Skip to main content
aboutsummaryrefslogtreecommitdiffstats
blob: 017af5b24e3895d622cd22dd90b0376b097376f4 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
<?xml version='1.0' encoding='UTF-8'?>
<!-- Schema file written by PDE -->
<schema targetNamespace="org.eclipse.equinox.p2.artifact.repository" xmlns="http://www.w3.org/2001/XMLSchema">
<annotation>
      <appInfo>
         <meta.schema plugin="org.eclipse.equinox.p2.artifact.repository" id="artifactChecksums" name="Artifact Checksum support"/>
      </appInfo>
      <documentation>
         Provides a mapping from checksum algorithm id and &lt;code&gt;java.security.MessageDigest&lt;/code&gt; implementations.

&lt;p&gt;p2 detects errors which may have been introduced during artifact transmission/storage by calculating artifact checksum using MD5 hash function. As a &lt;a href=&quot;https://en.wikipedia.org/wiki/Collision_attack&quot;&gt;collision attack&lt;/a&gt; and a &lt;a href=&quot;https://en.wikipedia.org/wiki/Chosen-prefix_collision_attack&quot;&gt;chosen-prefix collision attack&lt;/a&gt; against MD5 have been demonstrated in public, it can be used but only to detect unintentional corruption. Current implementation is not extensible and doesn&apos;t allow to use other, more collision-resistant, hash functions.&lt;/p&gt;

&lt;p&gt;With this extension point, any &lt;code&gt;java.security.MessageDigest&lt;/code&gt; from Java Security API can be used to check integrity of artifacts. For more information on these APIs, see &lt;a href=&quot;https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html&quot;&gt;Java Cryptography Architecture (JCA) Reference Guide&lt;/a&gt;.&lt;/p&gt;
      </documentation>
   </annotation>

   <element name="extension">
      <annotation>
         <appInfo>
            <meta.element />
         </appInfo>
      </annotation>
      <complexType>
         <sequence>
            <element ref="artifactChecksum" minOccurs="1" maxOccurs="unbounded"/>
         </sequence>
         <attribute name="point" type="string" use="required">
            <annotation>
               <documentation>
                  
               </documentation>
            </annotation>
         </attribute>
         <attribute name="id" type="string">
            <annotation>
               <documentation>
                  
               </documentation>
            </annotation>
         </attribute>
         <attribute name="name" type="string">
            <annotation>
               <documentation>
                  
               </documentation>
               <appInfo>
                  <meta.attribute translatable="true"/>
               </appInfo>
            </annotation>
         </attribute>
      </complexType>
   </element>

   <element name="artifactChecksum">
      <complexType>
         <attribute name="id" type="string" use="required">
            <annotation>
               <documentation>
                  id of the checksum algorithm, i.e. &lt;code&gt;sha-512&lt;/code&gt;.

As other tools will rely on this id, consider using some well-defined value (i.e. &lt;a href=&quot;https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml&quot;&gt;Hash Function Textual Names&lt;/a&gt; ).
               </documentation>
            </annotation>
         </attribute>
         <attribute name="algorithm" type="string" use="required">
            <annotation>
               <documentation>
                  Name of the message digest algorithm as expected by &lt;code&gt;java.security.MessageDigest&lt;/code&gt;&apos;s method &lt;code&gt;getInstance(String)&lt;/code&gt;. Also check the MessageDigest section in the Java Cryptography Architecture Standard Algorithm Name Documentation for information about standard algorithm names.
               </documentation>
            </annotation>
         </attribute>
         <attribute name="providerName" type="string">
            <annotation>
               <documentation>
                  For custom security provider, name of the security provider that provides this message digest implementation, the value returned by &lt;code&gt;java.security.Provider.getName()&lt;/code&gt;.
               </documentation>
            </annotation>
         </attribute>
         <attribute name="warnInsecure" type="boolean">
            <annotation>
               <documentation>
                  Since 1.4.300
Set to true if this algorithm is now considered as insecure. A warning will be logged when this algorithm is used. An artifact that has no checksums or checksums only for insecure algorithms will emit a warning to user.
               </documentation>
            </annotation>
         </attribute>
      </complexType>
   </element>

   <annotation>
      <appInfo>
         <meta.section type="since"/>
      </appInfo>
      <documentation>
         2.4.0
      </documentation>
   </annotation>

   <annotation>
      <appInfo>
         <meta.section type="examples"/>
      </appInfo>
      <documentation>
         To enable support for MessageDigest implementation which is provided by a statically registered Provider, contributing bundle should only register an extension:

&lt;pre&gt;
&lt;extension point=&quot;org.eclipse.equinox.p2.artifact.repository.artifactChecksums&quot;&gt;
  &lt;artifactChecksum
   algorithm=&quot;SHA3-512&quot;
   id=&quot;sha3-512&quot;&gt;
  &lt;/artifactChecksum&gt;
&lt;/extension&gt;
&lt;/pre&gt;

If the MessageDigest implementation is provided by a custom security provider (from the contributing bundle itself or some other bundle), it should be registered first with the Framework service registry under interface &lt;code&gt;java.security.Provider&lt;/code&gt;:

&lt;pre&gt;
import java.security.Provider;
import java.util.Dictionary;
import java.util.Hashtable;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;

...

Dictionary&lt;String, Object&gt; props = new Hashtable&lt;&gt;();
props.put(&quot;providerName&quot;, &quot;BC&quot;);
ServiceRegistration&lt;Provider&gt; registration = context.registerService(Provider.class, new BouncyCastleProvider(), props);
&lt;/pre&gt;

and then register an extension using &lt;code&gt;providerName&lt;/code&gt; attribute:

&lt;pre&gt;
&lt;extension point=&quot;org.eclipse.equinox.p2.artifact.repository.artifactChecksums&quot;&gt;
  &lt;artifactChecksum
   algorithm=&quot;Whirlpool&quot;
   id=&quot;whirlpool&quot;
   providerName=&quot;BC&quot;&gt;
  &lt;/artifactChecksum&gt;
&lt;/extension&gt;
&lt;/pre&gt;
      </documentation>
   </annotation>


   <annotation>
      <appInfo>
         <meta.section type="implementation"/>
      </appInfo>
      <documentation>
         Contributes a checksum algorithm with id &lt;code&gt;sha-256&lt;/code&gt; and maps it to &lt;code&gt;SHA-256&lt;/code&gt; MessageDigest implementation.
      </documentation>
   </annotation>

   <annotation>
      <appInfo>
         <meta.section type="copyright"/>
      </appInfo>
      <documentation>
         Copyright (c) 2015, 2018 Mykola Nikishov.

This program and the accompanying materials are made 
available under the terms of the Eclipse Public License 2.0 which 
accompanies this distribution, and is available at 
&lt;a href=&quot;https://www.eclipse.org/legal/epl-2.0&quot;&gt;https://www.eclipse.org/legal/epl-v20.html&lt;/a&gt;/

SPDX-License-Identifier: EPL-2.0
      </documentation>
   </annotation>

</schema>

Back to the top