You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by fs...@apache.org on 2020/02/09 11:00:41 UTC
[tomcat-jakartaee-migration] branch master updated: Drop
cryptographic signatures from converted JAR files
This is an automated email from the ASF dual-hosted git repository.
fschumacher pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-jakartaee-migration.git
The following commit(s) were added to refs/heads/master by this push:
new b379249 Drop cryptographic signatures from converted JAR files
b379249 is described below
commit b379249200d71272fa5a726181f9a979321dd73c
Author: Felix Schumacher <fe...@internetallee.de>
AuthorDate: Sun Feb 9 11:55:38 2020 +0100
Drop cryptographic signatures from converted JAR files
When we change the classes in the JAR files, the cryptographic
signatures will no longer be valid. Deployment of WAR files that
contain those JAR files will fail.
Therefore drop the signatures of any JAR file that is contained
in the WAR.
All dropped signatures and signature files will be logged at leve FINE.
Maybe we should log a warning at the end of the conversion, if signatures
where dropped, to raise more awareness for these kind of modification.
---
.../org/apache/tomcat/jakartaee/Migration.java | 42 ++++++++++++++++++++++
.../tomcat/jakartaee/LocalStrings.properties | 2 ++
2 files changed, 44 insertions(+)
diff --git a/src/main/java/org/apache/tomcat/jakartaee/Migration.java b/src/main/java/org/apache/tomcat/jakartaee/Migration.java
index 04e073a..f2eed3f 100644
--- a/src/main/java/org/apache/tomcat/jakartaee/Migration.java
+++ b/src/main/java/org/apache/tomcat/jakartaee/Migration.java
@@ -24,6 +24,8 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
import java.util.concurrent.TimeUnit;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
@@ -133,7 +135,11 @@ public class Migration {
JarOutputStream jarOs = new JarOutputStream(new NonClosingOutputStream(dest))) {
Manifest manifest = jarIs.getManifest();
if (manifest != null) {
+ // Make a safe copy to leave original manifest untouched.
+ // Otherwise messing with signatures will fail
+ manifest = new Manifest(manifest);
updateVersion(manifest);
+ removeSignatures(manifest);
JarEntry manifestEntry = new JarEntry(JarFile.MANIFEST_NAME);
jarOs.putNextEntry(manifestEntry);
manifest.write(jarOs);
@@ -142,6 +148,10 @@ public class Migration {
while ((jarEntry = jarIs.getNextJarEntry()) != null) {
String sourceName = jarEntry.getName();
logger.log(Level.FINE, sm.getString("migration.entry", sourceName));
+ if (isSignatureFile(sourceName)) {
+ logger.log(Level.FINE, sm.getString("migration.skipSignatureFile", sourceName));
+ continue;
+ }
String destName = Util.convert(sourceName);
JarEntry destEntry = new JarEntry(destName);
jarOs.putNextEntry(destEntry);
@@ -152,6 +162,12 @@ public class Migration {
}
+ private boolean isSignatureFile(String sourceName) {
+ return sourceName.startsWith("META-INF/")
+ && (sourceName.endsWith(".SF") || sourceName.endsWith(".RSA") || sourceName.endsWith(".DSA"));
+ }
+
+
private boolean migrateStream(String name, InputStream src, OutputStream dest) throws IOException {
if (isArchive(name)) {
logger.log(Level.INFO, sm.getString("migration.archive", name));
@@ -169,6 +185,32 @@ public class Migration {
}
+ private void removeSignatures(Manifest manifest) {
+ manifest.getMainAttributes().remove(Attributes.Name.SIGNATURE_VERSION);
+ List<String> signatureEntries = new ArrayList<>();
+ Map<String, Attributes> manifestAttributeEntries = manifest.getEntries();
+ for (Entry<String, Attributes> entry : manifestAttributeEntries.entrySet()) {
+ if (isCryptoSignatureEntry(entry.getValue())) {
+ String entryName = entry.getKey();
+ signatureEntries.add(entryName);
+ logger.log(Level.FINE, sm.getString("migration.removeSignature", entryName));
+ }
+ }
+ signatureEntries.stream()
+ .forEach(manifestAttributeEntries::remove);
+ }
+
+
+ private boolean isCryptoSignatureEntry(Attributes attributes) {
+ for (Object attributeKey : attributes.keySet()) {
+ if (attributeKey.toString().endsWith("-Digest")) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+
private void updateVersion(Manifest manifest) {
updateVersion(manifest.getMainAttributes());
for (Attributes attributes : manifest.getEntries().values()) {
diff --git a/src/main/resources/org/apache/tomcat/jakartaee/LocalStrings.properties b/src/main/resources/org/apache/tomcat/jakartaee/LocalStrings.properties
index fdfe379..2f9560d 100644
--- a/src/main/resources/org/apache/tomcat/jakartaee/LocalStrings.properties
+++ b/src/main/resources/org/apache/tomcat/jakartaee/LocalStrings.properties
@@ -20,5 +20,7 @@ migration.entry=Migrating Jar entry [{0}]
migration.error=Error performing migration
migration.execute=Performing migration from source [{0}] to destination [{1}]
migration.mkdirError=Error creating destination directory [{0}]
+migration.removeSignature=Remove cryptographic signature for [{0}]
+migration.skipSignatureFile=Drop cryptographic signature file [{0}]
migration.stream=Migrating stream [{0}]
migration.usage=Usage: Migration <source> <destination>
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat-jakartaee-migration] branch master updated: Drop
cryptographic signatures from converted JAR files
Posted by Felix Schumacher <fe...@internetallee.de>.
Am 09.02.20 um 12:49 schrieb Mark Thomas:
> On 09/02/2020 11:00, fschumacher@apache.org wrote:
>
> <snip/>
>
>> All dropped signatures and signature files will be logged at leve FINE.
>> Maybe we should log a warning at the end of the conversion, if signatures
>> where dropped, to raise more awareness for these kind of modification.
> +1 for a warning.
Implemented the warnings as log entries.
I think it would be nicer to show them at the end of the run, but that
would mean a lot of changes, as I don't want to use global variables to
convey those warnings and the current return values are booleans
(indicating success/error, only).
Felix
>
> Mark
>
> P.S. It is great to see this tool evolving as other start to use it.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [tomcat-jakartaee-migration] branch master updated: Drop
cryptographic signatures from converted JAR files
Posted by Mark Thomas <ma...@apache.org>.
On 09/02/2020 11:00, fschumacher@apache.org wrote:
<snip/>
> All dropped signatures and signature files will be logged at leve FINE.
> Maybe we should log a warning at the end of the conversion, if signatures
> where dropped, to raise more awareness for these kind of modification.
+1 for a warning.
Mark
P.S. It is great to see this tool evolving as other start to use it.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org