java.security.MessageDigest implementations.
p2 detects errors that may have been introduced during artifact transmission or storage by calculating an artifact checksum with the MD5 hash function. Because a collision attack and a chosen-prefix collision attack against MD5 have been publicly demonstrated, MD5 can still be used, but only to detect unintentional corruption. The current implementation is not extensible and does not allow other, more collision-resistant hash functions to be used.
With this extension point, any java.security.MessageDigest from the Java Security API can be used to check the integrity of artifacts. For more information on these APIs, see the Java Cryptography Architecture (JCA) Reference Guide.
<!ELEMENT extension (artifactChecksum+)>
<!ATTLIST extension
point CDATA #REQUIRED
id CDATA #IMPLIED
name CDATA #IMPLIED>
<!ELEMENT artifactChecksum EMPTY>
<!ATTLIST artifactChecksum
id CDATA #REQUIRED
algorithm CDATA #REQUIRED
providerName CDATA #IMPLIED
warnInsecure (true | false)
priority CDATA "0"
publish (true | false) "true">
sha-512.
As other tools will rely on this id, consider using some well-defined value (i.e. Hash Function Textual Names).
java.security.MessageDigest's method getInstance(String). Also check the MessageDigest section in the Java Cryptography Architecture Standard Algorithm Name Documentation for information about standard algorithm names.
java.security.Provider.getName().
<extension point="org.eclipse.equinox.p2.artifact.repository.artifactChecksums">
   <artifactChecksum algorithm="SHA3-512" id="sha3-512">
   </artifactChecksum>
</extension>
If the MessageDigest implementation is provided by a custom security provider (from the contributing bundle itself or some other bundle), it should be registered first with the Framework service registry under interface java.security.Provider:
import java.security.Provider;
import java.util.Dictionary;
import java.util.Hashtable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
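...
// "context" is the bundle's BundleContext, e.g. the argument of BundleActivator.start(BundleContext)
Dictionary<String, Object> props = new Hashtable<>();
// Service property that the extension's providerName attribute refers to
props.put("providerName", "BC");
ServiceRegistration<Provider> registration = context.registerService(Provider.class, new BouncyCastleProvider(), props);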
and then register an extension using the providerName attribute:
<extension point="org.eclipse.equinox.p2.artifact.repository.artifactChecksums">
   <artifactChecksum algorithm="Whirlpool" id="whirlpool" providerName="BC">
   </artifactChecksum>
</extension>
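The following is an added example, not p2's own code: it shows how the algorithm and providerName values of such a contribution resolve through the JCA and how an artifact stream is then checked against an expected digest. The class and method names are hypothetical, passing providerName to the two-argument getInstance is an assumption, and the input is the well-known SHA-256 test vector for "abc".

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public class ArtifactChecksumCheck {
    // algorithm and providerName stand in for the extension's attributes (assumption);
    // providerName may be null because the attribute is optional (#IMPLIED).
    static MessageDigest resolve(String algorithm, String providerName) throws GeneralSecurityException {
        return providerName == null ? MessageDigest.getInstance(algorithm)
                                    : MessageDigest.getInstance(algorithm, providerName);
    }

    static boolean verify(InputStream artifact, String algorithm, String providerName, String expectedHex)
            throws IOException, GeneralSecurityException {
        MessageDigest digest = resolve(algorithm, providerName);
        byte[] buffer = new byte[8192];
        for (int n; (n = artifact.read(buffer)) != -1;) {
            digest.update(buffer, 0, n); // stream, so large artifacts are not held in memory
        }
        return MessageDigest.isEqual(digest.digest(), fromHex(expectedHex));
    }

    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: "abc" and its published SHA-256 digest; "abd" simulates corruption.
        String expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        byte[] good = "abc".getBytes(StandardCharsets.US_ASCII);
        byte[] corrupted = "abd".getBytes(StandardCharsets.US_ASCII);
        System.out.println(verify(new ByteArrayInputStream(good), "SHA-256", null, expected));
        System.out.println(verify(new ByteArrayInputStream(corrupted), "SHA-256", null, expected));
        try { // an unregistered provider name must fail the check, not skip it
            verify(new ByteArrayInputStream(good), "SHA-256", "NoSuchProviderName", expected);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```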
sha-256 and maps it to SHA-256 MessageDigest implementation.
Copyright (c) 2015, 2018 Mykola Nikishov. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which accompanies this distribution, and is available at https://www.eclipse.org/legal/epl-v20.html/ SPDX-License-Identifier: EPL-2.0