OpenJDK / aarch32-port / jdk9u / jdk
changeset 7433:6f75b365af19
8009235: Improve handling of TSA data
Reviewed-by: ahgross, mullan
author | vinnie |
---|---|
date | Mon, 08 Apr 2013 21:12:28 +0100 |
parents | e5969bf37f26 |
children | 5496abfc666a |
files | src/share/classes/sun/security/pkcs/SignerInfo.java src/share/classes/sun/security/timestamp/TimestampToken.java |
diffstat | 2 files changed, 36 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java Mon Apr 08 06:15:18 2013 +0100 +++ b/src/share/classes/sun/security/pkcs/SignerInfo.java Mon Apr 08 21:12:28 2013 +0100 @@ -34,6 +34,7 @@ import java.security.cert.X509Certificate; import java.security.*; import java.util.ArrayList; +import java.util.Arrays; import sun.security.timestamp.TimestampToken; import sun.security.util.*; @@ -57,6 +58,7 @@ byte[] encryptedDigest; Timestamp timestamp; private boolean hasTimestamp = true; + private static final Debug debug = Debug.getInstance("jar"); PKCS9Attributes authenticatedAttributes; PKCS9Attributes unauthenticatedAttributes; @@ -499,11 +501,40 @@ CertPath tsaChain = cf.generateCertPath(chain); // Create a timestamp token info object TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); + // Check that the signature timestamp applies to this signature + verifyTimestamp(tsTokenInfo); // Create a timestamp object timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain); return timestamp; } + /* + * Check that the signature timestamp applies to this signature. + * Match the hash present in the signature timestamp token against the hash + * of this signature. + */ + private void verifyTimestamp(TimestampToken token) + throws NoSuchAlgorithmException, SignatureException { + + MessageDigest md = + MessageDigest.getInstance(token.getHashAlgorithm().getName()); + + if (!Arrays.equals(token.getHashedMessage(), + md.digest(encryptedDigest))) { + + throw new SignatureException("Signature timestamp (#" + + token.getSerialNumber() + ") generated on " + token.getDate() + + " is inapplicable"); + } + + if (debug != null) { + debug.println(); + debug.println("Detected signature timestamp (#" + + token.getSerialNumber() + ") generated on " + token.getDate()); + debug.println(); + } + } + public String toString() { HexDumpEncoder hexDump = new HexDumpEncoder();
--- a/src/share/classes/sun/security/timestamp/TimestampToken.java Mon Apr 08 06:15:18 2013 +0100 +++ b/src/share/classes/sun/security/timestamp/TimestampToken.java Mon Apr 08 21:12:28 2013 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -115,6 +115,10 @@ return nonce; } + public BigInteger getSerialNumber() { + return serialNumber; + } + /* * Parses the timestamp token info. *