Artifact Checksum support

Identifier:
org.eclipse.equinox.p2.artifact.repository.artifactChecksums

Since:
2.4.0

Description:
Provides a mapping from checksum algorithm id and java.security.MessageDigest implementations.

p2 detects errors which may have been introduced during artifact transmission/storage by calculating artifact checksum using MD5 hash function. As a collision attack and a chosen-prefix collision attack against MD5 have been demonstrated in public, it can be used but only to detect unintentional corruption. Current implementation is not extensible and doesn't allow to use other, more collision-resistant, hash functions.

With this extension point, any java.security.MessageDigest from Java Security API can be used to check integrity of artifacts. For more information on these APIs, see Java Cryptography Architecture (JCA) Reference Guide.

Configuration Markup:

<!ELEMENT extension (artifactChecksum+)>

<!ATTLIST extension

point CDATA #REQUIRED

id    CDATA #IMPLIED

name  CDATA #IMPLIED>


<!ELEMENT artifactChecksum EMPTY>

<!ATTLIST artifactChecksum

id           CDATA #REQUIRED

algorithm    CDATA #REQUIRED

providerName CDATA #IMPLIED

warnInsecure (true | false)

priority     CDATA "0"

publish      (true | false) "true">


Examples:
To enable support for MessageDigest implementation which is provided by a statically registered Provider, contributing bundle should only register an extension:

<extension point="org.eclipse.equinox.p2.artifact.repository.artifactChecksums">
  <artifactChecksum
   algorithm="SHA3-512"
   id="sha3-512">
  </artifactChecksum>
</extension>
If the MessageDigest implementation is provided by a custom security provider (from the contributing bundle itself or some other bundle), it should be registered first with the Framework service registry under interface java.security.Provider:

import java.security.Provider;
import java.util.Dictionary;
import java.util.Hashtable;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;

...

Dictionary<String, Object> props = new Hashtable<>();
props.put("providerName", "BC");
ServiceRegistration<Provider> registration = context.registerService(Provider.class, new BouncyCastleProvider(), props);
and then register an extension using providerName attribute:

<extension point="org.eclipse.equinox.p2.artifact.repository.artifactChecksums">
  <artifactChecksum
   algorithm="Whirlpool"
   id="whirlpool"
   providerName="BC">
  </artifactChecksum>
</extension>

Supplied Implementation:
Contributes a checksum algorithm with id sha-256 and maps it to SHA-256 MessageDigest implementation.


Copyright (c) 2015, 2018 Mykola Nikishov. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which accompanies this distribution, and is available at https://www.eclipse.org/legal/epl-v20.html/ SPDX-License-Identifier: EPL-2.0