authorKenny Root <kroot@google.com>2014-11-14 17:10:13 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-11-14 17:10:13 +0000
commit8d4127b6f07ff8b01cef5e29932bd21cf14d9921 (patch)
tree3eef90b3e319ea6087dfcc6b80f109b30b82a41a
parent452a68e75473081b1aa8d709a12491ca07292f23 (diff)
parent657afa6cd8da378f30afe7b491e6d9de6c7c23fd (diff)
am 657afa6c: Merge "JarUtils: stop trying to build chain past candidates length" into lmp-mr1-dev
* commit '657afa6cd8da378f30afe7b491e6d9de6c7c23fd': JarUtils: stop trying to build chain past candidates length
-rw-r--r--harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java88
-rw-r--r--luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java4
-rw-r--r--support/src/test/java/tests/resources/hyts_certLoop.jarbin0 -> 14389 bytes
3 files changed, 75 insertions, 17 deletions
diff --git a/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java b/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java
index f55829d..0bc8920 100644
--- a/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java
+++ b/harmony-tests/src/test/java/org/apache/harmony/tests/java/util/jar/JarFileTest.java
@@ -37,7 +37,14 @@ import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
+import java.util.List;
import java.util.Vector;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
@@ -97,6 +104,27 @@ public class JarFileTest extends TestCase {
private final String emptyEntryJar = "EmptyEntries_signed.jar";
+ /*
+ * /usr/bin/openssl genrsa 2048 > root1.pem
+ * /usr/bin/openssl req -new -key root1.pem -out root1.csr -subj '/CN=root1'
+ * /usr/bin/openssl x509 -req -days 3650 -in root1.csr -signkey root1.pem -out root1.crt
+ * /usr/bin/openssl genrsa 2048 > root2.pem
+ * /usr/bin/openssl req -new -key root2.pem -out root2.csr -subj '/CN=root2'
+ * echo 4000 > root1.srl
+ * echo 8000 > root2.srl
+ * /usr/bin/openssl x509 -req -days 3650 -in root2.csr -CA root1.crt -CAkey root1.pem -out root2.crt
+ * /usr/bin/openssl x509 -req -days 3650 -in root1.csr -CA root2.crt -CAkey root2.pem -out root1.crt
+ * /usr/bin/openssl genrsa 2048 > signer.pem
+ * /usr/bin/openssl req -new -key signer.pem -out signer.csr -subj '/CN=signer'
+ * /usr/bin/openssl x509 -req -days 3650 -in signer.csr -CA root1.crt -CAkey root1.pem -out signer.crt
+ * /usr/bin/openssl pkcs12 -inkey signer.pem -in signer.crt -export -out signer.p12 -name signer -passout pass:certloop
+ * keytool -importkeystore -srckeystore signer.p12 -srcstoretype PKCS12 -destkeystore signer.jks -srcstorepass certloop -deststorepass certloop
+ * cat signer.crt root1.crt root2.crt > chain.crt
+ * zip -d hyts_certLoop.jar 'META-INF/*'
+ * jarsigner -keystore signer.jks -certchain chain.crt -storepass certloop hyts_certLoop.jar signer
+ */
+ private final String certLoopJar = "hyts_certLoop.jar";
+
private final String emptyEntry1 = "subfolder/internalSubset01.js";
private final String emptyEntry2 = "svgtest.js";
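Review bot: The comment above `certLoopJar` lists the commands but never says what they build, so a reader has to work out the loop from the fact that the second `-out root1.crt` overwrites the self-signed root1 with one issued by root2. A lead line would make the fixture's purpose explicit, for example `Builds a chain signer -> root1 -> root2 -> root1: root2.crt is issued by root1, then root1.crt is re-issued by root2.` The steps also start from an existing `hyts_certLoop.jar` (`zip -d` only strips `META-INF`), so it is worth saying which jar was used as the unsigned base.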
@@ -616,6 +644,9 @@ public class JarFileTest extends TestCase {
// JAR with a signature that has PKCS#7 Authenticated Attributes
checkSignedJar(authAttrsJar);
+
+ // JAR with certificates that loop
+ checkSignedJar(certLoopJar, 3);
}
/**
@@ -628,29 +659,52 @@ public class JarFileTest extends TestCase {
checkSignedJar(jarName9);
}
+ /**
+ * Checks that a JAR is signed correctly with a signature length of 1.
+ */
private void checkSignedJar(String jarName) throws Exception {
- Support_Resources.copyFile(resources, null, jarName);
+ checkSignedJar(jarName, 1);
+ }
- File file = new File(resources, jarName);
- boolean foundCerts = false;
+ /**
+ * Checks that a JAR is signed correctly with a signature length of sigLength.
+ */
+ private void checkSignedJar(String jarName, final int sigLength) throws Exception {
+ Support_Resources.copyFile(resources, null, jarName);
- JarFile jarFile = new JarFile(file, true);
- try {
+ final File file = new File(resources, jarName);
- Enumeration<JarEntry> e = jarFile.entries();
- while (e.hasMoreElements()) {
- JarEntry entry = e.nextElement();
- InputStream is = jarFile.getInputStream(entry);
- is.skip(100000);
- is.close();
- Certificate[] certs = entry.getCertificates();
- if (certs != null && certs.length > 0) {
- foundCerts = true;
- break;
+ ExecutorService executor = Executors.newSingleThreadExecutor();
+ Future<Boolean> future = executor.submit(new Callable<Boolean>() {
+ @Override
+ public Boolean call() throws Exception {
+ JarFile jarFile = new JarFile(file, true);
+ try {
+ Enumeration<JarEntry> e = jarFile.entries();
+ while (e.hasMoreElements()) {
+ JarEntry entry = e.nextElement();
+ InputStream is = jarFile.getInputStream(entry);
+ is.skip(100000);
+ is.close();
+ Certificate[] certs = entry.getCertificates();
+ if (certs != null && certs.length > 0) {
+ assertEquals(sigLength, certs.length);
+ return true;
+ }
+ }
+ return false;
+ } finally {
+ jarFile.close();
}
}
- } finally {
- jarFile.close();
+ });
+ executor.shutdown();
+ final boolean foundCerts;
+ try {
+ foundCerts = future.get(10, TimeUnit.SECONDS);
+ } catch (TimeoutException e) {
+ fail("Could not finish building chain; possibly confused by loops");
+ return; // Not actually reached.
}
assertTrue(
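Review bot: On the `catch (TimeoutException e)` path the worker is never stopped. `executor.shutdown()` only refuses new tasks, so a chain builder that really is looping keeps running after `fail(...)`, and the default executor thread is non-daemon, so it can keep the test JVM from exiting. Add `future.cancel(true);` (or `executor.shutdownNow();`) before `fail(...)`; because a CPU-bound loop may ignore the interrupt, passing a daemon `ThreadFactory` to `Executors.newSingleThreadExecutor` is the more reliable guard. Separately, `assertEquals(sigLength, certs.length)` runs on the worker thread, so a length mismatch surfaces from `future.get` wrapped in an `ExecutionException` rather than as a plain assertion failure. The body of `checkSignedJar` continues past the end of this hunk.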
diff --git a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
index cfd4089..020663e 100644
--- a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
+++ b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
@@ -249,6 +249,10 @@ public class JarUtils {
}
chain.add(issuerCert);
count++;
+ /* Prevent growing infinitely if there is a loop */
+ if (count > candidates.length) {
+ break;
+ }
issuer = issuerCert.getIssuerDN();
if (issuerCert.getSubjectDN().equals(issuer)) {
break;
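Review bot: The new guard `if (count > candidates.length)` bounds the loop by length rather than detecting the cycle, and it runs after `chain.add(issuerCert)`. By the time it fires, the chain may already hold a certificate that was added earlier; the starting value of `count` is outside the hunk, so this cannot be confirmed from here. Stopping at the first repeat, with `if (chain.contains(issuerCert)) { break; }` placed before `chain.add(issuerCert);`, would end the walk without appending a duplicate. The caller also cannot tell a chain cut short by this guard from one that ended at a self-signed root, so the comment should say that a looping chain is returned truncated, not rejected. The enclosing loop and method begin and end outside the hunk.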
diff --git a/support/src/test/java/tests/resources/hyts_certLoop.jar b/support/src/test/java/tests/resources/hyts_certLoop.jar
new file mode 100644
index 0000000..cb4ebe1
--- /dev/null
+++ b/support/src/test/java/tests/resources/hyts_certLoop.jar
Binary files differ