diff --git a/README.md b/README.md index 2777d9f..ed153e9 100644 --- a/README.md +++ b/README.md @@ -5,19 +5,16 @@ This plugin adds naturally spawning Giants with AI to your Minecraft server. ### Signing Public key goes into `resources/verifies_downloaded_jars.pem` -A test (and default) keystore is provided: -- keystore: `testkeystore` -- storepass: `123456` -- alias: `testkey` - -When using `mvn`, override with `-Djarsigner.` -``` -mvn clean package -Djarsigner.keystore=/home/user/mykeystore.jks -Djarsigner.alias=mykey -``` +A default keystore is not provided. To create a keystore and export public key: ``` keytool -keystore testkeystore2.jks -genkeypair -keyalg RSA -alias testkey -validity 999999 keytool -exportcert -alias testkey -keystore testkeystore2.jks -file cert.cer -rfc openssl x509 -inform pem -in cert.cer -pubkey -noout > public_key.pem +``` + +When using `mvn`, override with `-Djarsigner.` +``` +mvn clean package -Djarsigner.keystore=/home/user/mykeystore.jks -Djarsigner.alias=mykey ``` \ No newline at end of file diff --git a/pom.xml b/pom.xml index 636cdca..91bfd75 100644 --- a/pom.xml +++ b/pom.xml @@ -6,8 +6,8 @@ 11 - ${project.basedir}/testkeystore.jks - testkey + ${project.basedir}/keystore.jks + mykey 123456 UTF-8 UTF-8 diff --git a/src/main/java/eu/m724/giants/updater/JarVerifier.java b/src/main/java/eu/m724/giants/updater/JarVerifier.java index e4a0133..21086f3 100644 --- a/src/main/java/eu/m724/giants/updater/JarVerifier.java +++ b/src/main/java/eu/m724/giants/updater/JarVerifier.java 
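Review bot: The `123456` value kept as context in the pom.xml properties block is still a committed default; going by the removed README lines it appears to be the jarsigner store password. Anyone who drops a real `keystore.jks` next to the pom is therefore nudged towards reusing that password or editing a secret into the pom. Consider dropping the default and supplying `jarsigner.storepass` at build time from outside the repository (a `settings.xml` entry or CI secret), and add `keystore.jks` to `.gitignore` so a private key cannot be committed by accident. Because the deleted `testkeystore.jks` and its documented password remain in the repository history, the key in `resources/verifies_downloaded_jars.pem` should be checked and rotated if it was ever derived from that test key.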
@@ -7,10 +7,13 @@ import java.security.GeneralSecurityException; import java.security.KeyFactory; import java.security.PublicKey; import java.security.cert.Certificate; +import java.security.cert.X509Certificate; import java.security.interfaces.RSAPublicKey; import java.security.spec.X509EncodedKeySpec; +import java.util.ArrayList; import java.util.Base64; import java.util.Enumeration; +import java.util.List; import java.util.jar.JarEntry; import java.util.jar.JarFile; import java.util.jar.Manifest; @@ -96,11 +99,14 @@ public class JarVerifier { // Check if any signer's public key matches our RSA key boolean keyMatch = false; + List signerPublicKeys = new ArrayList<>(); + for (CodeSigner signer : signers) { for (Certificate cert : signer.getSignerCertPath().getCertificates()) { PublicKey certPublicKey = cert.getPublicKey(); if (certPublicKey instanceof RSAPublicKey) { RSAPublicKey rsaKey = (RSAPublicKey) certPublicKey; + signerPublicKeys.add(Base64.getEncoder().encodeToString(rsaKey.getEncoded())); if (rsaKey.getModulus().equals(publicKey.getModulus()) && rsaKey.getPublicExponent().equals(publicKey.getPublicExponent())) { keyMatch = true; @@ -112,7 +118,7 @@ public class JarVerifier { } if (!keyMatch) { - throw new VerificationException("Entry not signed with matching RSA key: " + entry.getName()); + throw new VerificationException("Entry " + entry.getName() + " signed with " + String.join(", ", signerPublicKeys) + ", none of which match " + Base64.getEncoder().encodeToString(publicKey.getEncoded())); } } } diff --git a/testkeystore.jks b/testkeystore.jks deleted file mode 100644 index 6c10b16..0000000 Binary files a/testkeystore.jks and /dev/null differ
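Review bot: The pin check in the `for (Certificate cert : signer.getSignerCertPath().getCertificates())` loop accepts a match on any certificate in the signer's path, not only the certificate that produced the signature. As far as I know, `JarFile` checks the entry signature against the signing certificate only and does not validate the rest of the path against a trust anchor, so extra certificates in the path should not count as proof of who signed. Compare only the first certificate, e.g. `Certificate cert = signer.getSignerCertPath().getCertificates().get(0);`, and fill `signerPublicKeys` from that certificate alone. The enclosing method starts and ends outside this hunk, so confirm there is no chain validation elsewhere before relying on this.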
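Review bot: `signerPublicKeys` is filled only inside the `instanceof RSAPublicKey` branch, so for a jar signed with a non-RSA key the new message reads `signed with , none of which match ...`, with nothing where the signer keys should be. Moving the add above the type check and recording the algorithm fixes that: `signerPublicKeys.add(certPublicKey.getAlgorithm() + ":" + Base64.getEncoder().encodeToString(certPublicKey.getEncoded()));`. The message is built from a downloaded, not-yet-trusted jar, so `entry.getName()` should have control characters stripped before it reaches a log. A short SHA-256 fingerprint of `getEncoded()` would also be easier to compare by eye than full Base64 keys.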