author | Max Romanov <max.romanov@nginx.com> | 2020-01-28 17:02:51 +0300 |
---|---|---|
committer | Max Romanov <max.romanov@nginx.com> | 2020-01-28 17:02:51 +0300 |
commit | 1949be644cff80c7d9d45215a8042e657b8e1087 (patch) | |
tree | c9b731ec38337b6b5008efe8b44fd951aa2f3b7d /auto | |
parent | 04bf6457c60ddba195f6ddfdb9b119ab34feb1d2 (diff) | |
download | unit-1949be644cff80c7d9d45215a8042e657b8e1087.tar.gz unit-1949be644cff80c7d9d45215a8042e657b8e1087.tar.bz2 |
Java: introducing SHA512 sum validation for external JARs.
Diffstat (limited to 'auto')
-rw-r--r-- | auto/modules/java | 2 | ||||
-rw-r--r-- | auto/modules/java_chk_sha512 | 49 | ||||
-rw-r--r-- | auto/modules/java_get_jar | 12 | ||||
-rw-r--r-- | auto/modules/java_jar.sha512 | 14 |
4 files changed, 76 insertions, 1 deletions
diff --git a/auto/modules/java b/auto/modules/java index 7d87aed3..0ca6c732 100644 --- a/auto/modules/java +++ b/auto/modules/java @@ -22,6 +22,7 @@ for nxt_option; do --lib-path=*) NXT_JAVA_LIB_PATH="$value" ;; --repo=*) NXT_JAR_REPO="$value" ;; --local-repo=*) NXT_JAR_LOCAL_REPO="$value" ;; + --sha512=*) NXT_SHA512_TOOL="$value" ;; --jars=*) NXT_JARS="$value" ;; --help) @@ -34,6 +35,7 @@ for nxt_option; do default: "$NXT_JAR_REPO" --local-repo=DIR set local repository directory default: "$NXT_JAR_LOCAL_REPO" + --sha512=SHA512 set command for SHA512 check --jars=DIR set jars install/search directory END diff --git a/auto/modules/java_chk_sha512 b/auto/modules/java_chk_sha512 new file mode 100644 index 00000000..10891cee --- /dev/null +++ b/auto/modules/java_chk_sha512 
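Review bot: In auto/modules/java the help line `--sha512=SHA512 set command for SHA512 check` uses a metavariable that reads like a digest value, while the option takes a command. I would write it as `--sha512=CMD set SHA512 check command, run as: CMD checksum-list-file`, so users know the command is handed a `HASH FILE` list and must exit non-zero on a mismatch, which is how auto/modules/java_chk_sha512 invokes it. The option loop and the here-document both start and end outside these two hunks.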
@@ -0,0 +1,49 @@
+
+# Copyright (C) NGINX, Inc.
+
+# NXT_JAR_FILE=
+# NXT_JAR_CHK_FILE=
+
+NXT_SHA512_TOOL=${NXT_SHA512_TOOL=}
+
+if [ -z "$NXT_SHA512_TOOL" ]; then
+ $echo -n "looking for sha512 check tool ..."
+ $echo "looking for sha512 check tool ..." >> $NXT_AUTOCONF_ERR
+
+ if sha512sum --version >/dev/null 2>&1; then
+ NXT_SHA512_TOOL="sha512sum --check"
+ else
+ if shasum --version >/dev/null 2>&1; then
+ NXT_SHA512_TOOL="shasum -a 512 --check"
+ else
+ if openssl version >/dev/null 2>&1; then
+ NXT_SHA512_TOOL="openssl dgst -sha512"
+ fi
+ fi
+ fi
+
+ if [ -z "$NXT_SHA512_TOOL" ]; then
+ $echo " not found"
+ $echo
+ $echo $0: error: no sha512 tool found.
+ $echo
+ $echo "error: no sha512 tool found" >> $NXT_AUTOCONF_ERR
+ exit 1
+ fi
+
+ $echo " $NXT_SHA512_TOOL"
+ $echo "found $NXT_SHA512_TOOL" >> $NXT_AUTOCONF_ERR
+fi
+
+if [ -f "$NXT_JAR_CHK_FILE" ]; then
+ NXT_JAR_SHA512=`grep -F $NXT_JAR_FILE auto/modules/java_jar.sha512 | head -c 128`
+ NXT_JAR_CHK=${NXT_JAR_CHK_FILE}.sha512.$$
+ $echo "$NXT_JAR_SHA512 $NXT_JAR_CHK_FILE" > $NXT_JAR_CHK
+
+ if ! $NXT_SHA512_TOOL $NXT_JAR_CHK >/dev/null 2>&1; then
+ $echo "SHA512 not matched for $NXT_JAR_FILE, removing $NXT_JAR_CHK_FILE"
+ rm -f $NXT_JAR_CHK_FILE
+ fi
+
+ rm -f $NXT_JAR_CHK
+fi
diff --git a/auto/modules/java_get_jar b/auto/modules/java_get_jar
index 52cd146f..81b300f9 100644
--- a/auto/modules/java_get_jar
+++ b/auto/modules/java_get_jar
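Review bot: The `openssl dgst -sha512` fallback in auto/modules/java_chk_sha512 does not verify anything: it is later run as `$NXT_SHA512_TOOL $NXT_JAR_CHK`, where `openssl dgst` only prints the digest of the temporary list file and exits 0, so on a host with neither sha512sum nor shasum every JAR is accepted. The smallest fix is to drop that branch so detection falls through to the existing "no sha512 tool found" error; the alternative is to compare the computed digest with `$NXT_JAR_SHA512` instead of trusting the exit status. A JAR with no entry in java_jar.sha512 also leaves `NXT_JAR_SHA512` empty, and rejection then depends on how the tool treats a malformed list. An explicit guard before the tool runs, such as `if [ -z "$NXT_JAR_SHA512" ]; then rm -f "$NXT_JAR_CHK_FILE"; fi`, would make that case fail closed for any tool, including one passed with `--sha512`. The expansions of `$NXT_JAR_FILE`, `$NXT_JAR_CHK` and `$NXT_JAR_CHK_FILE` should be quoted as well.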
@@ -13,13 +13,23 @@ NXT_JAR_LOCAL="${NXT_JAR_LOCAL_DIR}/${NXT_JAR_FILE}" NXT_JAR_LOCAL_TMP="${NXT_JAR_LOCAL_DIR}/.${NXT_JAR_FILE}.$$" NXT_JAR_URL=${NXT_JAR_REPO}${NXT_JAR_NAMESPACE}${NXT_JAR_NAME}/${NXT_JAR_VERSION}/${NXT_JAR_FILE} +NXT_JAR_CHK_FILE="$NXT_BUILD_DIR/$NXT_JAR_FILE" +. auto/modules/java_chk_sha512 + if [ ! -f "$NXT_BUILD_DIR/$NXT_JAR_FILE" ]; then - if [ ! -f "$NXT_JAR_LOCAL" ]; then + NXT_JAR_CHK_FILE=$NXT_JAR_LOCAL + . auto/modules/java_chk_sha512 + + if [ ! -f "${NXT_JAR_LOCAL}" ]; then $echo "getting remote $NXT_JAR_FILE ... " $echo "getting remote $NXT_JAR_FILE ..." >> $NXT_AUTOCONF_ERR mkdir -p "${NXT_JAR_LOCAL_DIR}" curl --progress-bar "$NXT_JAR_URL" -o "$NXT_JAR_LOCAL_TMP" + + NXT_JAR_CHK_FILE=$NXT_JAR_LOCAL_TMP + . auto/modules/java_chk_sha512 + mv "$NXT_JAR_LOCAL_TMP" "$NXT_JAR_LOCAL" else $echo "getting local $NXT_JAR_FILE" diff --git a/auto/modules/java_jar.sha512 b/auto/modules/java_jar.sha512 new file mode 100644 index 00000000..0f6daa8e --- /dev/null +++ b/auto/modules/java_jar.sha512 
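Review bot: A checksum mismatch on the freshly downloaded file is not treated as an error in this hunk of auto/modules/java_get_jar: java_chk_sha512 removes `$NXT_JAR_LOCAL_TMP` and returns, and the next line still runs `mv "$NXT_JAR_LOCAL_TMP" "$NXT_JAR_LOCAL"` on a file that is gone. I would stop explicitly after the check, for example `[ -f "$NXT_JAR_LOCAL_TMP" ] || exit 1`, and also write the mismatch to `$NXT_AUTOCONF_ERR` as the other messages do. The `curl` call is unchanged context, but without `--fail` an HTTP error page is saved as the JAR and only the checksum step catches it, which makes this fail-closed path matter more. The `else` branch and the closing `fi` lie outside the hunk, so whether a later step aborts the configure run cannot be seen from here.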
@@ -0,0 +1,14 @@ +21cf5171c84fb12d0903d4f7d4f62e8b3dc60142ca1c717c46f7e09f6d40ea9a05a5bca34d468e00a00b427991de966fb060dcc282d532ee6a21567f802abfab classgraph-4.4.11.jar +7287b1ea3e18423d027a99ce40ae72e46e1700a65b474d2ec09af6a17b10653b7c2e69e9bb87efe14f4c593dc66b6370ea566fce90edb4b4190a903046817e6f ecj-3.13.102.jar +4626b970aa4d04422db93a4847eb9749768042255e0ba4d4944e1a8ca854de9e5eb093fbf5f0c05b122b65885324a9afdb1819acfb936514848c0726537cd403 jetty-http-9.4.12.v20180830.jar +19c0ea335efd54f6758b64725b4938cd124e60856b8966e1c60d33a5ebe3c62eea5babe5974c3a1b2c5ea49013ba5fc99aaa1a27e5a9c85e46f693fc679e5309 jetty-server-9.4.12.v20180830.jar +37ab6c29e925138d09a99bba9ead16b693318d8e098f1cf19fb56438c5d96479410628a84fa5a6c410850226acf1542aeab2a4894cebc9af8afa021c767d71f0 jetty-util-9.4.12.v20180830.jar +bf57568311fceb52f6611a2284d395cf181b634e4b44179766201f27b5a8c6981339aa35b3a0cb270d81d2a026e3ee724912040e0df5cf5ffd6442588b5b1e49 tomcat-api-9.0.13.jar +68238e5e00c7d0f0b159950a3c7ad6f666b343f7b31c5f0349a1e3184dea9c96ef50def82cc1025d6bcd4bc564d36306a169f96be7677185585ea2469b84a128 tomcat-el-api-9.0.13.jar +51c40eca728a34a96b2af0891355733e5ab5fc3ac5eec62f57e1ea905426b573bf9d55637d3b831838694054fc4d9dd06e48eb98eca57584d2750651bd286e0b tomcat-jasper-9.0.13.jar +ec64d3796a7f7224b451659f7f2b4a48da8a63da46557934d82c07420fa237a23c077f94908caa557ef51776d9e0a98b75cf43e6639c07f26aedb1ed4be99a62 tomcat-jasper-el-9.0.13.jar +2b5b92269c92e981268e346dc1484ebf4c7e481c2be26d90b02f650f94097bc8b9f9f1bc6579896e036a69747f41bf8493b3fa8d7626beaba95b28ae77f0f8ab tomcat-jsp-api-9.0.13.jar +f97891d80a6f96e9c10e5aa1d6a917961307f1a523266f4b0b857bb9a9bbe13ad09352a52e287d2dff84d18948ca25908ff13689eaea5bd806053c87822a892d tomcat-juli-9.0.13.jar +6579b30d95fa104663e2dced86115593868f18448f38235d88ccb003eeeeb61b49532300a30e7437e5c709891601f6b9909c33f1f7bcdf93ac118b67a742fdf1 tomcat-servlet-api-9.0.13.jar 
+af5d2f0209b7977e3d2ff6bb87dfa72aaa6684e9cd1aab7e48b4f0d389549c052c4d42cf3bd4c08837d79738609a9dfd93c9fdcf740d7a0ae851d9f8523ff65d tomcat-util-9.0.13.jar +18fb1a0f7e4ceb3416fc005e14f2eff6c49422806df03dfdd2a16ecc1292d55d59645707d408853573294446c2f525572dc3c94d45d32856c5d040945cbe416d tomcat-util-scan-9.0.13.jar |