author | Kenny Root <kroot@google.com> | 2014-11-14 17:10:13 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-11-14 17:10:13 +0000 |
commit | 8d4127b6f07ff8b01cef5e29932bd21cf14d9921 (patch) | |
tree | 3eef90b3e319ea6087dfcc6b80f109b30b82a41a | |
parent | 452a68e75473081b1aa8d709a12491ca07292f23 (diff) | |
parent | 657afa6cd8da378f30afe7b491e6d9de6c7c23fd (diff) | |
am 657afa6c: Merge "JarUtils: stop trying to build chain past candidates length" into lmp-mr1-dev
* commit '657afa6cd8da378f30afe7b491e6d9de6c7c23fd':
JarUtils: stop trying to build chain past candidates length
-rw-r--r-- | harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java | 88 | ||||
-rw-r--r-- | luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java | 4 | ||||
-rw-r--r-- | support/src/test/java/tests/resources/hyts_certLoop.jar | bin | 0 -> 14389 bytes |
3 files changed, 75 insertions, 17 deletions
diff --git a/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java b/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java
index f55829d..0bc8920 100644
--- a/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java
+++ b/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java
@@ -37,7 +37,14 @@ import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Enumeration;
+import java.util.List;
 import java.util.Vector;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
 import java.util.jar.Attributes;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
@@ -97,6 +104,27 @@ public class JarFileTest extends TestCase {
 private final String emptyEntryJar = "EmptyEntries_signed.jar";
+ /*
+ * /usr/bin/openssl genrsa 2048 > root1.pem
+ * /usr/bin/openssl req -new -key root1.pem -out root1.csr -subj '/CN=root1'
+ * /usr/bin/openssl x509 -req -days 3650 -in root1.csr -signkey root1.pem -out root1.crt
+ * /usr/bin/openssl genrsa 2048 > root2.pem
+ * /usr/bin/openssl req -new -key root2.pem -out root2.csr -subj '/CN=root2'
+ * echo 4000 > root1.srl
+ * echo 8000 > root2.srl
+ * /usr/bin/openssl x509 -req -days 3650 -in root2.csr -CA root1.crt -CAkey root1.pem -out root2.crt
+ * /usr/bin/openssl x509 -req -days 3650 -in root1.csr -CA root2.crt -CAkey root2.pem -out root1.crt
+ * /usr/bin/openssl genrsa 2048 > signer.pem
+ * /usr/bin/openssl req -new -key signer.pem -out signer.csr -subj '/CN=signer'
+ * /usr/bin/openssl x509 -req -days 3650 -in signer.csr -CA root1.crt -CAkey root1.pem -out signer.crt
+ * /usr/bin/openssl pkcs12 -inkey signer.pem -in signer.crt -export -out signer.p12 -name signer -passout pass:certloop
+ * keytool -importkeystore -srckeystore signer.p12 -srcstoretype PKCS12 -destkeystore signer.jks -srcstorepass certloop -deststorepass certloop
+ * cat signer.crt root1.crt root2.crt > chain.crt
+ * zip -d hyts_certLoop.jar 'META-INF/*'
+ * jarsigner -keystore signer.jks -certchain chain.crt -storepass certloop hyts_certLoop.jar signer
+ */
+ private final String certLoopJar = "hyts_certLoop.jar";
+
 private final String emptyEntry1 = "subfolder/internalSubset01.js";
 private final String emptyEntry2 = "svgtest.js";
@@ -616,6 +644,9 @@ public class JarFileTest extends TestCase {
 // JAR with a signature that has PKCS#7 Authenticated Attributes
 checkSignedJar(authAttrsJar);
+
+ // JAR with certificates that loop
+ checkSignedJar(certLoopJar, 3);
 }
 /**
@@ -628,29 +659,52 @@ public class JarFileTest extends TestCase {
 checkSignedJar(jarName9);
 }
+ /**
+ * Checks that a JAR is signed correctly with a signature length of 1.
+ */
 private void checkSignedJar(String jarName) throws Exception {
- Support_Resources.copyFile(resources, null, jarName);
+ checkSignedJar(jarName, 1);
+ }
- File file = new File(resources, jarName);
- boolean foundCerts = false;
+ /**
+ * Checks that a JAR is signed correctly with a signature length of sigLength.
+ */
+ private void checkSignedJar(String jarName, final int sigLength) throws Exception {
+ Support_Resources.copyFile(resources, null, jarName);
- JarFile jarFile = new JarFile(file, true);
- try {
+ final File file = new File(resources, jarName);
- Enumeration<JarEntry> e = jarFile.entries();
- while (e.hasMoreElements()) {
- JarEntry entry = e.nextElement();
- InputStream is = jarFile.getInputStream(entry);
- is.skip(100000);
- is.close();
- Certificate[] certs = entry.getCertificates();
- if (certs != null && certs.length > 0) {
- foundCerts = true;
- break;
+ ExecutorService executor = Executors.newSingleThreadExecutor();
+ Future<Boolean> future = executor.submit(new Callable<Boolean>() {
+ @Override
+ public Boolean call() throws Exception {
+ JarFile jarFile = new JarFile(file, true);
+ try {
+ Enumeration<JarEntry> e = jarFile.entries();
+ while (e.hasMoreElements()) {
+ JarEntry entry = e.nextElement();
+ InputStream is = jarFile.getInputStream(entry);
+ is.skip(100000);
+ is.close();
+ Certificate[] certs = entry.getCertificates();
+ if (certs != null && certs.length > 0) {
+ assertEquals(sigLength, certs.length);
+ return true;
+ }
+ }
+ return false;
+ } finally {
+ jarFile.close();
 }
 }
- } finally {
- jarFile.close();
+ });
+ executor.shutdown();
+ final boolean foundCerts;
+ try {
+ foundCerts = future.get(10, TimeUnit.SECONDS);
+ } catch (TimeoutException e) {
+ fail("Could not finish building chain; possibly confused by loops");
+ return; // Not actually reached.
}
 assertTrue(
diff --git a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
index cfd4089..020663e 100644
--- a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
+++ b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
@@ -249,6 +249,10 @@ public class JarUtils {
 }
 chain.add(issuerCert);
 count++;
+ /* Prevent growing infinitely if there is a loop */
+ if (count > candidates.length) {
+ break;
+ }
 issuer = issuerCert.getIssuerDN();
 if (issuerCert.getSubjectDN().equals(issuer)) {
 break;
diff --git a/support/src/test/java/tests/resources/hyts_certLoop.jar b/support/src/test/java/tests/resources/hyts_certLoop.jar
Binary files differ
new file mode 100644
index 0000000..cb4ebe1
--- /dev/null
+++ b/support/src/test/java/tests/resources/hyts_certLoop.jar |
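Review bot: In the `catch (TimeoutException e)` branch of the new `checkSignedJar(String, int)` in JarFileTest.java, the worker task is never cancelled. `executor.shutdown()` only refuses new submissions, so if chain building regresses and spins again, the task keeps running and allocating after the test has already failed, on a non-daemon thread from `newSingleThreadExecutor()`. Add `future.cancel(true);` as the first statement of that catch block (or `executor.shutdownNow()` in a `finally`); this is best-effort, since the looping code may not observe interrupts. Separately, `assertEquals(sigLength, certs.length)` runs inside the `Callable`, so a length mismatch reaches the test wrapped in an `ExecutionException` from `future.get`; returning `certs.length` and asserting on the test thread would report it as a plain assertion failure.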
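Review bot: In the JarUtils.java hunk the new bound `if (count > candidates.length)` is evaluated only after `chain.add(issuerCert); count++;`, so a loop is inferred from length rather than from seeing a certificate twice, and the iteration that trips the guard has already appended its certificate. Whether the returned chain can then hold a repeated certificate depends on how `count` is initialised and how the chain is returned, both outside this hunk; please confirm, since the new test expects exactly 3 certificates for the looped JAR. A direct check before the add, `if (chain.contains(issuerCert)) { break; }`, would stop at the first repeat and state the intent, assuming `chain` is a `java.util` collection. The comment could also name the input that causes the loop, e.g. `/* Certificates in a signature block may issue each other; bound the chain so it cannot grow without limit */`.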