Module file parse API

Sean Mullan sean.mullan at oracle.com
Thu Jun 21 06:00:55 PDT 2012 

On 6/21/12 8:10 AM, Paul Sandoz wrote:
>
> On Jun 21, 2012, at 1:59 PM, Sean Mullan wrote:
>
>> On 6/21/12 6:36 AM, Paul Sandoz wrote:
>>
>>>>> Having said that, I've been somewhat dubious on the overall
>>>>> value/purpose of the hashes inside the module file. They don't
>>>>> provide any security without something additional such as a
>>>>> signature, but when generating the signature, it has to
>>>>> recalculate all of the hashes again to be sure they are still
>>>>> correct since the module file was created. So their only value is
>>>>> as a checksum, but my experience with checksums is that they are
>>>>> usually stored separately from what they are computed over.
>>>>
>>>> I view the hashes in an unsigned module file as a checksum also,
>>>> but I think they are very useful. For example, if a tool is only
>>>> interested in the classes of a module file, it can skip to the
>>>> classes section, extract/process it, validate the hash, and exit
>>>> without having to finish reading the remainder of the module file.
>>>> This is nice, especially if the module file is being read from a
>>>> remote stream, and only possible with per section hashes.
>>>>
>>>
>>> Also one does not have to upload/download separate data to/from a
>>> repository for the content and the hash of the content. This also has
>>> the advantage that the repository can verify the hashes before
>>> accepting deployment of a module (instead of say uploading using
>>> multipart MIME).
>>
>> Ok, but I want to be sure I understand what you think the value of the hashes provides. Hashes without a signature don't provide any security since an attacker can change both the data and the hash without detection.
>
> Yes.
>
>
>> How are they providing value as a checksum? Do you think it will be common for someone to change the internal sections of the module file without updating the corresponding section hash?
>>
>
>
> No. Not someone but something by non-nefarious means :-) Bit rot on network transmission or on disk.

I don't know it still seems like unnecessary overhead for an extremely 
small likelihood. And wouldn't the entire file including the hashes be 
suspect then?

The hashes aren't even useful for signatures. This is because the signer 
*must* generate the hashes itself, and then generate a signature over 
them inside a PKCS#7 SignedData blob. It doesn't even use the existing 
hashes, so they are just extra duplication.

--Sean

More information about the jigsaw-dev mailing list