def test_verify_mf_checksums_no_whole_digest(self):
sf_file = "sf-no-whole-digest.sf"
mf_file = "sf-no-whole-digest.mf"
sf = SignatureManifest()
sf.parse_file(get_data_fn(sf_file))
mf = Manifest()
mf.parse_file(get_data_fn(mf_file))
error_message = sf.verify_manifest_checksums(mf)
self.assertIsNone(error_message,
"Verification of signature file %s against manifest %s failed: %s"
% (sf_file, mf_file, error_message))
def test_verify_mf_checksums_no_whole_digest(self):
sf_file = "sf-no-whole-digest.sf"
mf_file = "sf-no-whole-digest.mf"
sf = SignatureManifest()
sf.parse_file(get_data_fn(sf_file))
mf = Manifest()
mf.parse_file(get_data_fn(mf_file))
error_message = sf.verify_manifest_checksums(mf)
self.assertIsNone(
error_message,
"Verification of signature file %s against manifest %s failed: %s"
% (sf_file, mf_file, error_message))
def test_multi_digests(self):
jar_file = "multi-digests.jar"
mf_ok_file = "one-valid-digest-of-several.mf"
mf = Manifest()
mf.parse_file(get_data_fn(mf_ok_file))
error_message = mf.verify_jar_checksums(get_data_fn(jar_file))
self.assertIsNone(error_message,
"Digest verification of %s against JAR %s failed: %s" \
% (mf_ok_file, jar_file, error_message))
sf_ok_file = "one-valid-digest-of-several.sf"
sf = SignatureManifest()
sf.parse_file(get_data_fn(sf_ok_file))
error_message = sf.verify_manifest_checksums(mf)
self.assertIsNone(error_message,
"Signature file digest verification of %s against manifest %s failed: %s" \
% (sf_ok_file, mf_ok_file, error_message))
def test_multi_digests(self):
jar_file = "multi-digests.jar"
mf_ok_file = "one-valid-digest-of-several.mf"
mf = Manifest()
mf.parse_file(get_data_fn(mf_ok_file))
error_message = mf.verify_jar_checksums(get_data_fn(jar_file))
self.assertIsNone(error_message,
"Digest verification of %s against JAR %s failed: %s" \
% (mf_ok_file, jar_file, error_message))
sf_ok_file = "one-valid-digest-of-several.sf"
sf = SignatureManifest()
sf.parse_file(get_data_fn(sf_ok_file))
error_message = sf.verify_manifest_checksums(mf)
self.assertIsNone(error_message,
"Signature file digest verification of %s against manifest %s failed: %s" \
% (sf_ok_file, mf_ok_file, error_message))
def verify(certificate, jar_file, key_alias):
"""
Verifies signature of a JAR file.
Limitations:
- diagnostic is less verbose than of jarsigner
:return: tuple (exit_status, result_message)
Reference:
http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Signature_Validation
Note that the validation is done in three steps. Failure at any step is a
failure of the whole validation.
"""
from .crypto import verify_signature_block
from tempfile import mkstemp
zip_file = ZipFile(jar_file)
sf_data = zip_file.read("META-INF/%s.SF" % key_alias)
# Step 1: check the crypto part.
sf_file = mkstemp()[1]
with open(sf_file, "w") as tmp_buf:
tmp_buf.write(sf_data)
tmp_buf.flush()
file_list = zip_file.namelist()
sig_block_filename = None
# JAR specification mentions only RSA and DSA; jarsigner also has EC
signature_extensions = ("RSA", "DSA", "EC")
for extension in signature_extensions:
candidate_filename = "META-INF/%s.%s" % (key_alias, extension)
if candidate_filename in file_list:
sig_block_filename = candidate_filename
break
if sig_block_filename is None:
return "None of %s found in JAR" % \
", ".join(key_alias + "." + x for x in signature_extensions)
sig_block_data = zip_file.read(sig_block_filename)
error = verify_signature_block(certificate, sf_file, sig_block_data)
os.unlink(sf_file)
if error is not None:
return error
# KEYALIAS.SF is correctly signed.
# Step 2: Check that it contains correct checksum of the manifest.
signature_manifest = SignatureManifest()
signature_manifest.parse(sf_data)
jar_manifest = Manifest()
jar_manifest.parse(zip_file.read("META-INF/MANIFEST.MF"))
error = signature_manifest.verify_manifest_checksums(jar_manifest)
if error is not None:
return error
# Checksums of MANIFEST.MF itself are correct.
# Step 3: Check that it contains valid checksums for each file from the JAR.
error = jar_manifest.verify_jar_checksums(jar_file)
if error is not None:
return error
return None