Merge pull request #939 from hoangphamEclipse/master
Update signature validation logic
amvanbaren authored Jun 12, 2024
2 parents eb6cdd6 + ff54b6d commit 91ba91d
Showing 1 changed file with 29 additions and 3 deletions.
Expand Up @@ -31,6 +31,8 @@
import java.time.LocalDate;
import java.util.*;
import java.util.stream.Collectors;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

import static org.eclipse.openvsx.entities.FileResource.DOWNLOAD_SIG;
import static org.eclipse.openvsx.entities.FileResource.PUBLIC_KEY;
Expand Down Expand Up @@ -174,10 +176,11 @@ private void mirrorExtensionVersion(ExtensionJson json) throws RuntimeException
try (var extensionFile = downloadToFile(download, "extension_", ".vsix")) {
if(json.files.containsKey(DOWNLOAD_SIG)) {
try(
var signatureFile = downloadToFile(json.files.get(DOWNLOAD_SIG), "extension_", ".sigzip");
var publicKeyFile = downloadToFile(json.files.get(PUBLIC_KEY), "public_", ".pem")
var signatureZip = downloadToFile(json.files.get(DOWNLOAD_SIG), "extension_", ".sigzip");
var signature = extractSignature(signatureZip);
var publicKeyFile = downloadToFile(json.files.get(PUBLIC_KEY), "public_", ".pem");
) {
var verified = integrityService.verifyExtensionVersion(extensionFile, signatureFile, publicKeyFile);
var verified = integrityService.verifyExtensionVersion(extensionFile, signature, publicKeyFile);
if (!verified) {
throw new RuntimeException("Unverified vsix package");
}
Expand Down Expand Up @@ -214,4 +217,27 @@ private TempFile downloadToFile(String url, String prefix, String suffix) throws

return file;
}

private TempFile extractSignature(TempFile signatureZip) throws RuntimeException, IOException {
var signature = new TempFile("extension_",".signature.sig");
try(var zipInput = new ZipInputStream(Files.newInputStream(signatureZip.getPath()))) {
ZipEntry zipEntry = zipInput.getNextEntry();
while (zipEntry != null) {
if (zipEntry.getName().endsWith(".signature.sig")) {
try (var out = Files.newOutputStream(signature.getPath())) {
int len;
byte[] buffer = new byte[1024];
while ((len = zipInput.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
return signature;
}
}

zipEntry = zipInput.getNextEntry();
}
}

throw new RuntimeException("No extension signature found");
}
}
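Review bot: `extractSignature` copies the matching zip entry to disk with no size limit. The archive is downloaded from the URL in `json.files.get(DOWNLOAD_SIG)`, so an oversized or malformed upstream archive can fill the temp directory before `verifyExtensionVersion` ever runs; the read loop should stop at a small cap. The `TempFile` created on the method's first line only reaches the caller's try-with-resources on success, so it appears to be left behind when no `.signature.sig` entry exists or the copy throws. Closing it on those paths would fix that, assuming `TempFile.close()` removes the file, which is not visible here. A one-line comment noting that the entry name is only matched with `endsWith` and never used as an output path would also show the next reader that path traversal through entry names does not apply.

```java
private TempFile extractSignature(TempFile signatureZip) throws RuntimeException, IOException {
    var signature = new TempFile("extension_", ".signature.sig");
    try (var zipInput = new ZipInputStream(Files.newInputStream(signatureZip.getPath()))) {
        // … unchanged: entry loop, ".signature.sig" name match, output stream and buffer setup …
                    long total = 0;
                    while ((len = zipInput.read(buffer)) > 0) {
                        total += len;
                        // MAX_SIGNATURE_BYTES is a placeholder; the project would pick the limit.
                        if (total > MAX_SIGNATURE_BYTES) {
                            throw new RuntimeException("Extension signature too large");
                        }
                        out.write(buffer, 0, len);
                    }
        // … unchanged: return signature, advance to next entry …
    } catch (IOException | RuntimeException e) {
        // Extraction failed: the caller never receives the TempFile, so release it here.
        signature.close();
        throw e;
    }

    signature.close();
    throw new RuntimeException("No extension signature found");
```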
