jpkg enhancements to create signed modules
Sean Mullan
sean.mullan at oracle.com
Wed May 12 10:26:00 PDT 2010
On 5/12/10 6:19 AM, Vincent Ryan wrote:
>> [545] Having to shift the whole file here seems unfortunate. Is there
>> no way to predict the size of the signature in advance? Does it depend
>> upon anything other than the number of section hashes?
>
> The default format for the module signature is PKCS #7 SignedData type [1],
> which is an ASN.1 BER encoding of nested tag-length-value data structures.
> Unfortunately it is difficult to predict its exact size in advance without
> performing the actual encoding.
>
> The design choices are:
>
> 1) write the signature twice - first with a dummy signature to determine
> the exact size and then later with the true signature. No shift.
> -or-
> 2) write the signature once, at the end of the process. Shift required.
>
> The current implementation involves 1) _plus_ the shift. I can certainly
> improve on that.
>
>
>
> [1] http://tools.ietf.org/html/rfc2315#section-9.1
I think another option would be to process the data in two passes. The first
pass generates all the hash values, and the second pass writes out the file.
--Sean
More information about the jigsaw-dev
mailing list