authorKenny Root <kroot@google.com>2014-04-18 23:00:16 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-04-18 23:00:16 +0000
commit80eedbe289fa735193d2eeea58da7f9d1fcf2b2f (patch)
tree83b705c14477c780e17d3b49d6ed28ebd7c9621d /luni/src/main/java/org
parent09cb7f462e447d570c0f35624b378540b825aea7 (diff)
parentdafee327892728c3632f2fa959c2790f7ea3049f (diff)
am dafee327: am e09807c8: am c935abb8: am c79a75f3: am 928d0707: am 6640b107: am f8986a98: Add API to check certificate chain signatures
* commit 'dafee327892728c3632f2fa959c2790f7ea3049f': Add API to check certificate chain signatures
Diffstat (limited to 'luni/src/main/java/org')
-rw-r--r--luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java35
1 files changed, 28 insertions, 7 deletions
diff --git a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
index 9fc574d..3fdd621 100644
--- a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
+++ b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
@@ -53,18 +53,27 @@ public class JarUtils {
new int[] {1, 2, 840, 113549, 1, 9, 4};
/**
+ * @see #verifySignature(InputStream, InputStream, boolean)
+ */
+ public static Certificate[] verifySignature(InputStream signature, InputStream signatureBlock)
+ throws IOException, GeneralSecurityException {
+ return verifySignature(signature, signatureBlock, false);
+ }
+
+ /**
* This method handle all the work with PKCS7, ASN1 encoding, signature verifying,
* and certification path building.
* See also PKCS #7: Cryptographic Message Syntax Standard:
* http://www.ietf.org/rfc/rfc2315.txt
* @param signature - the input stream of signature file to be verified
* @param signatureBlock - the input stream of corresponding signature block file
+ * @param chainCheck - whether to validate certificate chain signatures
* @return array of certificates used to verify the signature file
* @throws IOException - if some errors occurs during reading from the stream
* @throws GeneralSecurityException - if signature verification process fails
*/
public static Certificate[] verifySignature(InputStream signature, InputStream
- signatureBlock) throws IOException, GeneralSecurityException {
+ signatureBlock, boolean chainCheck) throws IOException, GeneralSecurityException {
BerInputStream bis = new BerInputStream(signatureBlock);
ContentInfo info = (ContentInfo)ContentInfo.ASN1.decode(bis);
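Review bot: The Javadoc for `chainCheck` does not say what the flag guarantees, and the new two-argument overload passes `false`, so existing callers still get a chain assembled by DN matching alone. As far as this patch shows, `chainCheck` only verifies each certificate's signature with the candidate issuer's public key, and a failed check shortens the returned chain instead of throwing. I would document that on the parameter, e.g. `@param chainCheck - if true, each certificate's signature is verified with its issuer's public key while the chain is built; a certificate that fails is left out and the chain ends there`. The overload's Javadoc should also state that it performs no chain signature check. The three-argument method's body continues outside the hunk.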
@@ -223,10 +232,11 @@ public class JarUtils {
throw new SecurityException("Incorrect signature");
}
- return createChain(certs[issuerSertIndex], certs);
+ return createChain(certs[issuerSertIndex], certs, chainCheck);
}
- private static X509Certificate[] createChain(X509Certificate signer, X509Certificate[] candidates) {
+ private static X509Certificate[] createChain(X509Certificate signer,
+ X509Certificate[] candidates, boolean chainCheck) {
LinkedList chain = new LinkedList();
chain.add(0, signer);
@@ -236,13 +246,16 @@ public class JarUtils {
}
Principal issuer = signer.getIssuerDN();
- X509Certificate issuerCert;
+ X509Certificate issuerCert = null;
+ X509Certificate subjectCert = signer;
int count = 1;
while (true) {
- issuerCert = findCert(issuer, candidates);
- if( issuerCert == null) {
+ X509Certificate newIssuerCert = findCert(issuer, candidates, subjectCert, chainCheck);
+ if (newIssuerCert == null) {
break;
}
+ subjectCert = issuerCert;
+ issuerCert = newIssuerCert;
chain.add(issuerCert);
count++;
if (issuerCert.getSubjectDN().equals(issuerCert.getIssuerDN())) {
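Review bot: `subjectCert` lags one step behind in the loop: `subjectCert = issuerCert;` runs before `issuerCert = newIssuerCert;`, and `issuerCert` starts as `null`, so after the first match `subjectCert` is `null`. Unless code outside the hunk reassigns it, the second lookup with `chainCheck` set calls `verify` on a null reference, the exception is swallowed in `findCert`, and the chain silently stops after one issuer. Later iterations would verify the wrong certificate. The certificate whose issuer is looked up next is the one just found, so the assignment should be `subjectCert = newIssuerCert;`. The rest of the loop body is outside the hunk.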
@@ -253,9 +266,17 @@ public class JarUtils {
return (X509Certificate[])chain.toArray(new X509Certificate[count]);
}
- private static X509Certificate findCert(Principal issuer, X509Certificate[] candidates) {
+ private static X509Certificate findCert(Principal issuer, X509Certificate[] candidates,
+ X509Certificate subjectCert, boolean chainCheck) {
for (int i = 0; i < candidates.length; i++) {
if (issuer.equals(candidates[i].getSubjectDN())) {
+ if (chainCheck) {
+ try {
+ subjectCert.verify(candidates[i].getPublicKey());
+ } catch (Exception e) {
+ continue;
+ }
+ }
return candidates[i];
}
}
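Review bot: `catch (Exception e)` around `subjectCert.verify(...)` is broader than the check needs and also hides programming errors such as a null `subjectCert`, which then look like an ordinary signature mismatch. The checked exceptions declared by `verify` are all `GeneralSecurityException` subclasses, so `catch (GeneralSecurityException e)` is enough and lets unexpected runtime failures surface. A short comment on the `continue` would also help, e.g. `// signature does not verify with this candidate's key; try another certificate with the same subject DN`. The end of `findCert` is outside the hunk.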