Skip to content

Commit

Permalink
Verify checksum of downloaded OpenJDK distributions (#680)
Browse files Browse the repository at this point in the history
  • Loading branch information
Malax authored May 24, 2024
1 parent 13c3f24 commit 022828c
Show file tree
Hide file tree
Showing 8 changed files with 62 additions and 7 deletions.
1 change: 1 addition & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions buildpacks/jvm/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added

- Checksum validation of downloaded OpenJDK distribution files. ([#680](https://github.com/heroku/buildpacks-jvm/pull/680))

### Changed

- Some error messages have changed so they longer suggest to open a Heroku support ticket. Instead, users are now provided with a link to create an issue on GitHub. ([#674](https://github.com/heroku/buildpacks-jvm/pull/674))
Expand Down
1 change: 1 addition & 0 deletions buildpacks/jvm/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ nom = "7"
inventory = { git = "https://github.com/Malax/inventory", features = ["sha2"] }
thiserror = "1"
sha2 = "0.10"
hex = "0.4"

[dev-dependencies]
buildpacks-jvm-shared-test.workspace = true
Expand Down
4 changes: 2 additions & 2 deletions buildpacks/jvm/openjdk_inventory.toml
Original file line number Diff line number Diff line change
Expand Up @@ -291,15 +291,15 @@ version = "11.0.23"
os = "linux"
arch = "arm64"
url = "https://heroku-buildpacks-jvm.s3.us-east-1.amazonaws.com/openjdk/zulu/arm64/11.0.23.tar.gz"
checksum = "sha256:7ab8f4ff3f1c675d8ca9a904f5d3657afcb59b6d852c4c1b2c5988a2854896cd"
checksum = "sha256:5b8b551785c4f23417c10feba5e0342af300f491cb7f4c62c7ed84fd37857960"
metadata.distribution = "zulu"

[[artifacts]]
version = "11.0.23"
os = "linux"
arch = "amd64"
url = "https://heroku-buildpacks-jvm.s3.us-east-1.amazonaws.com/openjdk/zulu/amd64/11.0.23.tar.gz"
checksum = "sha256:5b8b551785c4f23417c10feba5e0342af300f491cb7f4c62c7ed84fd37857960"
checksum = "sha256:7ab8f4ff3f1c675d8ca9a904f5d3657afcb59b6d852c4c1b2c5988a2854896cd"
metadata.distribution = "zulu"

[[artifacts]]
Expand Down
15 changes: 12 additions & 3 deletions buildpacks/jvm/src/errors.rs
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use crate::openjdk_artifact::HerokuOpenJdkVersionRequirement;
use crate::{OpenJdkArtifactRequirementParseError, OpenJdkBuildpackError};
use buildpacks_jvm_shared::log::log_please_try_again_error;
use buildpacks_jvm_shared::log::{log_please_try_again, log_please_try_again_error};
use buildpacks_jvm_shared::system_properties::ReadSystemPropertiesError;
use indoc::formatdoc;
use libherokubuildpack::log::log_error;
Expand Down Expand Up @@ -64,9 +64,9 @@ pub(crate) fn on_error_jvm_buildpack(error: OpenJdkBuildpackError) {
"Could not copy the contents of the application's JDK overlay.",
error,
),
OpenJdkBuildpackError::CannotOpenOpenJdkTarball(error) => log_please_try_again_error(
OpenJdkBuildpackError::CannotReadOpenJdkTarball(error) => log_please_try_again_error(
"Unexpected IO error",
"Could not open downloaded OpenJDK tarball file.",
"Could not read downloaded OpenJDK tarball file.",
error,
),
OpenJdkBuildpackError::CannotDecompressOpenJdkTarball(error) => log_please_try_again_error(
Expand Down Expand Up @@ -120,6 +120,15 @@ pub(crate) fn on_error_jvm_buildpack(error: OpenJdkBuildpackError) {
Details: {error}
", error = error },
),
OpenJdkBuildpackError::OpenJdkTarballChecksumError { expected, actual } => log_please_try_again(
"Corrupted OpenJDK download",
formatdoc! {"
The validation of the downloaded OpenJDK distribution failed due to a checksum mismatch.
Expected: {expected}
Actual: {actual}
", expected = hex::encode(expected), actual = hex::encode(actual) }
)
}
}
19 changes: 18 additions & 1 deletion buildpacks/jvm/src/layers/openjdk.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
use crate::openjdk_artifact::OpenJdkArtifactMetadata;
use crate::openjdk_version::OpenJdkVersion;
use crate::util::digest;
use crate::{
util, OpenJdkBuildpack, OpenJdkBuildpackError, JAVA_TOOL_OPTIONS_ENV_VAR_DELIMITER,
JAVA_TOOL_OPTIONS_ENV_VAR_NAME, JDK_OVERLAY_DIR_NAME,
Expand Down Expand Up @@ -57,7 +58,23 @@ impl<'a> Layer for OpenJdkLayer<'a> {
.map_err(OpenJdkBuildpackError::OpenJdkDownloadError)?;

std::fs::File::open(&path)
.map_err(OpenJdkBuildpackError::CannotOpenOpenJdkTarball)
.map_err(OpenJdkBuildpackError::CannotReadOpenJdkTarball)
.and_then(|file| {
digest::<Sha256>(file).map_err(OpenJdkBuildpackError::CannotReadOpenJdkTarball)
})
.and_then(|downloaded_file_digest| {
if downloaded_file_digest.as_slice() == self.artifact.checksum.value {
Ok(())
} else {
Err(OpenJdkBuildpackError::OpenJdkTarballChecksumError {
expected: self.artifact.checksum.value.clone(),
actual: downloaded_file_digest.to_vec(),
})
}
})?;

std::fs::File::open(&path)
.map_err(OpenJdkBuildpackError::CannotReadOpenJdkTarball)
.and_then(|mut file| {
libherokubuildpack::tar::decompress_tarball(&mut file, layer_path)
.map_err(OpenJdkBuildpackError::CannotDecompressOpenJdkTarball)
Expand Down
3 changes: 2 additions & 1 deletion buildpacks/jvm/src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,8 @@ enum OpenJdkBuildpackError {
UnsupportedOpenJdkVersion(OpenJdkArtifactRequirement),
OpenJdkDownloadError(DownloadError),
CannotCreateOpenJdkTempDir(std::io::Error),
CannotOpenOpenJdkTarball(std::io::Error),
CannotReadOpenJdkTarball(std::io::Error),
OpenJdkTarballChecksumError { expected: Vec<u8>, actual: Vec<u8> },
CannotDecompressOpenJdkTarball(std::io::Error),
ReadSystemPropertiesError(ReadSystemPropertiesError),
OpenJdkArtifactRequirementParseError(OpenJdkArtifactRequirementParseError),
Expand Down
22 changes: 22 additions & 0 deletions buildpacks/jvm/src/util.rs
Original file line number Diff line number Diff line change
@@ -1,6 +1,28 @@
use sha2::digest::{FixedOutput, Output, Update};
use std::fs::DirEntry;
use std::io::Read;
use std::path::{Path, PathBuf};

pub(crate) fn digest<D>(mut input: impl Read) -> Result<Output<D>, std::io::Error>
where
D: Default + Update + FixedOutput,
{
let mut digest = D::default();

let mut buffer = [0x00; 1024];
loop {
let bytes_read = input.read(&mut buffer)?;

if bytes_read > 0 {
digest.update(&buffer[..bytes_read]);
} else {
break;
}
}

Ok(digest.finalize_fixed())
}

pub(crate) fn list_directory_contents<P: AsRef<Path>>(path: P) -> std::io::Result<Vec<PathBuf>> {
std::fs::read_dir(path.as_ref())
.and_then(Iterator::collect::<std::io::Result<Vec<DirEntry>>>)
Expand Down

0 comments on commit 022828c

Please sign in to comment.