1 /*
2  * Copyright (C) 2013 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 
18 package android.util.jar;
19 
20 import android.system.ErrnoException;
21 import android.system.Os;
22 import android.system.OsConstants;
23 
24 import dalvik.system.CloseGuard;
25 import java.io.FileDescriptor;
26 import java.io.FilterInputStream;
27 import java.io.IOException;
28 import java.io.InputStream;
29 import java.security.cert.Certificate;
30 import java.util.HashMap;
31 import java.util.Iterator;
32 import java.util.Set;
33 import java.util.jar.JarFile;
34 import java.util.zip.Inflater;
35 import java.util.zip.InflaterInputStream;
36 import java.util.zip.ZipEntry;
37 import libcore.io.IoBridge;
38 import libcore.io.IoUtils;
39 import libcore.io.Streams;
40 
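/**
 * A subset of the JarFile API implemented as a thin wrapper over
 * system/core/libziparchive.
 *
 * <p>When constructed with {@code verify == true}, the manifest and every {@code META-INF/}
 * entry are read and parsed up front, and the constructor throws instead of returning an
 * instance for an archive it cannot accept. The per-entry verifier is only invoked once the
 * stream returned by {@link #getInputStream(ZipEntry)} has been read to the end of the entry,
 * so an entry's bytes should not be treated as authenticated until its stream is exhausted
 * and {@link #getCertificateChains(ZipEntry)} has returned a non-null result for it.
 *
 * <p>None of the accessors check whether {@link #close()} has already run. Callers must not
 * use an instance, or iterators and streams obtained from it, after closing it.
 *
 * @hide for internal use only. Not API compatible (or as forgiving) as
 *        {@link java.util.jar.JarFile}
 */
public final class StrictJarFile {

    // Handle returned by nativeOpenJarFile(); handed back to every other native call.
    private final long nativeHandle;

    // NOTE: It's possible to share a file descriptor with the native
    // code, at the cost of some additional complexity.
    private final FileDescriptor fd;

    // Both are null when the file was opened with verify == false.
    private final StrictJarManifest manifest;
    private final StrictJarVerifier verifier;

    // True only when verification was requested and the verifier reported a signed jar.
    private final boolean isSigned;

    private final CloseGuard guard = CloseGuard.get();
    private boolean closed;

    /**
     * Opens {@code fileName} read-only with signature verification and signature scheme
     * rollback protections both enabled.
     */
    public StrictJarFile(String fileName)
            throws IOException, SecurityException {
        this(fileName, true, true);
    }

    /**
     * Wraps an already open descriptor with signature verification and signature scheme
     * rollback protections both enabled. The descriptor is closed by {@link #close()} and
     * also by the constructor itself when verification fails.
     */
    public StrictJarFile(FileDescriptor fd)
            throws IOException, SecurityException {
        this(fd, true, true);
    }

    /**
     * Wraps an already open descriptor. The archive name used in diagnostics is synthesised
     * as {@code "[fd:N]"}. See the private constructor for the meaning of the flags.
     */
    public StrictJarFile(FileDescriptor fd,
            boolean verify,
            boolean signatureSchemeRollbackProtectionsEnforced)
                    throws IOException, SecurityException {
        this("[fd:" + fd.getInt$() + "]", fd, verify,
                signatureSchemeRollbackProtectionsEnforced);
    }

    /**
     * Opens {@code fileName} read-only. See the private constructor for the meaning of the
     * flags.
     */
    public StrictJarFile(String fileName,
            boolean verify,
            boolean signatureSchemeRollbackProtectionsEnforced)
                    throws IOException, SecurityException {
        this(fileName, IoBridge.open(fileName, OsConstants.O_RDONLY),
                verify, signatureSchemeRollbackProtectionsEnforced);
    }

    /**
     * @param name of the archive (not necessarily a path).
     * @param fd seekable file descriptor for the JAR file. Closed by this constructor if the
     *        manifest or signature files are rejected, otherwise by {@link #close()}.
     * @param verify whether to verify the file's JAR signatures and collect the corresponding
     *        signer certificates. With {@code false} no manifest is parsed and every stream
     *        is returned without any integrity check.
     * @param signatureSchemeRollbackProtectionsEnforced {@code true} to enforce protections against
     *        stripping newer signature schemes (e.g., APK Signature Scheme v2) from the file, or
     *        {@code false} to ignore any such protections. This parameter is ignored when
     *        {@code verify} is {@code false}.
     * @throws IOException if the archive cannot be opened or its metadata cannot be read.
     * @throws SecurityException if the manifest names an entry that is not in the archive;
     *         the manifest and verifier classes may raise it for other reasons as well.
     */
    private StrictJarFile(String name,
            FileDescriptor fd,
            boolean verify,
            boolean signatureSchemeRollbackProtectionsEnforced)
                    throws IOException, SecurityException {
        // NOTE(review): this call sits outside the try block below, so when it throws the
        // descriptor is not closed here. For the file-name constructors nobody else holds a
        // reference to that descriptor - confirm whether it should be closed on this path.
        this.nativeHandle = nativeOpenJarFile(name, fd.getInt$());
        this.fd = fd;

        try {
            // Read the MANIFEST and signature files up front and try to
            // parse them. We never want to accept a JAR File with broken signatures
            // or manifests, so it's best to throw as early as possible.
            if (verify) {
                HashMap<String, byte[]> metaEntries = getMetaEntries();
                this.manifest = new StrictJarManifest(metaEntries.get(JarFile.MANIFEST_NAME), true);
                this.verifier =
                        new StrictJarVerifier(
                                name,
                                manifest,
                                metaEntries,
                                signatureSchemeRollbackProtectionsEnforced);
                // Every entry the manifest lists must exist in the archive; a manifest that
                // refers to a missing file is rejected outright.
                Set<String> files = manifest.getEntries().keySet();
                for (String file : files) {
                    if (findEntry(file) == null) {
                        throw new SecurityException("File " + file + " in manifest does not exist");
                    }
                }

                isSigned = verifier.readCertificates() && verifier.isSignedJar();
            } else {
                isSigned = false;
                this.manifest = null;
                this.verifier = null;
            }
        } catch (IOException | SecurityException e) {
            // Release both the native archive and the descriptor before propagating, and
            // mark the instance closed so the finalizer does not release them again.
            nativeClose(this.nativeHandle);
            IoUtils.closeQuietly(fd);
            closed = true;
            throw e;
        }

        guard.open("close");
    }

    /** Returns the parsed manifest, or {@code null} if the file was opened without verification. */
    public StrictJarManifest getManifest() {
        return manifest;
    }

    /** Returns an iterator over the entries of the archive (empty name prefix). */
    public Iterator<ZipEntry> iterator() throws IOException {
        return new EntryIterator(nativeHandle, "");
    }

    /**
     * Looks up an entry by name through the native archive handle. The constructor treats a
     * {@code null} result as "no such entry".
     */
    public ZipEntry findEntry(String name) {
        return nativeFindEntry(nativeHandle, name);
    }

    /**
     * Return all certificate chains for a given {@link ZipEntry} belonging to this jar.
     * This method MUST be called only after fully exhausting the InputStream belonging
     * to this entry.
     *
     * Returns {@code null} if this jar file isn't signed or if this method is
     * called before the stream is processed.
     */
    public Certificate[][] getCertificateChains(ZipEntry ze) {
        if (isSigned) {
            return verifier.getCertificateChains(ze.getName());
        }

        return null;
    }

    /**
     * Return all certificates for a given {@link ZipEntry} belonging to this jar.
     * This method MUST be called only after fully exhausting the InputStream belonging
     * to this entry.
     *
     * Returns {@code null} if this jar file isn't signed or if this method is
     * called before the stream is processed.
     *
     * @deprecated Switch callers to use getCertificateChains instead
     */
    @Deprecated
    public Certificate[] getCertificates(ZipEntry ze) {
        if (!isSigned) {
            return null;
        }

        Certificate[][] certChains = verifier.getCertificateChains(ze.getName());
        if (certChains == null) {
            // Honour the documented contract: no chains recorded for this entry means null,
            // not a NullPointerException from the loops below.
            return null;
        }

        // Measure number of certs.
        int count = 0;
        for (Certificate[] chain : certChains) {
            count += chain.length;
        }

        // Create new array and copy all the certs into it.
        Certificate[] certs = new Certificate[count];
        int i = 0;
        for (Certificate[] chain : certChains) {
            System.arraycopy(chain, 0, certs, i, chain.length);
            i += chain.length;
        }

        return certs;
    }

    /**
     * Returns a stream over the uncompressed contents of {@code ze}.
     *
     * <p>The stream feeds the verifier only when the jar is signed and the verifier hands out
     * an entry for this name. In every other case (file opened without verification, unsigned
     * jar, or a name the verifier has no entry for) the raw stream is returned and nothing
     * checks its contents. Callers that depend on the signature must read the stream to the
     * end and then confirm that {@link #getCertificateChains(ZipEntry)} is non-null.
     */
    public InputStream getInputStream(ZipEntry ze) {
        final InputStream is = getZipInputStream(ze);

        if (isSigned) {
            StrictJarVerifier.VerifierEntry entry = verifier.initEntry(ze.getName());
            if (entry == null) {
                return is;
            }

            return new JarFileInputStream(is, ze.getSize(), entry);
        }

        return is;
    }

    /**
     * Releases the native archive handle and closes the file descriptor. Calling it again
     * is a no-op.
     */
    public void close() throws IOException {
        if (!closed) {
            if (guard != null) {
                guard.close();
            }

            nativeClose(nativeHandle);
            IoUtils.closeQuietly(fd);
            closed = true;
        }
    }

    /** Reports a missed {@link #close()} through the CloseGuard, then closes the file. */
    @Override
    protected void finalize() throws Throwable {
        try {
            if (guard != null) {
                guard.warnIfOpen();
            }
            close();
        } finally {
            super.finalize();
        }
    }

    /**
     * Builds the raw (unverified) stream for an entry: a bounded window over the shared
     * descriptor for STORED entries, and the same window wrapped in an inflater otherwise.
     * Offsets and sizes are taken from the entry as reported by the native layer.
     */
    private InputStream getZipInputStream(ZipEntry ze) {
        if (ze.getMethod() == ZipEntry.STORED) {
            return new FDStream(fd, ze.getDataOffset(),
                    ze.getDataOffset() + ze.getSize());
        } else {
            final FDStream wrapped = new FDStream(
                    fd, ze.getDataOffset(), ze.getDataOffset() + ze.getCompressedSize());

            // Inflater buffer: at least 1 KiB, at most 65535 bytes, otherwise the entry size.
            int bufSize = Math.max(1024, (int) Math.min(ze.getSize(), 65535L));
            // NOTE(review): InflaterInputStream.close() only ends inflaters it created itself,
            // so this one keeps its native state until it is garbage collected - confirm
            // whether it should be ended explicitly.
            return new ZipInflaterInputStream(wrapped, new Inflater(true), bufSize, ze);
        }
    }

    /**
     * Iterator over archive entries whose names start with a given prefix, backed by a
     * native iteration handle.
     *
     * <p>{@link #hasNext()} fetches one entry ahead and caches it for {@link #next()}. When
     * {@code next()} is called at the end of the iteration it returns whatever the native
     * call returns ({@code null}, which is how {@code hasNext()} detects the end) instead of
     * throwing {@code NoSuchElementException}.
     */
    static final class EntryIterator implements Iterator<ZipEntry> {
        private final long iterationHandle;
        // Entry pre-fetched by hasNext() and not yet handed out by next().
        private ZipEntry nextEntry;

        EntryIterator(long nativeHandle, String prefix) throws IOException {
            iterationHandle = nativeStartIteration(nativeHandle, prefix);
        }

        @Override
        public ZipEntry next() {
            if (nextEntry != null) {
                final ZipEntry ze = nextEntry;
                nextEntry = null;
                return ze;
            }

            return nativeNextEntry(iterationHandle);
        }

        @Override
        public boolean hasNext() {
            if (nextEntry != null) {
                return true;
            }

            final ZipEntry ze = nativeNextEntry(iterationHandle);
            if (ze == null) {
                return false;
            }

            nextEntry = ze;
            return true;
        }

        @Override
        public void remove() {
            throw new UnsupportedOperationException();
        }
    }

    /**
     * Reads every entry under {@code META-INF/} fully into memory, keyed by entry name.
     *
     * <p>This runs from the constructor before {@code isSigned} has been assigned, so
     * {@link #getInputStream(ZipEntry)} sees the field's default value and returns the raw
     * stream: the metadata is read unverified, as it has to be.
     */
    private HashMap<String, byte[]> getMetaEntries() throws IOException {
        HashMap<String, byte[]> metaEntries = new HashMap<String, byte[]>();

        Iterator<ZipEntry> entryIterator = new EntryIterator(nativeHandle, "META-INF/");
        while (entryIterator.hasNext()) {
            final ZipEntry entry = entryIterator.next();
            // NOTE(review): neither the number of entries nor their size is bounded here;
            // both come from the archive being checked - confirm a limit is applied elsewhere.
            metaEntries.put(entry.getName(), Streams.readFully(getInputStream(entry)));
        }

        return metaEntries;
    }

    /**
     * Stream that passes every byte it returns to a verifier entry and asks that entry to
     * verify itself once the declared entry size has been consumed or the wrapped stream
     * ends early.
     */
    static final class JarFileInputStream extends FilterInputStream {
        private final StrictJarVerifier.VerifierEntry entry;

        // Bytes of the declared entry size that have not been read yet.
        private long count;
        // Set once verify() has been requested; later reads report end of stream.
        private boolean done = false;

        /**
         * @param is raw stream for the entry.
         * @param size declared uncompressed size of the entry.
         * @param e verifier entry that receives the data and performs the final check.
         */
        JarFileInputStream(InputStream is, long size, StrictJarVerifier.VerifierEntry e) {
            super(is);
            entry = e;

            count = size;
        }

        @Override
        public int read() throws IOException {
            if (done) {
                return -1;
            }
            if (count > 0) {
                int r = super.read();
                if (r != -1) {
                    entry.write(r);
                    count--;
                } else {
                    // Premature end of data: stop counting and let verify() decide.
                    count = 0;
                }
                if (count == 0) {
                    done = true;
                    entry.verify();
                }
                return r;
            } else {
                done = true;
                entry.verify();
                return -1;
            }
        }

        @Override
        public int read(byte[] buffer, int byteOffset, int byteCount) throws IOException {
            if (done) {
                return -1;
            }
            if (count > 0) {
                // Never request more than the declared size still outstanding. Otherwise a
                // wrapped stream that yields more data than declared would hand the caller
                // bytes that were never passed to the verifier.
                if (byteCount > count) {
                    byteCount = (int) count;
                }
                int r = super.read(buffer, byteOffset, byteCount);
                if (r != -1) {
                    entry.write(buffer, byteOffset, r);
                    count -= r;
                } else {
                    // Premature end of data: stop counting and let verify() decide.
                    count = 0;
                }
                if (count == 0) {
                    done = true;
                    entry.verify();
                }
                return r;
            } else {
                done = true;
                entry.verify();
                return -1;
            }
        }

        @Override
        public int available() throws IOException {
            if (done) {
                return 0;
            }
            return super.available();
        }

        @Override
        public long skip(long byteCount) throws IOException {
            // Skip by reading so that skipped bytes still go through the verifier.
            return Streams.skipByReading(this, byteCount);
        }
    }

    /**
     * Inflater stream that tracks how many bytes it has produced and fails at end of stream
     * if that total differs from the entry's declared size.
     *
     * @hide
     */
    public static class ZipInflaterInputStream extends InflaterInputStream {
        private final ZipEntry entry;
        private long bytesRead = 0;

        public ZipInflaterInputStream(InputStream is, Inflater inf, int bsize, ZipEntry entry) {
            super(is, inf, bsize);
            this.entry = entry;
        }

        @Override public int read(byte[] buffer, int byteOffset, int byteCount) throws IOException {
            final int i;
            try {
                i = super.read(buffer, byteOffset, byteCount);
            } catch (IOException e) {
                // Re-throw with the entry name and position, keeping the original as cause.
                throw new IOException("Error reading data for " + entry.getName() + " near offset "
                        + bytesRead, e);
            }
            if (i == -1) {
                // The size check runs only when the inflater reports end of stream; a reader
                // that stops early never triggers it.
                if (entry.getSize() != bytesRead) {
                    throw new IOException("Size mismatch on inflated file: " + bytesRead + " vs "
                            + entry.getSize());
                }
            } else {
                bytesRead += i;
            }
            return i;
        }

        @Override public int available() throws IOException {
            if (closed) {
                // Our superclass will throw an exception, but there's a jtreg test that
                // explicitly checks that the InputStream returned from ZipFile.getInputStream
                // returns 0 even when closed.
                return 0;
            }
            return super.available() == 0 ? 0 : (int) (entry.getSize() - bytesRead);
        }
    }

    /**
     * Wrap a stream around a FileDescriptor.  The file descriptor is shared
     * among all streams returned by getInputStream(), so we have to synchronize
     * access to it.  (We can optimize this by adding buffering here to reduce
     * collisions.)
     *
     * <p>Each stream keeps its own position and seeks the shared descriptor to it before
     * every read. Reads and skips are confined to the window
     * {@code [initialOffset, endOffset)}.
     *
     * <p>We could support mark/reset, but we don't currently need them.
     *
     * @hide
     */
    public static class FDStream extends InputStream {
        private final FileDescriptor fd;
        private long endOffset;
        private long offset;

        public FDStream(FileDescriptor fd, long initialOffset, long endOffset) {
            this.fd = fd;
            offset = initialOffset;
            this.endOffset = endOffset;
        }

        @Override public int available() throws IOException {
            return (offset < endOffset ? 1 : 0);
        }

        @Override public int read() throws IOException {
            return Streams.readSingleByte(this);
        }

        @Override public int read(byte[] buffer, int byteOffset, int byteCount) throws IOException {
            synchronized (this.fd) {
                final long length = endOffset - offset;
                if (length <= 0) {
                    // Empty or inverted window (for example an entry reporting a negative
                    // size): report end of stream instead of passing a negative count down.
                    return -1;
                }
                if (byteCount > length) {
                    byteCount = (int) length;
                }
                try {
                    Os.lseek(fd, offset, OsConstants.SEEK_SET);
                } catch (ErrnoException e) {
                    throw new IOException(e);
                }
                int count = IoBridge.read(fd, buffer, byteOffset, byteCount);
                if (count > 0) {
                    offset += count;
                    return count;
                } else {
                    return -1;
                }
            }
        }

        @Override public long skip(long byteCount) throws IOException {
            final long remaining = endOffset - offset;
            if (byteCount <= 0 || remaining <= 0) {
                // A negative count must not move the position backwards, which would let
                // later reads return data from before the start of this entry's window.
                return 0;
            }
            if (byteCount > remaining) {
                byteCount = remaining;
            }
            offset += byteCount;
            return byteCount;
        }
    }

    private static native long nativeOpenJarFile(String name, int fd)
            throws IOException;
    private static native long nativeStartIteration(long nativeHandle, String prefix);
    private static native ZipEntry nativeNextEntry(long iterationHandle);
    private static native ZipEntry nativeFindEntry(long nativeHandle, String entryName);
    private static native void nativeClose(long nativeHandle);
}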
495