Just An Application

August 11, 2014

And Another One: Part Eight – JarVerifier.readCertificates

File

    $(ANDROID_SRC)/libcore/luni/src/main/java/java/util/jar/JarVerifier.java

The metaEntries Instance Variable

    private HashMap<String, byte[]> metaEntries = new HashMap<String, byte[]>(5);

The instance variable metaEntries maps the names of the JAR entries that represent the manifest, the signature files and the signed signature files to their contents.

It is populated by calls to the JarVerifier method addMetaEntry.

The addMetaEntry method is invoked by the JarFile methods readMetaEntries and getManifest.

The method JarFile.readMetaEntries is invoked during the construction of a JarFile. It adds all the signature files and signed signature files found in the JAR’s META-INF directory.

The method JarFile.getManifest is invoked by the JarFile.getInputStream method. It adds the manifest.

The JarVerifier method removeMetaEntries sets the value of metaEntries to null.

As we have seen, the JarFile method getInputStream invokes this after a successful call to the readCertificates method, thereby ensuring that readCertificates effectively only executes once.

The readCertificates Method

Source

    ...
    
    synchronized boolean readCertificates() {
        if (metaEntries == null) {
            return false;
        }
        Iterator<String> it = metaEntries.keySet().iterator();
        while (it.hasNext()) {
            String key = it.next();
            if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
                verifyCertificate(key);
                // Check for recursive class load
                if (metaEntries == null) {
                    return false;
                }
                it.remove();
            }
        }
        return true;
    }
    
    ...

If the instance variable metaEntries is not null then the readCertificates method iterates over the entry names looking for signed signature files, that is, names ending in .DSA, .RSA or .EC.

If it finds one, it invokes the method verifyCertificate, passing it the entry name of the signed signature file.

It then calls remove on the iterator, thereby removing the entry name/file contents mapping from metaEntries.
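A stand-alone model of the loop above, added here as an example (it is not the Android source), showing which keys are selected, what is left in the map afterwards, and how the null check behaves when the map is dropped during verification. The class name, the stub verifyCertificate, the reenter flag and the entry names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;

// Stand-alone model of the readCertificates loop; not the Android class.
public class ReadCertificatesModel {
    private Map<String, byte[]> metaEntries = new HashMap<>();
    final List<String> verified = new ArrayList<>();  // keys passed to the stub
    private final boolean reenter;  // simulate removeMetaEntries() during verification

    ReadCertificatesModel(boolean reenter, String... names) {
        this.reenter = reenter;
        for (String n : names) metaEntries.put(n, new byte[0]);  // constructed entries
    }

    // Stub standing in for verifyCertificate: records the key, optionally nulls the map.
    private void verifyCertificate(String key) {
        verified.add(key);
        if (reenter) metaEntries = null;
    }

    synchronized boolean readCertificates() {
        if (metaEntries == null) return false;
        Iterator<String> it = metaEntries.keySet().iterator();
        while (it.hasNext()) {
            String key = it.next();
            if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
                verifyCertificate(key);
                if (metaEntries == null) return false;  // map dropped mid-iteration
                it.remove();  // removal through the iterator keeps iteration valid
            }
        }
        return true;
    }

    public static void main(String[] args) {
        ReadCertificatesModel m = new ReadCertificatesModel(false,
                "META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA");
        System.out.println(m.readCertificates() + " verified=" + m.verified
                + " left=" + new TreeSet<>(m.metaEntries.keySet()));
        // Second call: no signature block file is left in the map.
        System.out.println(m.readCertificates() + " verified=" + m.verified);
        ReadCertificatesModel r = new ReadCertificatesModel(true, "META-INF/CERT.RSA");
        System.out.println(r.readCertificates() + " second=" + r.readCertificates());
    }
}
```

Note that verifyCertificate is called as a statement, so the value readCertificates returns says only whether the loop ran to completion with metaEntries still present, not whether any signed signature file was found or accepted.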


Copyright (c) 2014 By Simon Lewis. All Rights Reserved.

Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and owner Simon Lewis is strictly prohibited.

Excerpts and links may be used, provided that full and clear credit is given to Simon Lewis and justanapplication.wordpress.com with appropriate and specific direction to the original content.


1 Comment »

  1. […] the metaEntries instance variable is removed, which is possibly unwise because as we have seen the readCertificates method which invoked this method is iterating over the key set of […]

    Pingback by And Another One: Part Nine — JarVerifier.verifyCertificate | Just An Application — August 12, 2014 @ 7:05 am

