[jboss-dev] certs and verified signers

Ales Justin ales.justin at gmail.com
Tue Sep 15 15:25:29 EDT 2009


This is what I see when I turn on logging (-Djava.security.debug=jar)

0 DEBUG [VirtualFileUnitTestCase] ==== Starting testCertificates ====
0 INFO  [VirtualFileUnitTestCase] Force copy: false
47 INFO  [VFSCacheFactory] Using VFSCache [NoopVFSCache]
93 INFO  [CopyMechanism] VFS temp dir: C:\DOCUME~1\Ales\LOCALS~1\Temp
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/MYCERT.SF
jar: processEntry: processing block
jar: beginEntry META-INF/MYCERT.DSA
jar: processEntry: processing block
jar: Signature Block Certificate: [
[
   Version: V3
   Subject: CN=AJ, OU=RHT, O=RHT d.o.o., L=Vrhnika, ST=Unknown, C=SI
   Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

   Key:  Sun DSA Public Key
   Validity: [From: Tue Sep 15 14:53:20 CEST 2009,
                To: Mon Dec 14 13:53:20 CET 2009]
   Issuer: CN=AJ, OU=RHT, O=RHT d.o.o., L=Vrhnika, ST=Unknown, C=SI
   SerialNumber: [    4aaf8e40]

]
   Algorithm: [SHA1withDSA]
   Signature:
0000: 30 2C 02 14 33 6E 95 35   B9 57 2C BB 38 0F A9 2D  0,..3n.5.W,.8..-
0010: A9 7F 60 C4 F3 95 A4 D0   02 14 3C 85 ED 36 4B 5D  ..`.......<..6K]
0020: A2 F8 50 13 E8 61 96 B4   FD AF 95 17 33 73        ..P..a......3s

]
jar: Signature File: Manifest digest SHA1
jar:   sigfile  51be07330c40c7588157efb848593c3e115bd157
jar:   computed 51be07330c40c7588157efb848593c3e115bd157
jar:
jar: processSignature signed name = examplets/plugins/impl/AnotherInjectedPlugin.class
jar: done with meta!
jar: beginEntry examplets/plugins/impl/AnotherInjectedPlugin.class
218 DEBUG [VirtualFileUnitTestCase] testCertificates took 218ms
218 DEBUG [VirtualFileUnitTestCase] ==== Stopping testCertificates ====

junit.framework.AssertionFailedError: No certificates: ZipEntryHandler@28899428[path=examplets/plugins/impl/AnotherInjectedPlugin.class context=file:/C:/projects/branches/mc/vfs/Branch_2_1/target/test-classes/vfs/test/cert_test.jar real=file:/C:/projects/branches/mc/vfs/Branch_2_1/target/test-classes/vfs/test/cert_test.jar/examplets/plugins/impl/AnotherInjectedPlugin.class]
	at org.jboss.test.virtual.test.VirtualFileUnitTestCase.testCertificates(VirtualFileUnitTestCase.java:1368)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:40)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)

Ales Justin wrote:
>> Read the fine manual :-)
>> http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/JarEntry.html#getCertificates() 
>>
>>
>> i.e. you have to read() the entire stream before asking for the 
>> certs/signers.
> 
> Yeah, just found that out, while reading and weeping at that super ugly 
> code. :-)
> 
> But this still doesn't return any certs:
> 
>       URL url = getResource("/vfs/test/cert_test.jar");
>       VirtualFile jar = VFS.getRoot(url);
>       VirtualFile clazz = jar.findChild("examplets/plugins/impl/AnotherInjectedPlugin.class");
>       InputStream tmp = clazz.openStream(); // HERE -- reading stream
>       Certificate[] certs = clazz.getCertificates();
>       assertNotNull("No certificates: " + clazz, certs);
> 
> I now get "sigFileSigners" entry in JarVerifier class, but I don't know 
> how to move it to verifiedSigners Hashtable in 
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/util/ManifestEntryVerifier.java.htm 
> yet.
> 
>> But the real reason for JBCL-67 - besides having a
>> mechanism to do a VirtualFile.getCertificates() - is how to do it for
>> non-jar files, e.g. unpacked deployments?
> 
> Since this is now an impl detail of VirtualFile/VirtualFileHandler, it's 
> up to them to provide a mechanism.
> 
> Any ideas / suggestions?
> e.g. X.class --> X.class.cert if it exists
> 
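The JarEntry.getCertificates() contract quoted in this thread, as an added example that is not part of the original post and uses plain java.util.jar rather than the JBoss VFS classes. The class name EntryCertsDemo is hypothetical, and the jar path and entry name are supplied on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class EntryCertsDemo {

    // Consume the entry to end of stream, then ask for its certificates.
    // The verifier only records an entry's signers once the whole stream has
    // been read and its digest matched; a modified entry makes read() throw
    // SecurityException instead.
    static Certificate[] certsAfterFullRead(JarFile jar, JarEntry entry) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) {
                // contents are discarded; only reaching EOF matters here
            }
        }
        return entry.getCertificates(); // still null for an unsigned entry
    }

    static String describe(Certificate[] certs) {
        if (certs == null) {
            return "null (unsigned, or not verified yet)";
        }
        StringBuilder sb = new StringBuilder(certs.length + " certificate(s)");
        for (Certificate c : certs) {
            if (c instanceof X509Certificate) {
                sb.append("\n  ").append(((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // args[0] = path to a signed jar, args[1] = entry name inside it
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            JarEntry entry = jar.getJarEntry(args[1]);
            if (entry == null) {
                throw new IOException("no such entry: " + args[1]);
            }
            try (InputStream opened = jar.getInputStream(entry)) {
                // Stream opened but not read: nothing has been verified yet.
                System.out.println("opened only: " + describe(entry.getCertificates()));
            }
            System.out.println("read to EOF: " + describe(certsAfterFullRead(jar, entry)));
        }
    }
}
```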


