Mercurial > hg > release > icedtea7-forest-2.1 > jdk

changeset 4926:d5b0fafe5008

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8009235: Improve handling of TSA data Reviewed-by: ahgross, mullan
author vinnie
date Mon, 08 Apr 2013 21:17:57 +0100
parents 94aeaa544fd0
children 777c7be511a7
files src/share/classes/sun/security/timestamp/TimestampToken.java src/share/classes/sun/security/util/SignatureFileVerifier.java
diffstat 2 files changed, 33 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/timestamp/TimestampToken.java	Wed Jun 12 15:13:37 2013 +0100
+++ b/src/share/classes/sun/security/timestamp/TimestampToken.java	Mon Apr 08 21:17:57 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -115,6 +115,10 @@
         return nonce;
     }
 
+    public BigInteger getSerialNumber() {
+        return serialNumber;
+    }
+
     /*
      * Parses the timestamp token info.
      *
--- a/src/share/classes/sun/security/util/SignatureFileVerifier.java	Wed Jun 12 15:13:37 2013 +0100
+++ b/src/share/classes/sun/security/util/SignatureFileVerifier.java	Mon Apr 08 21:17:57 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -548,6 +548,8 @@
                 // Create a timestamp token info object
                 TimestampToken timestampTokenInfo =
                     new TimestampToken(encodedTimestampTokenInfo);
+                // Check that the signature timestamp applies to this signature
+                verifyTimestamp(timestampTokenInfo, info.getEncryptedDigest());
                 // Create a timestamp object
                 timestamp =
                     new Timestamp(timestampTokenInfo.getDate(), tsaChain);
@@ -556,6 +558,31 @@
         return timestamp;
     }
 
+    /*
+     * Check that the signature timestamp applies to this signature.
+     * Match the hash present in the signature timestamp token against the hash
+     * of this signature.
+     */
+    private void verifyTimestamp(TimestampToken token, byte[] signature)
+        throws NoSuchAlgorithmException, SignatureException {
+
+        MessageDigest md =
+            MessageDigest.getInstance(token.getHashAlgorithm().getName());
+
+        if (!Arrays.equals(token.getHashedMessage(), md.digest(signature))) {
+            throw new SignatureException("Signature timestamp (#" +
+                token.getSerialNumber() + ") generated on " + token.getDate() +
+                " is inapplicable");
+        }
+
+        if (debug != null) {
+            debug.println();
+            debug.println("Detected signature timestamp (#" +
+                token.getSerialNumber() + ") generated on " + token.getDate());
+            debug.println();
+        }
+    }
+
     // for the toHex function
     private static final char[] hexc =
             {'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'};