changeset 7433:6f75b365af19

8009235: Improve handling of TSA data Reviewed-by: ahgross, mullan
author vinnie
date Mon, 08 Apr 2013 21:12:28 +0100
parents e5969bf37f26
children 5496abfc666a
files src/share/classes/sun/security/pkcs/SignerInfo.java src/share/classes/sun/security/timestamp/TimestampToken.java
diffstat 2 files changed, 36 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java	Mon Apr 08 06:15:18 2013 +0100
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java	Mon Apr 08 21:12:28 2013 +0100
@@ -34,6 +34,7 @@
 import java.security.cert.X509Certificate;
 import java.security.*;
 import java.util.ArrayList;
+import java.util.Arrays;
 
 import sun.security.timestamp.TimestampToken;
 import sun.security.util.*;
@@ -57,6 +58,7 @@
     byte[] encryptedDigest;
     Timestamp timestamp;
     private boolean hasTimestamp = true;
+    private static final Debug debug = Debug.getInstance("jar");
 
     PKCS9Attributes authenticatedAttributes;
     PKCS9Attributes unauthenticatedAttributes;
@@ -499,11 +501,40 @@
         CertPath tsaChain = cf.generateCertPath(chain);
         // Create a timestamp token info object
         TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
+        // Check that the signature timestamp applies to this signature
+        verifyTimestamp(tsTokenInfo);
         // Create a timestamp object
         timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain);
         return timestamp;
     }
 
+    /*
+     * Check that the signature timestamp applies to this signature.
+     * Match the hash present in the signature timestamp token against the hash
+     * of this signature.
+     */
+    private void verifyTimestamp(TimestampToken token)
+        throws NoSuchAlgorithmException, SignatureException {
+
+        MessageDigest md =
+            MessageDigest.getInstance(token.getHashAlgorithm().getName());
+
+        if (!Arrays.equals(token.getHashedMessage(),
+            md.digest(encryptedDigest))) {
+
+            throw new SignatureException("Signature timestamp (#" +
+                token.getSerialNumber() + ") generated on " + token.getDate() +
+                " is inapplicable");
+        }
+
+        if (debug != null) {
+            debug.println();
+            debug.println("Detected signature timestamp (#" +
+                token.getSerialNumber() + ") generated on " + token.getDate());
+            debug.println();
+        }
+    }
+
     public String toString() {
         HexDumpEncoder hexDump = new HexDumpEncoder();
 
--- a/src/share/classes/sun/security/timestamp/TimestampToken.java	Mon Apr 08 06:15:18 2013 +0100
+++ b/src/share/classes/sun/security/timestamp/TimestampToken.java	Mon Apr 08 21:12:28 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -115,6 +115,10 @@
         return nonce;
     }
 
+    public BigInteger getSerialNumber() {
+        return serialNumber;
+    }
+
     /*
      * Parses the timestamp token info.
      *