9:26 a.m.
WRT JBCL-67.
I have a jar which I signed with
keytool -genkeypair -alias mycert -keystore keystore -keypass ambam123
jarsigner -keystore keystore -storepass ambam123
..\DIFramework\dist\another.jar mycert
keytool -exportcert -keystore keystore -alias mycert -file mare_cert.cer
keytool -importcert -file mare_cert.cer -keystore ales_store -storepass
ambam5
java -Djavax.net.ssl.trustStore=ales_store
-Djavax.net.ssl.trustStorePassword=ambam5
This jar includes com/acme/X.class.
So, I would now expect when I access this class in jar via JarEntry
to be able to get its certificates: JarEntry::getCertificates.
But I get null.
I guess I'm missing a list of verified signers?
JarVerfier.class:
/**
* Return an array of java.security.cert.Certificate objects for
* the given file in the jar.
*/
public java.security.cert.Certificate[] getCerts(String name)
{
CodeSigner[] signers = getCodeSigners(name);
// Extract the certs in each code signer's cert chain
if (signers != null) { // <----- THIS is null in my case
How do I add this signers?
I already hacked out my security knowledge, w/o any success. ;-(
10:13 a.m.
Read the fine manual :-)
http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/JarEntry.html#getCe...
i.e. you have to read() the entire stream before asking
for the certs/signers.
The classloader will have already done that when it loaded the byte
code, see BaseClassLoader.loadClassLocally():
// Load the bytecode
byte[] byteCode = ClassLoaderUtils.loadByteCode(name, is);
// Let the policy do things before we define the class
BaseClassLoaderPolicy basePolicy = policy;
ProtectionDomain protectionDomain = basePolicy.getProtectionDomain(name,
resourcePath);
where the last line will expect the VFSClassLoaderPolicy to
get the certificates for the "resource path".
But the real reason for JBCL-67 - besides having a
mechanism to do a VirtualFile.getCertificates() - is how to do it for
non-jar files, e.g. unpacked deployments?
On Tue, 2009-09-15 at 16:26 +0200, Ales Justin wrote:
WRT JBCL-67.
I have a jar which I signed with
keytool -genkeypair -alias mycert -keystore keystore -keypass ambam123
jarsigner -keystore keystore -storepass ambam123
..\DIFramework\dist\another.jar mycert
keytool -exportcert -keystore keystore -alias mycert -file mare_cert.cer
keytool -importcert -file mare_cert.cer -keystore ales_store -storepass
ambam5
java -Djavax.net.ssl.trustStore=ales_store
-Djavax.net.ssl.trustStorePassword=ambam5
This jar includes com/acme/X.class.
So, I would now expect when I access this class in jar via JarEntry
to be able to get its certificates: JarEntry::getCertificates.
But I get null.
I guess I'm missing a list of verified signers?
JarVerfier.class:
/**
* Return an array of java.security.cert.Certificate objects for
* the given file in the jar.
*/
public java.security.cert.Certificate[] getCerts(String name)
{
CodeSigner[] signers = getCodeSigners(name);
// Extract the certs in each code signer's cert chain
if (signers != null) { // <----- THIS is null in my case
How do I add this signers?
I already hacked out my security knowledge, w/o any success. ;-(
_______________________________________________
jboss-development mailing list
jboss-development(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-development
--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Adrian Brock
Chief Scientist
JBoss by Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
10:36 a.m.
Read the fine manual :-)
http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/JarEntry.html#getCe...
i.e. you have to read() the entire stream before asking
for the certs/signers.
Yeah, just found that out, while reading and weeping at that super ugly
code. :-)
But this still doesn't return any certs:
URL url = getResource("/vfs/test/cert_test.jar");
VirtualFile jar = VFS.getRoot(url);
VirtualFile clazz =
jar.findChild("examplets/plugins/impl/AnotherInjectedPlugin.class");
InputStream tmp = clazz.openStream(); // HERE -- reading stream
Certificate[] certs = clazz.getCertificates();
assertNotNull("No certificates: " + clazz, certs);
I now get "sigFileSigners" entry in JarVerifier class, but I don't know
how to move it to verifiedSigners Hashtable in
http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/secur...
yet.
But the real reason for JBCL-67 - besides having a
mechanism to do a VirtualFile.getCertificates() - is how to do it for
non-jar files, e.g. unpacked deployments?
Since this is now an impl detail of VirtualFile/VirtualFileHandler, it's
up to them do provide a mechanism.
Any ideas / suggestions?
e.g. X.class --> X.class.cert if it exists
2:25 p.m.
This is what I see when I turn on logging (-Djava.security.debug=jar)
0 DEBUG [VirtualFileUnitTestCase] ==== Starting testCertificates ====
0 INFO [VirtualFileUnitTestCase] Force copy: false
47 INFO [VFSCacheFactory] Using VFSCache [NoopVFSCache]
93 INFO [CopyMechanism] VFS temp dir: C:\DOCUME~1\Ales\LOCALS~1\Temp
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/MYCERT.SF
jar: processEntry: processing block
jar: beginEntry META-INF/MYCERT.DSA
jar: processEntry: processing block
jar: Signature Block Certificate: [
[
Version: V3
Subject: CN=AJ, OU=RHT, O=RHT d.o.o., L=Vrhnika, ST=Unknown, C=SI
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
Key: Sun DSA Public Key
Parameters:DSA
p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80
b6512669
455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5
g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b
3d078267
5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a
y:
5a7bcad6 d9db24a9 c0ec9655 320cc373 d0a9b443 a658230e c98117f2 0a90bf76
1d3715a8 20722735 b961472a 553cdfff 5349c8cc a32f3dfc c7eded9d 1b269ca6
12e6b47a 60d8fa6e dc702d50 c479df14 0992c0c7 7d8bc235 3e0a7e04 7196c327
8ee8ff8a 24c67133 64a50c19 b1f1abae 14046f48 ca1605a6 8c27b912 5d91c4c5
Validity: [From: Tue Sep 15 14:53:20 CEST 2009,
To: Mon Dec 14 13:53:20 CET 2009]
Issuer: CN=AJ, OU=RHT, O=RHT d.o.o., L=Vrhnika, ST=Unknown, C=SI
SerialNumber: [ 4aaf8e40]
]
Algorithm: [SHA1withDSA]
Signature:
0000: 30 2C 02 14 33 6E 95 35 B9 57 2C BB 38 0F A9 2D 0,..3n.5.W,.8..-
0010: A9 7F 60 C4 F3 95 A4 D0 02 14 3C 85 ED 36 4B 5D ..`.......<..6K]
0020: A2 F8 50 13 E8 61 96 B4 FD AF 95 17 33 73 ..P..a......3s
]
jar: Signature File: Manifest digest SHA1
jar: sigfile 51be07330c40c7588157efb848593c3e115bd157
jar: computed 51be07330c40c7588157efb848593c3e115bd157
jar:
jar: processSignature signed name =
examplets/plugins/impl/AnotherInjectedPlugin.class
jar: done with meta!
jar: beginEntry examplets/plugins/impl/AnotherInjectedPlugin.class
218 DEBUG [VirtualFileUnitTestCase] testCertificates took 218ms
218 DEBUG [VirtualFileUnitTestCase] ==== Stopping testCertificates ====
junit.framework.AssertionFailedError: No certificates:
ZipEntryHandler(a)28899428[path=examplets/plugins/impl/AnotherInjectedPlugin.class
context=file:/C:/projects/branches/mc/vfs/Branch_2_1/target/test-classes/vfs/test/cert_test.jar
real=file:/C:/projects/branches/mc/vfs/Branch_2_1/target/test-classes/vfs/test/cert_test.jar/examplets/plugins/impl/AnotherInjectedPlugin.class]
at
org.jboss.test.virtual.test.VirtualFileUnitTestCase.testCertificates(VirtualFileUnitTestCase.java:1368)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:40)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)
Ales Justin wrote:
> Read the fine manual :-)
> http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/JarEntry.html#getCe...
>
>
> i.e. you have to read() the entire stream before asking for the
> certs/signers.
Yeah, just found that out, while reading and weeping at that super ugly
code. :-)
But this still doesn't return any certs:
URL url = getResource("/vfs/test/cert_test.jar");
VirtualFile jar = VFS.getRoot(url);
VirtualFile clazz =
jar.findChild("examplets/plugins/impl/AnotherInjectedPlugin.class");
InputStream tmp = clazz.openStream(); // HERE -- reading stream
Certificate[] certs = clazz.getCertificates();
assertNotNull("No certificates: " + clazz, certs);
I now get "sigFileSigners" entry in JarVerifier class, but I don't know
how to move it to verifiedSigners Hashtable in
http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/secur...
yet.
> But the real reason for JBCL-67 - besides having a
> mechanism to do a VirtualFile.getCertificates() - is how to do it for
> non-jar files, e.g. unpacked deployments?
Since this is now an impl detail of VirtualFile/VirtualFileHandler, it's
up to them do provide a mechanism.
Any ideas / suggestions?
e.g. X.class --> X.class.cert if it exists
2:56 p.m.
OK, got it.
Like Adrian said, you really need to *read* the stream, not just open it.
> InputStream tmp = clazz.openStream(); // HERE -- reading
stream
Missing: VFSUtils.copyStreamAndClose(tmp, new ByteArrayOutputStream());
> Certificate[] certs = clazz.getCertificates();
> assertNotNull("No certificates: " + clazz, certs);
jar: processSignature signed name =
examplets/plugins/impl/AnotherInjectedPlugin.class
jar: done with meta!
jar: beginEntry examplets/plugins/impl/AnotherInjectedPlugin.class
jar: Manifest Entry: examplets/plugins/impl/AnotherInjectedPlugin.class
digest=SHA1
jar: manifest c1d0ef1715541c33b1b5e941abc840842bcb2db5
jar: computed c1d0ef1715541c33b1b5e941abc840842bcb2db5
:-)
5582
days inactive
5582
days old
jboss-development@lists.jboss.org
4 comments
2 participants
participants (2)
-
Adrian Brock -
Ales Justin