/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.felix.deploymentadmin.itest.util;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
/**
* Signs a deployment package using a given keypair.
*/
public class DPSigner {
private static final String META_INF = "META-INF/";
public static String getSignatureAlgorithm(Key key) {
if (key instanceof RSAKey) {
return "SHA256withRSA";
}
else if (key instanceof DSAKey) {
return "SHA1withDSA";
}
else if (key instanceof ECKey) {
return "SHA256withECDSA";
}
else {
throw new IllegalArgumentException("Invalid/unsupported key: " + key.getClass().getName());
}
}
private static String getBlockFileExtension(Key key) {
if (key instanceof RSAKey) {
return ".RSA";
}
else if (key instanceof DSAKey) {
return ".DSA";
}
else if (key instanceof ECKey) {
return ".EC";
}
else {
throw new IllegalArgumentException("Invalid/unsupported key: " + key.getClass().getName());
}
}
private final MessageDigest m_digest;
private final String m_digestAlg;
private final String m_baseName;
public DPSigner() {
this("DP");
}
public DPSigner(String baseName) {
try {
m_baseName = META_INF.concat(baseName);
m_digest = MessageDigest.getInstance("SHA-256");
m_digestAlg = m_digest.getAlgorithm();
}
catch (NoSuchAlgorithmException e) {
throw new RuntimeException("SHA-256 not supported by default?!");
}
}
public void addDigestAttribute(Attributes attrs, ArtifactData file) throws IOException {
attrs.putValue(m_digestAlg.concat("-Digest"), calculateDigest(file));
}
public void sign(DeploymentPackageBuilder builder, PrivateKey privKey, X509Certificate cert, OutputStream os) throws Exception {
Manifest manifest = builder.createManifest();
List<ArtifactData> artifacts = builder.getArtifactList();
sign(manifest, artifacts, privKey, cert, os);
}
public void sign(Manifest manifest, List<ArtifactData> files, PrivateKey privKey, X509Certificate cert, OutputStream os) throws Exception {
// For each file, add its signature to the manifest
for (ArtifactData file : files) {
String filename = file.getFilename();
Attributes attrs = manifest.getAttributes(filename);
addDigestAttribute(attrs, file);
}
try (ZipOutputStream zos = new ZipOutputStream(os)) {
writeSignedManifest(manifest, zos, privKey, cert);
for (ArtifactData file : files) {
ZipEntry entry = new ZipEntry(file.getFilename());
zos.putNextEntry(entry);
try (InputStream is = file.createInputStream()) {
byte[] buf = new byte[1024];
int read;
while ((read = is.read(buf)) > 0) {
zos.write(buf, 0, read);
}
}
}
}
}
public void writeSignedManifest(Manifest manifest, ZipOutputStream zos, PrivateKey privKey, X509Certificate cert) throws Exception {
zos.putNextEntry(new ZipEntry(JarFile.MANIFEST_NAME));
manifest.write(zos);
zos.closeEntry();
long now = System.currentTimeMillis();
// Determine the signature-file manifest...
Manifest sf = createSignatureFile(manifest);
byte[] sfRawBytes;
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
sf.write(baos);
sfRawBytes = baos.toByteArray();
}
ZipEntry sigFileEntry = new ZipEntry(m_baseName.concat(".SF"));
sigFileEntry.setTime(now);
zos.putNextEntry(sigFileEntry);
// Write the actual entry data...
zos.write(sfRawBytes, 0, sfRawBytes.length);
zos.closeEntry();
// Create a PKCS#7 signature...
byte[] encoded = calculateSignatureBlock(privKey, cert, sfRawBytes);
ZipEntry blockFileEntry = new ZipEntry(m_baseName.concat(getBlockFileExtension(privKey)));
blockFileEntry.setTime(now);
zos.putNextEntry(blockFileEntry);
zos.write(encoded);
zos.closeEntry();
}
private String calculateDigest(ArtifactData file) throws IOException {
m_digest.reset();
try (InputStream is = file.createInputStream()) {
byte[] buffer = new byte[1024];
int read;
while ((read = is.read(buffer)) > 0) {
m_digest.update(buffer, 0, read);
}
}
return Base64.encodeBase64String(m_digest.digest());
}
private String calculateDigest(byte[] rawData) throws IOException {
m_digest.reset();
m_digest.update(rawData, 0, rawData.length);
return Base64.encodeBase64String(m_digest.digest());
}
private byte[] calculateSignatureBlock(PrivateKey privKey, X509Certificate cert, byte[] sfRawBytes) throws Exception {
String signatureAlgorithm = getSignatureAlgorithm(privKey);
DigestCalculatorProvider digestCalculatorProvider = new JcaDigestCalculatorProviderBuilder().build();
ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privKey);
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(digestCalculatorProvider).build(signer, cert));
gen.addCertificates(new JcaCertStore(Arrays.asList(cert)));
CMSSignedData sigData = gen.generate(new CMSProcessableByteArray(sfRawBytes));
return sigData.getEncoded();
}
private Manifest createSignatureFile(Manifest manifest) throws IOException {
byte[] mfRawBytes;
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
manifest.write(baos);
mfRawBytes = baos.toByteArray();
}
Manifest sf = new Manifest();
Attributes sfMain = sf.getMainAttributes();
Map<String, Attributes> sfEntries = sf.getEntries();
sfMain.put(Attributes.Name.SIGNATURE_VERSION, "1.0");
sfMain.putValue("Created-By", "Apache Felix DeploymentPackageBuilder");
sfMain.putValue(m_digestAlg + "-Digest-Manifest", calculateDigest(mfRawBytes));
sfMain.putValue(m_digestAlg + "-Digest-Manifest-Main-Attribute", calculateDigest(getRawBytesMainAttributes(manifest)));
for (Entry<String, Attributes> entry : manifest.getEntries().entrySet()) {
String name = entry.getKey();
byte[] entryData = getRawBytesAttributes(entry.getValue());
sfEntries.put(name, getDigestAttributes(entryData));
}
return sf;
}
private Attributes getDigestAttributes(byte[] rawData) throws IOException {
Attributes attrs = new Attributes();
attrs.putValue(m_digestAlg + "-Digest", calculateDigest(rawData));
return attrs;
}
private byte[] getRawBytesAttributes(Attributes attrs) throws IOException {
try (ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos)) {
Method m = Attributes.class.getDeclaredMethod("write", DataOutputStream.class);
m.setAccessible(true);
m.invoke(attrs, dos);
return baos.toByteArray();
}
catch (NoSuchMethodException | SecurityException | InvocationTargetException | IllegalAccessException e) {
throw new RuntimeException("Failed to get raw bytes of main attributes!", e);
}
}
private byte[] getRawBytesMainAttributes(Manifest manifest) throws IOException {
try (ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos)) {
Attributes attrs = manifest.getMainAttributes();
Method m = Attributes.class.getDeclaredMethod("writeMain", DataOutputStream.class);
m.setAccessible(true);
m.invoke(attrs, dos);
return baos.toByteArray();
}
catch (NoSuchMethodException | SecurityException | InvocationTargetException | IllegalAccessException e) {
throw new RuntimeException("Failed to get raw bytes of main attributes!", e);
}
}
}