAlgId
+     * a DIGESTwithENC algorithm is returned. For new style RSASSA-PSS
+     * and EdDSA encryption, this method ensures digAlgId is compatible
+     * with the algorithm.
+     *
+     * @param digAlgId the digest algorithm
+     * @param encAlgId the encryption or signature algorithm
+     * @param directSign whether the signature is calculated on the content
+     *                   directly. This makes difference for Ed448.
      */
-    public static String makeSigAlg(AlgorithmId digAlgId, AlgorithmId encAlgId) {
+    public static String makeSigAlg(AlgorithmId digAlgId, AlgorithmId encAlgId,
+            boolean directSign) throws NoSuchAlgorithmException {
         String encAlg = encAlgId.getName();
         if (encAlg.contains("with")) {
             return encAlg;
         }
         switch (encAlg) {
             case "RSASSA-PSS":
+                PSSParameterSpec spec = (PSSParameterSpec)
+                        SignatureUtil.getParamSpec(encAlg, encAlgId.getParameters());
+                if (!AlgorithmId.get(spec.getDigestAlgorithm()).equals(digAlgId)) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                }
+                return encAlg;
             case "Ed25519":
+                if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.sha512)) {
+                    throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                }
+                return encAlg;
             case "Ed448":
+                if (directSign) {
+                    if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256)) {
+                        throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                    }
+                } else {
+                    if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256$512)) {
+                        throw new NoSuchAlgorithmException("Incompatible digest algorithm");
+                    }
+                }
                 return encAlg;
             default:
                 String digAlg = digAlgId.getName().replace("-", "");

diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
@@ -194,10 +194,10 @@ public static void initSignWithParam(Signature s, PrivateKey key,
         SharedSecrets.getJavaSecuritySignatureAccess().initSign(s, key, params, sr);
     }
 
-    private static class EdDSADigestAlgHolder {
-        final static AlgorithmId sha512;
-        final static AlgorithmId shake256;
-        final static AlgorithmId shake256$512;
+    public static class EdDSADigestAlgHolder {
+        public final static AlgorithmId sha512;
+        public final static AlgorithmId shake256;
+        public final static AlgorithmId shake256$512;
 
         static {
             try {

diff --git a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
@@ -163,6 +163,7 @@ public static void main(String args[]) throws Exception {
     boolean debug = false; // debug
     boolean signManifest = true; // "sign" the whole manifest
     boolean externalSF = true; // leave the .SF out of the PKCS7 block
+    boolean directSign = false; // sign SF directly or thru signedAttrs
     boolean strict = false;  // treat warnings as error
     boolean revocationCheck = false; // Revocation check flag
 
@@ -472,6 +473,8 @@ String[] parseArgs(String args[]) throws Exception {
                 signManifest = false;
             } else if (collator.compare(flags, "-internalsf") ==0) {
                 externalSF = false;
+            } else if (collator.compare(flags, "-directsign") ==0) {
+                directSign = true;
             } else if (collator.compare(flags, "-verify") ==0) {
                 verify = true;
             } else if (collator.compare(flags, "-verbose") ==0) {
@@ -660,6 +663,9 @@ static void fullusage() {
         System.out.println(rb.getString
                 (".internalsf.include.the.SF.file.inside.the.signature.block"));
         System.out.println();
+        System.out.println(rb.getString
+                (".directsign.sign.the.SF.file.directly.no.signed.attributes"));
+        System.out.println();
         System.out.println(rb.getString
                 (".sectionsonly.don.t.compute.hash.of.entire.manifest"));
         System.out.println();
@@ -957,7 +963,8 @@ void verifyJar(String jarName)
                             String digestAlg = digestMap.get(s);
                             String sigAlg = SignerInfo.makeSigAlg(
                                     si.getDigestAlgorithmId(),
-                                    si.getDigestEncryptionAlgorithmId());
+                                    si.getDigestEncryptionAlgorithmId(),
+                                    si.getAuthenticatedAttributes() == null);
                             PublicKey key = signer.getPublicKey();
                             PKCS7 tsToken = si.getTsToken();
                             if (tsToken != null) {
@@ -970,7 +977,8 @@ void verifyJar(String jarName)
                                 String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName();
                                 String tsSigAlg = SignerInfo.makeSigAlg(
                                         tsSi.getDigestAlgorithmId(),
-                                        tsSi.getDigestEncryptionAlgorithmId());
+                                        tsSi.getDigestEncryptionAlgorithmId(),
+                                        tsSi.getAuthenticatedAttributes() == null);
                                 Calendar c = Calendar.getInstance(
                                         TimeZone.getTimeZone("UTC"),
                                         Locale.getDefault(Locale.Category.FORMAT));
@@ -1765,6 +1773,7 @@ void signJar(String jarName, String alias)
 
         builder.setProperty("sectionsOnly", Boolean.toString(!signManifest));
         builder.setProperty("internalSF", Boolean.toString(!externalSF));
+        builder.setProperty("directsign", Boolean.toString(directSign));
 
         FileOutputStream fos = null;
         try {

diff --git a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
@@ -101,6 +101,8 @@ public class Resources extends java.util.ListResourceBundle {
                 "                            (This option is deprecated and will be removed in a future release.)"},
         {".internalsf.include.the.SF.file.inside.the.signature.block",
                 "[-internalsf]               include the .SF file inside the signature block"},
+        {".directsign.sign.the.SF.file.directly.no.signed.attributes",
+                "[-directsign]               sign the .SF file directly (no signed attributes)"},
         {".sectionsonly.don.t.compute.hash.of.entire.manifest",
                 "[-sectionsonly]             don't compute hash of entire manifest"},
         {".protected.keystore.has.protected.authentication.path",