JAR_Signer *
jar_get_signer(JAR *jar, char *basename)
{
JAR_Item *it;
JAR_Context *ctx = JAR_find(jar, NULL, jarTypeOwner);
JAR_Signer *candidate;
JAR_Signer *signer = NULL;
if (ctx == NULL)
return NULL;
while (JAR_find_next(ctx, &it) >= 0) {
candidate = (JAR_Signer *)it->data;
if (*basename == '*' || !PORT_Strcmp(candidate->owner, basename)) {
signer = candidate;
break;
}
}
JAR_find_end(ctx);
return signer;
}
/************************************************************************
*
* J a r W h o
*/
int
JarWho(char *filename)
{
FILE *fp;
JAR *jar;
JAR_Context *ctx;
int status;
int retval = 0;
JAR_Item *it;
JAR_Cert *fing;
CERTCertificate *cert, *prev = NULL;
jar = JAR_new();
if ((fp = fopen(filename, "r")) == NULL) {
perror(filename);
exit(ERRX);
}
fclose(fp);
status = JAR_pass_archive(jar, jarArchGuess, filename, "some-url");
if (status < 0 || jar->valid < 0) {
PR_fprintf(outputFD,
"NOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
filename);
retval = -1;
if (jar->valid < 0 || status != -1) {
const char *errtext;
if (status >= JAR_BASE && status <= JAR_BASE_END) {
errtext = JAR_get_error(status);
} else {
errtext = SECU_Strerror(PORT_GetError());
}
PR_fprintf(outputFD, " (reported reason: %s)\n\n", errtext);
}
}
PR_fprintf(outputFD, "\nSigner information:\n\n");
ctx = JAR_find(jar, NULL, jarTypeSign);
while (JAR_find_next(ctx, &it) >= 0) {
fing = (JAR_Cert *)it->data;
cert = fing->cert;
if (cert) {
if (prev == cert)
break;
if (cert->nickname)
PR_fprintf(outputFD, "nickname: %s\n", cert->nickname);
if (cert->subjectName)
PR_fprintf(outputFD, "subject name: %s\n",
cert->subjectName);
if (cert->issuerName)
PR_fprintf(outputFD, "issuer name: %s\n", cert->issuerName);
} else {
PR_fprintf(outputFD, "no certificate could be found\n");
retval = -1;
}
prev = cert;
}
JAR_find_end(ctx);
JAR_destroy(jar);
return retval;
}
/*************************************************************************
*
* V e r i f y J a r
*/
int
VerifyJar(char *filename)
{
FILE *fp;
int ret;
int status;
int failed = 0;
char *err;
JAR *jar;
JAR_Context *ctx;
JAR_Item *it;
jar = JAR_new();
if ((fp = fopen(filename, "r")) == NULL) {
perror(filename);
exit(ERRX);
} else
fclose(fp);
JAR_set_callback(JAR_CB_SIGNAL, jar, jar_cb);
status = JAR_pass_archive(jar, jarArchGuess, filename, "some-url");
if (status < 0 || jar->valid < 0) {
failed = 1;
PR_fprintf(outputFD,
"\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
filename);
if (status < 0) {
const char *errtext;
if (status >= JAR_BASE && status <= JAR_BASE_END) {
errtext = JAR_get_error(status);
} else {
errtext = SECU_Strerror(PORT_GetError());
}
PR_fprintf(outputFD, " (reported reason: %s)\n\n",
errtext);
/* corrupt files should not have their contents listed */
if (status == JAR_ERR_CORRUPT)
return -1;
}
PR_fprintf(outputFD,
"entries shown below will have their digests checked only.\n");
jar->valid = 0;
} else
PR_fprintf(outputFD,
"archive \"%s\" has passed crypto verification.\n", filename);
if (verify_global(jar))
failed = 1;
PR_fprintf(outputFD, "\n");
PR_fprintf(outputFD, "%16s %s\n", "status", "path");
PR_fprintf(outputFD, "%16s %s\n", "------------", "-------------------");
ctx = JAR_find(jar, NULL, jarTypeMF);
while (JAR_find_next(ctx, &it) >= 0) {
if (it && it->pathname) {
rm_dash_r(TMP_OUTPUT);
ret = JAR_verified_extract(jar, it->pathname, TMP_OUTPUT);
/* if (ret < 0) printf ("error %d on %s\n", ret, it->pathname); */
if (ret < 0)
failed = 1;
if (ret == JAR_ERR_PNF)
err = "NOT PRESENT";
else if (ret == JAR_ERR_HASH)
err = "HASH FAILED";
else
err = "NOT VERIFIED";
PR_fprintf(outputFD, "%16s %s\n",
ret >= 0 ? "verified" : err, it->pathname);
if (ret != 0 && ret != JAR_ERR_PNF && ret != JAR_ERR_HASH)
PR_fprintf(outputFD, " (reason: %s)\n",
JAR_get_error(ret));
}
}
JAR_find_end(ctx);
if (status < 0 || jar->valid < 0) {
failed = 1;
PR_fprintf(outputFD,
"\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
filename);
give_help(status);
}
JAR_destroy(jar);
if (failed)
return -1;
return 0;
}
/***************************************************************************
*
* v e r i f y _ g l o b a l
*/
static int
verify_global(JAR *jar)
{
FILE *fp;
JAR_Context *ctx;
JAR_Item *it;
JAR_Digest *globaldig;
char *ext;
unsigned char *md5_digest, *sha1_digest;
unsigned int sha1_length, md5_length;
int retval = 0;
char buf[BUFSIZ];
ctx = JAR_find(jar, "*", jarTypePhy);
while (JAR_find_next(ctx, &it) >= 0) {
if (!PORT_Strncmp(it->pathname, "META-INF", 8)) {
for (ext = it->pathname; *ext; ext++)
;
while (ext > it->pathname && *ext != '.')
ext--;
if (verbosity >= 0) {
if (!PORT_Strcasecmp(ext, ".rsa")) {
PR_fprintf(outputFD, "found a RSA signature file: %s\n",
it->pathname);
}
if (!PORT_Strcasecmp(ext, ".dsa")) {
PR_fprintf(outputFD, "found a DSA signature file: %s\n",
it->pathname);
}
if (!PORT_Strcasecmp(ext, ".mf")) {
PR_fprintf(outputFD,
"found a MF master manifest file: %s\n",
it->pathname);
}
}
if (!PORT_Strcasecmp(ext, ".sf")) {
if (verbosity >= 0) {
PR_fprintf(outputFD,
"found a SF signature manifest file: %s\n",
it->pathname);
}
rm_dash_r(TMP_OUTPUT);
if (JAR_extract(jar, it->pathname, TMP_OUTPUT) < 0) {
PR_fprintf(errorFD, "%s: error extracting %s\n",
PROGRAM_NAME, it->pathname);
errorCount++;
retval = -1;
continue;
}
md5_digest = NULL;
sha1_digest = NULL;
if ((fp = fopen(TMP_OUTPUT, "rb")) != NULL) {
while (fgets(buf, BUFSIZ, fp)) {
char *s;
if (*buf == 0 || *buf == '\n' || *buf == '\r')
break;
for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
;
*s = 0;
if (!PORT_Strncmp(buf, "MD5-Digest: ", 12)) {
md5_digest =
ATOB_AsciiToData(buf + 12, &md5_length);
}
if (!PORT_Strncmp(buf, "SHA1-Digest: ", 13)) {
sha1_digest =
ATOB_AsciiToData(buf + 13, &sha1_length);
}
if (!PORT_Strncmp(buf, "SHA-Digest: ", 12)) {
sha1_digest =
ATOB_AsciiToData(buf + 12, &sha1_length);
}
}
globaldig = jar->globalmeta;
if (globaldig && md5_digest && verbosity >= 0) {
PR_fprintf(outputFD,
" md5 digest on global metainfo: %s\n",
PORT_Memcmp(md5_digest, globaldig->md5, MD5_LENGTH)
? "no match"
: "match");
}
if (globaldig && sha1_digest && verbosity >= 0) {
PR_fprintf(outputFD,
" sha digest on global metainfo: %s\n",
PORT_Memcmp(sha1_digest, globaldig->sha1, SHA1_LENGTH)
? "no match"
: "match");
}
if (globaldig == NULL && verbosity >= 0) {
PR_fprintf(outputFD,
"global metadigest is not available, strange.\n");
}
PORT_Free(md5_digest);
PORT_Free(sha1_digest);
fclose(fp);
}
}
}
}
JAR_find_end(ctx);
return retval;
}
/*************************************************************************
*
* P k 1 1 I n s t a l l _ U s e r V e r i f y J a r
*
* Gives the user feedback on the signatures of a JAR files, asks them
* whether they actually want to continue.
* Assumes the jar structure has already been created and is valid.
* Returns 0 if the user wants to continue the installation, nonzero
* if the user wishes to abort.
*/
short
Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out, PRBool query)
{
JAR_Context *ctx;
JAR_Cert *fing;
JAR_Item *item;
char stdinbuf[80];
int count=0;
CERTCertificate *cert, *prev=NULL;
PR_fprintf(out, "\nThis installation JAR file was signed by:\n");
ctx = JAR_find(jar, NULL, jarTypeSign);
while(JAR_find_next(ctx, &item) >= 0 ) {
fing = (JAR_Cert*) item->data;
cert = fing->cert;
if(cert==prev) {
continue;
}
count++;
PR_fprintf(out, "----------------------------------------------\n");
if(cert) {
if(cert->nickname) {
PR_fprintf(out, "**NICKNAME**\n%s\n", cert->nickname);
}
if(cert->subjectName) {
PR_fprintf(out, "**SUBJECT NAME**\n%s\n", cert->subjectName); }
if(cert->issuerName) {
PR_fprintf(out, "**ISSUER NAME**\n%s\n", cert->issuerName);
}
} else {
PR_fprintf(out, "No matching certificate could be found.\n");
}
PR_fprintf(out, "----------------------------------------------\n\n");
prev=cert;
}
JAR_find_end(ctx);
if(count==0) {
PR_fprintf(out, "No signatures found: JAR FILE IS UNSIGNED.\n");
}
if(query) {
PR_fprintf(out,
"Do you wish to continue this installation? (y/n) ");
if(PR_fgets(stdinbuf, 80, PR_STDIN) != NULL) {
char *response;
if( (response=strtok(stdinbuf, " \t\n\r")) ) {
if( !PL_strcasecmp(response, "y") ||
!PL_strcasecmp(response, "yes") ) {
return 0;
}
}
}
}
return 1;
}
