-
Notifications
You must be signed in to change notification settings - Fork 3
/
NOTES.txt
55 lines (40 loc) · 2.62 KB
/
NOTES.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
.DSA and .RSA are PKCS#7 signature files
https://docs.oracle.com/javase/tutorial/deployment/jar/intro.html
> the signature file contains digest entries for the archive's files that look similar to the
> digest-value entries in the manifest. However, while the digest values in the manifest are
> computed from the files themselves, the digest values in the signature file are computed from
> the corresponding entries in the manifest. Signature files also contain a
> digest value for the entire manifest (see the SHA1-Digest-Manifest header in
> the above example).
> When a signed JAR file is being verified, the digests of each of its files
> are re-computed and compared with the digests recorded in the manifest to
> ensure that the contents of the JAR file haven't changed since it was
> signed. As an additional check, digest values for the manifest file itself
> are re-computed and compared against the values recorded in the signature
> file.
- Implication that a JAR with additional unsigned files can still pass validation (probably ignore
even if non-standard?)
https://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html
https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/sun/security/tools/JarSigner.java#L2143
SignatureFile(MessageDigest digests[],
Manifest mf,
ManifestDigester md,
String baseName,
boolean signManifest)
> encoder.encode(mde.digest(digests[i])
BASE64Encoder encoder = new JarBASE64Encoder();
where digest[i] is MessageDigest
base64()
ManifestDigester manDig = new ManifestDigester(mfRawBytes); <-- actual manifest bytes
SignatureFile sf = new SignatureFile(digests, manifest, manDig,
sigfile, signManifest);
> For each entry in the manifest, verify the digest value in the manifest file
> against a digest calculated over the actual data referenced in the "Name:"
> attribute, which specifies either a relative file path or URL. If any of the
> digest values don't match, then JAR file verification fails.
> In the .SF file, the digest value for a specified source file is the hash of the three lines in the manifest file for the source file. <----
https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html
* Newlines significant per entry
* The hash of the manifest in the signature file will be MINUS the attributes at the top
https://justanapplication.wordpress.com/tag/pkcs7/
It is the SHA-1 digest of the CERT.SF file which has been encrypted using the private key corresponding to the public key contained in the accompanying certificate.