From ff54b6d59b38b786b05dff4f8bad687d1b5121c9 Mon Sep 17 00:00:00 2001
From: EHOAPHA
Date: Fri, 7 Jun 2024 18:30:53 -0400
Subject: [PATCH] Update signature validation logic

Since the signature format has been updated in PR #928, the mirror needs to update its logic for signature validation when mirroring extensions from upstream. With this commit, now the mirror will extract the signature zip file and look for the signature, then use this signature to validate the vsix.

Signed-off-by: Hoang Thuan Pham
---
 .../mirror/MirrorExtensionService.java | 32 +++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/server/src/main/java/org/eclipse/openvsx/mirror/MirrorExtensionService.java b/server/src/main/java/org/eclipse/openvsx/mirror/MirrorExtensionService.java
index 1a38b03a2..a9654cb9d 100644
--- a/server/src/main/java/org/eclipse/openvsx/mirror/MirrorExtensionService.java
+++ b/server/src/main/java/org/eclipse/openvsx/mirror/MirrorExtensionService.java
@@ -31,6 +31,8 @@
 import java.time.LocalDate;
 import java.util.*;
 import java.util.stream.Collectors;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
 import static org.eclipse.openvsx.entities.FileResource.DOWNLOAD_SIG;
 import static org.eclipse.openvsx.entities.FileResource.PUBLIC_KEY;
@@ -174,10 +176,11 @@ private void mirrorExtensionVersion(ExtensionJson json) throws RuntimeException
 try (var extensionFile = downloadToFile(download, "extension_", ".vsix")) {
 if(json.files.containsKey(DOWNLOAD_SIG)) {
 try(
- var signatureFile = downloadToFile(json.files.get(DOWNLOAD_SIG), "extension_", ".sigzip");
- var publicKeyFile = downloadToFile(json.files.get(PUBLIC_KEY), "public_", ".pem")
+ var signatureZip = downloadToFile(json.files.get(DOWNLOAD_SIG), "extension_", ".sigzip");
+ var signature = extractSignature(signatureZip);
+ var publicKeyFile = downloadToFile(json.files.get(PUBLIC_KEY), "public_", ".pem");
 ) {
- var verified = integrityService.verifyExtensionVersion(extensionFile, signatureFile, publicKeyFile);
+ var verified = integrityService.verifyExtensionVersion(extensionFile, signature, publicKeyFile);
 if (!verified) {
 throw new RuntimeException("Unverified vsix package");
 }
@@ -214,4 +217,27 @@ private TempFile downloadToFile(String url, String prefix, String suffix) throws
 return file;
 }
+
+ private TempFile extractSignature(TempFile signatureZip) throws RuntimeException, IOException {
+ var signature = new TempFile("extension_",".signature.sig");
+ try(var zipInput = new ZipInputStream(Files.newInputStream(signatureZip.getPath()))) {
+ ZipEntry zipEntry = zipInput.getNextEntry();
+ while (zipEntry != null) {
+ if (zipEntry.getName().endsWith(".signature.sig")) {
+ try (var out = Files.newOutputStream(signature.getPath())) {
+ int len;
+ byte[] buffer = new byte[1024];
+ while ((len = zipInput.read(buffer)) > 0) {
+ out.write(buffer, 0, len);
+ }
+ return signature;
+ }
+ }
+
+ zipEntry = zipInput.getNextEntry();
+ }
+ }
+
+ throw new RuntimeException("No extension signature found");
+ }
 }
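Review bot: The rewritten resource list still fetches the key with `json.files.get(PUBLIC_KEY)` under a guard that only tests `containsKey(DOWNLOAD_SIG)`, so a listing that carries a signature but no public-key entry presumably hands a null URL to downloadToFile instead of failing with a named cause. Since the purpose of this block is to refuse an unverified vsix, the explicit form `if (json.files.containsKey(DOWNLOAD_SIG) && !json.files.containsKey(PUBLIC_KEY)) { throw new RuntimeException("Signature present but no public key for " + json.name); }` placed before the try makes the abort deliberate rather than an incidental exception (the field name on ExtensionJson is not visible here, adjust it). mirrorExtensionVersion starts and ends outside the hunk, so how the exception is handled further out is not visible.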
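Review bot: The `signature` TempFile created on the first line of extractSignature leaks on every failure path: when no entry matches, the method throws `No extension signature found` after the file has already been created, and when reading the zip throws, the file is likewise never closed; only the success path hands it to the caller's try-with-resources (TempFile is AutoCloseable, as the caller's use shows; whether close() deletes the file is not visible here). The copy loop also places no bound on how many bytes it inflates from an archive fetched from the upstream registry, so an oversized or malformed entry fills the disk where a signature of a few hundred bytes is expected, and the declared entry size cannot be trusted either. Closing the TempFile in a finally unless it was returned, capping the copied bytes, and skipping directory entries address this; the redundant `throws RuntimeException` can be dropped as well. The hunk ends at the class's closing brace, so the new method is shown in full.
```java
// Constructed limit: signature payloads are small; tune to the real signature size.
private static final long MAX_SIGNATURE_BYTES = 64 * 1024;

private TempFile extractSignature(TempFile signatureZip) throws IOException {
    var signature = new TempFile("extension_",".signature.sig");
    var handedOff = false;
    try (var zipInput = new ZipInputStream(Files.newInputStream(signatureZip.getPath()))) {
        for (var zipEntry = zipInput.getNextEntry(); zipEntry != null; zipEntry = zipInput.getNextEntry()) {
            if (zipEntry.isDirectory() || !zipEntry.getName().endsWith(".signature.sig")) {
                continue;
            }
            try (var out = Files.newOutputStream(signature.getPath())) {
                var buffer = new byte[1024];
                long total = 0;
                int len;
                while ((len = zipInput.read(buffer)) > 0) {
                    total += len;
                    // Bound what is inflated from an upstream archive; the entry's declared size is not trusted.
                    if (total > MAX_SIGNATURE_BYTES) {
                        throw new IOException("Signature entry exceeds " + MAX_SIGNATURE_BYTES + " bytes");
                    }
                    out.write(buffer, 0, len);
                }
            }
            handedOff = true;
            return signature;
        }
        throw new RuntimeException("No extension signature found");
    } finally {
        if (!handedOff) {
            signature.close(); // the caller only owns the file on the success path
        }
    }
}
```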