From 00ad70b3bd7f8859c710039857aa7da17a29b3d7 Mon Sep 17 00:00:00 2001
From: Sven Gothel
Date: Wed, 3 Apr 2019 06:04:52 +0200
Subject: Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation This change implements a strong SHA256 signature over: 1) source tree inclusive make recipe (SHA256-Source) 2) all class files (SHA256-Classes) 3) all native libraries (SHA256-Natives) 4) the class files as deployed in the jar (SHA256-Classes-this) 5) the native libraries as deployed in the jar (SHA256-Natives-this) and drops all of these in the deployed Jar file. This allows SHA256 validation of (4) + (5) at runtime and further complete validation (1), (2) and (3) offline. Full SCC would now required (1) - (3) to be placed on a server for further validation. Optionally we may use GPG or PGP to validate the build entity to implement the chain of trust The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo
---
 src/java/com/jogamp/common/GlueGenVersion.java | 43 ++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
(limited to 'src/java/com/jogamp/common/GlueGenVersion.java')
diff --git a/src/java/com/jogamp/common/GlueGenVersion.java b/src/java/com/jogamp/common/GlueGenVersion.java
index f97aba6..6ed7783 100644
--- a/src/java/com/jogamp/common/GlueGenVersion.java
+++ b/src/java/com/jogamp/common/GlueGenVersion.java
@@ -29,8 +29,17 @@ package com.jogamp.common;
 import com.jogamp.common.util.JogampVersion;
+import com.jogamp.common.util.SHASum;
 import com.jogamp.common.util.VersionUtil;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.jar.Manifest;
+import java.util.regex.Pattern;
 public class GlueGenVersion extends JogampVersion {
@@ -59,6 +68,40 @@ public class GlueGenVersion extends JogampVersion {
 return jogampCommonVersionInfo;
 }
+ /**
+ * {@code gluegen-rt.jar} definition of {@link SHASum.TempJarSHASum}'s specialization of {@link SHASum}.
+ *

+ * Implementation uses {@link com.jogamp.common.util.cache.TempJarCache}.
+ *

+ *

+ * Constructor defines the includes and excludes as used for {@code gluegen-rt.jar} {@link SHASum} computation.
+ *

+ */
+ public static class GluGenRTJarSHASum extends SHASum.TempJarSHASum {
+ /**
+ * See {@link GluGenRTJarSHASum}
+ * @throws SecurityException
+ * @throws IllegalArgumentException
+ * @throws NoSuchAlgorithmException
+ * @throws IOException
+ * @throws URISyntaxException
+ */
+ public GluGenRTJarSHASum()
+ throws SecurityException, IllegalArgumentException, NoSuchAlgorithmException, IOException, URISyntaxException
+ {
+ super(MessageDigest.getInstance("SHA-256"), GlueGenVersion.class, new ArrayList(), new ArrayList());
+ final List excludes = getExcludes();
+ final List includes = getIncludes();
+ final String origin = getOrigin();
+ excludes.add(Pattern.compile(origin+"/jogamp/android/launcher"));
+ excludes.add(Pattern.compile(origin+"/jogamp/common/os/android"));
+ excludes.add(Pattern.compile(origin+"/com/jogamp/gluegen/jcpp"));
+ includes.add(Pattern.compile(origin+"/com/jogamp/gluegen/runtime/.*\\.class"));
+ includes.add(Pattern.compile(origin+"/com/jogamp/common/.*"));
+ includes.add(Pattern.compile(origin+"/jogamp/common/.*"));
+ }
+ }
+
 public static void main(final String args[]) {
 System.err.println(VersionUtil.getPlatformInfo());
 System.err.println(GlueGenVersion.getInstance());
-- cgit v1.2.3
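Review bot: In the GluGenRTJarSHASum constructor, `origin` is concatenated unquoted into every `Pattern.compile(origin+"/…")` call, so any regex metacharacter in the value returned by getOrigin() (not visible in this hunk; presumably a jar path or URI, where `.` and `+` are common) is read as pattern syntax. The include/exclude set can then differ from what is intended, or compilation can throw PatternSyntaxException, and the runtime SHA-256 would cover a different set of entries than the build-time fingerprint it is compared against. Quote the prefix once, `final String origin = Pattern.quote(getOrigin());`, so that only the path suffixes are treated as regex. The three excludes also lack the trailing `/.*` that the includes carry, which works only if SHASum applies them with find() rather than matches(); a one-line comment such as `// excludes are prefix matches on the directory` would state which is intended. The public class name `GluGenRTJarSHASum` drops the `e` of GlueGen and is worth correcting before callers depend on it.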