def test_verify_mf_checksums_no_whole_digest(self):
     sf_file = "sf-no-whole-digest.sf"
     mf_file = "sf-no-whole-digest.mf"
     sf = SignatureManifest()
     sf.parse_file(get_data_fn(sf_file))
     mf = Manifest()
     mf.parse_file(get_data_fn(mf_file))
     error_message = sf.verify_manifest_checksums(mf)
     self.assertIsNone(error_message,
         "Verification of signature file %s against manifest %s failed: %s"
         % (sf_file, mf_file, error_message))
예제 #2
0
 def test_verify_mf_checksums_no_whole_digest(self):
     sf_file = "sf-no-whole-digest.sf"
     mf_file = "sf-no-whole-digest.mf"
     sf = SignatureManifest()
     sf.parse_file(get_data_fn(sf_file))
     mf = Manifest()
     mf.parse_file(get_data_fn(mf_file))
     error_message = sf.verify_manifest_checksums(mf)
     self.assertIsNone(
         error_message,
         "Verification of signature file %s against manifest %s failed: %s"
         % (sf_file, mf_file, error_message))
예제 #3
0
    def test_multi_digests(self):
        jar_file = "multi-digests.jar"

        mf_ok_file = "one-valid-digest-of-several.mf"
        mf = Manifest()
        mf.parse_file(get_data_fn(mf_ok_file))
        error_message = mf.verify_jar_checksums(get_data_fn(jar_file))
        self.assertIsNone(error_message,
            "Digest verification of %s against JAR %s failed: %s" \
            % (mf_ok_file, jar_file, error_message))

        sf_ok_file = "one-valid-digest-of-several.sf"
        sf = SignatureManifest()
        sf.parse_file(get_data_fn(sf_ok_file))
        error_message = sf.verify_manifest_checksums(mf)
        self.assertIsNone(error_message,
            "Signature file digest verification of %s against manifest %s failed: %s" \
            % (sf_ok_file, mf_ok_file, error_message))
    def test_multi_digests(self):
        jar_file = "multi-digests.jar"

        mf_ok_file = "one-valid-digest-of-several.mf"
        mf = Manifest()
        mf.parse_file(get_data_fn(mf_ok_file))
        error_message = mf.verify_jar_checksums(get_data_fn(jar_file))
        self.assertIsNone(error_message,
            "Digest verification of %s against JAR %s failed: %s" \
            % (mf_ok_file, jar_file, error_message))

        sf_ok_file = "one-valid-digest-of-several.sf"
        sf = SignatureManifest()
        sf.parse_file(get_data_fn(sf_ok_file))
        error_message = sf.verify_manifest_checksums(mf)
        self.assertIsNone(error_message,
            "Signature file digest verification of %s against manifest %s failed: %s" \
            % (sf_ok_file, mf_ok_file, error_message))
예제 #5
0
def verify(certificate, jar_file, key_alias):
    """
    Verifies signature of a JAR file.

    Limitations:
    - diagnostic is less verbose than of jarsigner
    :return: tuple (exit_status, result_message)

    Reference:
    http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Signature_Validation
    Note that the validation is done in three steps. Failure at any step is a
    failure of the whole validation.
    """

    from .crypto import verify_signature_block
    from tempfile import mkstemp

    zip_file = ZipFile(jar_file)
    sf_data = zip_file.read("META-INF/%s.SF" % key_alias)

    # Step 1: check the crypto part.
    sf_file = mkstemp()[1]
    with open(sf_file, "w") as tmp_buf:
        tmp_buf.write(sf_data)
        tmp_buf.flush()
        file_list = zip_file.namelist()
        sig_block_filename = None
        # JAR specification mentions only RSA and DSA; jarsigner also has EC
        signature_extensions = ("RSA", "DSA", "EC")
        for extension in signature_extensions:
            candidate_filename = "META-INF/%s.%s" % (key_alias, extension)
            if candidate_filename in file_list:
                sig_block_filename = candidate_filename
                break
        if sig_block_filename is None:
            return "None of %s found in JAR" % \
                   ", ".join(key_alias + "." + x for x in signature_extensions)

        sig_block_data = zip_file.read(sig_block_filename)
        error = verify_signature_block(certificate, sf_file, sig_block_data)
        os.unlink(sf_file)
        if error is not None:
            return error

    # KEYALIAS.SF is correctly signed.
    # Step 2: Check that it contains correct checksum of the manifest.
    signature_manifest = SignatureManifest()
    signature_manifest.parse(sf_data)

    jar_manifest = Manifest()
    jar_manifest.parse(zip_file.read("META-INF/MANIFEST.MF"))

    error = signature_manifest.verify_manifest_checksums(jar_manifest)
    if error is not None:
        return error

    # Checksums of MANIFEST.MF itself are correct.
    # Step 3: Check that it contains valid checksums for each file from the JAR.
    error = jar_manifest.verify_jar_checksums(jar_file)
    if error is not None:
        return error

    return None