Karl/BobStore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tolerate multiple signatures on index

Browse Source
This commit is contained in:
Henrik Tunedal 2011-03-18 18:03:02 +01:00
parent 6950085b56
commit fabea142da
1 changed files with 52 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/org/fdroid/fdroid/RepoXMLHandler.java
View File

@ -30,6 +30,7 @@ import java.io.InputStreamReader;
import java.io.OutputStream; import java.io.OutputStream;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.security.cert.Certificate;
import java.util.Vector; import java.util.Vector;
import java.util.jar.JarEntry; import java.util.jar.JarEntry;
import java.util.jar.JarFile; import java.util.jar.JarFile;
@ -267,9 +268,13 @@ public class RepoXMLHandler extends DefaultHandler {
+ repo.address); + repo.address);
getRemoteFile(ctx, repo.address + "/index.jar", getRemoteFile(ctx, repo.address + "/index.jar",
"tempindex.jar"); "tempindex.jar");
String jarpath = ctx.getFilesDir() + "/tempindex.jar"; String jarpath = ctx.getFilesDir()
JarFile jar = new JarFile(jarpath); + "/tempindex.jar";
JarEntry je = (JarEntry) jar.getEntry("index.xml"); JarFile jar;
JarEntry je;
try {
jar = new JarFile(jarpath, true);
je = (JarEntry) jar.getEntry("index.xml");
File efile = new File(ctx.getFilesDir(), File efile = new File(ctx.getFilesDir(),
"/tempindex.xml"); "/tempindex.xml");
InputStream in = new BufferedInputStream(jar InputStream in = new BufferedInputStream(jar
@ -286,33 +291,41 @@ public class RepoXMLHandler extends DefaultHandler {
out.flush(); out.flush();
out.close(); out.close();
in.close(); in.close();
java.security.cert.Certificate[] certs = je } catch (SecurityException e) {
.getCertificates(); Log.e("FDroid", "Invalid hash for index file");
return false;
}
Certificate[] certs = je.getCertificates();
jar.close(); jar.close();
if (certs == null) { if (certs == null) {
Log.d("FDroid", "No signature found in index"); Log.d("FDroid", "No signature found in index");
return false; return false;
} }
if (certs.length != 1) { Log.d("FDroid", "Index has "
Log.d("FDroid", "Expected one signature - found " + certs.length + " signature"
+ certs.length); + (certs.length > 1 ? "s." : "."));
return false;
}
byte[] sig = certs[0].getEncoded(); boolean match = false;
for (Certificate cert : certs) {
byte[] sig = cert.getEncoded();
byte[] csig = new byte[sig.length * 2]; byte[] csig = new byte[sig.length * 2];
for (int j = 0; j < sig.length; j++) { for (int j = 0; j < sig.length; j++) {
byte v = sig[j]; byte v = sig[j];
int d = (v >> 4) & 0xf; int d = (v >> 4) & 0xf;
csig[j * 2] = (byte) (d >= 10 ? ('a' + d - 10) csig[j * 2] = (byte) (d >= 10
? ('a' + d - 10)
: ('0' + d)); : ('0' + d));
d = v & 0xf; d = v & 0xf;
csig[j * 2 + 1] = (byte) (d >= 10 ? ('a' + d - 10) csig[j * 2 + 1] = (byte) (d >= 10
? ('a' + d - 10)
: ('0' + d)); : ('0' + d));
} }
String ssig = new String(csig); if (repo.pubkey.equals(new String(csig))) {
match = true;
if (!ssig.equals(repo.pubkey)) { break;
}
}
if (!match) {
Log.d("FDroid", "Index signature mismatch"); Log.d("FDroid", "Index signature mismatch");
return false; return false;
} }