platform/sensinact-security/mock-signature-validator/src/main/java/org/eclipse/sensinact/gateway/security/signature/internal/SignatureFileChecker.java - gerrit/sensinact/org.eclipse.sensinact.gateway - Git at Google

 /*
 * Copyright (c) 2020 Kentyou.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-v10.html
  *
  * Contributors:
 *    Kentyou - initial API and implementation
  */
 package org.eclipse.sensinact.gateway.security.signature.internal;

 import org.eclipse.sensinact.gateway.common.bundle.Mediator;

 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 import java.util.jar.Attributes;

 public class SignatureFileChecker {
     // private static final Logger logger=
     // Logger.getLogger(LoggerConfig.JARVAL_LOGGER);
     private SignatureFileChecker() {
         // no action
     }

     private static boolean checkAbsenceOfModification(final SignedBundle signedJar, final SignatureFile pretendedSigFile) throws IOException {
         final Set sigEntries = pretendedSigFile.getEntries().keySet();
         final Set mfEntries = signedJar.getManifest().getEntries().keySet();
         // logger.log(Level.DEBUG, "sigEntries size: "+sigEntries.size());
         // logger.log(Level.DEBUG, "mfEntries size: "+mfEntries.size());
         boolean noAddition = false;
         boolean noRemoval = false;
         if (sigEntries.containsAll(mfEntries)) {
             noRemoval = true;
         }
         if (mfEntries.containsAll(sigEntries)) {
             noAddition = true;
         }
         // logger.log(Level.DEBUG, "no addition: "+noAddition);
         // logger.log(Level.DEBUG, "no removal: "+noRemoval);
         return noAddition && noRemoval;
     }

     private static boolean checkHashValuesValid(Mediator mediator, SignedBundle signedBundle, SignatureFile pretendedSigFile, CryptographicUtils cryptoUtils) throws FileNotFoundException, IOException, NoSuchAlgorithmException {
         boolean manifestEntriesValid = true;
         final Attributes pretendedMainAttributes = pretendedSigFile.getMainAttributes();

         final Map pretendedEntries = pretendedSigFile.getEntries();

         final Map<String, String> dataMap = ManifestChecker.extractEntryHashes(mediator, signedBundle.getEntry("/META-INF/MANIFEST.MF").openStream(), cryptoUtils, pretendedSigFile.getHashAlgo());
         // logger.log(Level.DEBUG, "number of entries: "+dataMap.size());
         String entryName, currentHash, pretendedHash;
         Map.Entry entry;
         boolean currentEntryValid;
         for (final Iterator iter = dataMap.entrySet().iterator(); iter.hasNext() && manifestEntriesValid; ) {
             entry = (Map.Entry) iter.next();
             entryName = (String) entry.getKey();
             // logger.log(Level.ALL, "entry name: "+entryName);
             currentHash = (String) entry.getValue();
             // logger.log(Level.ALL, entryName+", "+currentHash);
             if ("SHA1-Digest-Manifest-Main-Attributes".equals(entryName)) {
                 pretendedHash = (String) pretendedMainAttributes.getValue(entryName);
             } else if ("SHA-256-Digest-Manifest-Main-Attributes".equals(entryName)) {
                 pretendedHash = (String) pretendedMainAttributes.getValue(entryName);
             } else {
                 pretendedHash = ManifestChecker.getEntryHash((Attributes) pretendedEntries.get(entryName));
             }
             if (pretendedHash == null) {
                 // logger.log(Level.DEBUG,
                 // "No pretended Hash in Reference Signature File");
                 manifestEntriesValid = false;
             } else {
                 currentEntryValid = pretendedHash.equals(currentHash);
                 // if(!currentEntryValid){
                 // logger.log(Level.DEBUG, "entry "+entryName+" has an invalid
                 // hash");
                 // logger.log(Level.DEBUG,
                 // "pretended hash: "+pretendedHash
                 // +"; real hash: "+currentHash);
                 // }
                 manifestEntriesValid &= currentEntryValid;
             }
         }
         return manifestEntriesValid;
     }

     protected static boolean checkEntriesValidity(Mediator mediator, SignedBundle signedJar, SignatureFile pretendedSigFile, CryptographicUtils cryptoUtils) throws FileNotFoundException, IOException, NoSuchAlgorithmException {
         // logger.log(Level.DEBUG, "SignatureFileChecker.checkEntriesValidity");
         final boolean absenceOfModifications = SignatureFileChecker.checkAbsenceOfModification(signedJar, pretendedSigFile);
         // logger.log(Level.DEBUG,
         // "SignatureFileChecker: absence of modifications, "
         // +absenceOfModifications);
         // check that the hash values are valid
         final boolean hashesValid = SignatureFileChecker.checkHashValuesValid(mediator, signedJar, pretendedSigFile, cryptoUtils);
         // logger.log(Level.DEBUG,
         // "SignatureFileChecker: hashes valid, "+hashesValid);
         return absenceOfModifications && hashesValid;
     }
 }
	/*
	* Copyright (c) 2020 Kentyou.
	* All rights reserved. This program and the accompanying materials
	* are made available under the terms of the Eclipse Public License v1.0
	* which accompanies this distribution, and is available at
	* http://www.eclipse.org/legal/epl-v10.html
	*
	* Contributors:
	* Kentyou - initial API and implementation
	*/
	package org.eclipse.sensinact.gateway.security.signature.internal;

	import org.eclipse.sensinact.gateway.common.bundle.Mediator;

	import java.io.FileNotFoundException;
	import java.io.IOException;
	import java.security.NoSuchAlgorithmException;
	import java.util.Iterator;
	import java.util.Map;
	import java.util.Set;
	import java.util.jar.Attributes;

	public class SignatureFileChecker {
	// private static final Logger logger=
	// Logger.getLogger(LoggerConfig.JARVAL_LOGGER);
	private SignatureFileChecker() {
	// no action
	}

	private static boolean checkAbsenceOfModification(final SignedBundle signedJar, final SignatureFile pretendedSigFile) throws IOException {
	final Set sigEntries = pretendedSigFile.getEntries().keySet();
	final Set mfEntries = signedJar.getManifest().getEntries().keySet();
	// logger.log(Level.DEBUG, "sigEntries size: "+sigEntries.size());
	// logger.log(Level.DEBUG, "mfEntries size: "+mfEntries.size());
	boolean noAddition = false;
	boolean noRemoval = false;
	if (sigEntries.containsAll(mfEntries)) {
	noRemoval = true;
	}
	if (mfEntries.containsAll(sigEntries)) {
	noAddition = true;
	}
	// logger.log(Level.DEBUG, "no addition: "+noAddition);
	// logger.log(Level.DEBUG, "no removal: "+noRemoval);
	return noAddition && noRemoval;
	}

	private static boolean checkHashValuesValid(Mediator mediator, SignedBundle signedBundle, SignatureFile pretendedSigFile, CryptographicUtils cryptoUtils) throws FileNotFoundException, IOException, NoSuchAlgorithmException {
	boolean manifestEntriesValid = true;
	final Attributes pretendedMainAttributes = pretendedSigFile.getMainAttributes();

	final Map pretendedEntries = pretendedSigFile.getEntries();

	final Map<String, String> dataMap = ManifestChecker.extractEntryHashes(mediator, signedBundle.getEntry("/META-INF/MANIFEST.MF").openStream(), cryptoUtils, pretendedSigFile.getHashAlgo());
	// logger.log(Level.DEBUG, "number of entries: "+dataMap.size());
	String entryName, currentHash, pretendedHash;
	Map.Entry entry;
	boolean currentEntryValid;
	for (final Iterator iter = dataMap.entrySet().iterator(); iter.hasNext() && manifestEntriesValid; ) {
	entry = (Map.Entry) iter.next();
	entryName = (String) entry.getKey();
	// logger.log(Level.ALL, "entry name: "+entryName);
	currentHash = (String) entry.getValue();
	// logger.log(Level.ALL, entryName+", "+currentHash);
	if ("SHA1-Digest-Manifest-Main-Attributes".equals(entryName)) {
	pretendedHash = (String) pretendedMainAttributes.getValue(entryName);
	} else if ("SHA-256-Digest-Manifest-Main-Attributes".equals(entryName)) {
	pretendedHash = (String) pretendedMainAttributes.getValue(entryName);
	} else {
	pretendedHash = ManifestChecker.getEntryHash((Attributes) pretendedEntries.get(entryName));
	}
	if (pretendedHash == null) {
	// logger.log(Level.DEBUG,
	// "No pretended Hash in Reference Signature File");
	manifestEntriesValid = false;
	} else {
	currentEntryValid = pretendedHash.equals(currentHash);
	// if(!currentEntryValid){
	// logger.log(Level.DEBUG, "entry "+entryName+" has an invalid
	// hash");
	// logger.log(Level.DEBUG,
	// "pretended hash: "+pretendedHash
	// +"; real hash: "+currentHash);
	// }
	manifestEntriesValid &= currentEntryValid;
	}
	}
	return manifestEntriesValid;
	}

	protected static boolean checkEntriesValidity(Mediator mediator, SignedBundle signedJar, SignatureFile pretendedSigFile, CryptographicUtils cryptoUtils) throws FileNotFoundException, IOException, NoSuchAlgorithmException {
	// logger.log(Level.DEBUG, "SignatureFileChecker.checkEntriesValidity");
	final boolean absenceOfModifications = SignatureFileChecker.checkAbsenceOfModification(signedJar, pretendedSigFile);
	// logger.log(Level.DEBUG,
	// "SignatureFileChecker: absence of modifications, "
	// +absenceOfModifications);
	// check that the hash values are valid
	final boolean hashesValid = SignatureFileChecker.checkHashValuesValid(mediator, signedJar, pretendedSigFile, cryptoUtils);
	// logger.log(Level.DEBUG,
	// "SignatureFileChecker: hashes valid, "+hashesValid);
	return absenceOfModifications && hashesValid;
	}
	}