TOFU BouncyCastle dependencies (JUnit, Mail, Activation)

rsksmart · Jul 19, 2018 · f2afd61 · f2afd61
1 parent a73f646
commit f2afd61
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/bouncycastle/1.59/Dockerfile b/bouncycastle/1.59/Dockerfile
@@ -12,6 +12,9 @@ RUN wget http://central.maven.org/maven2/javax/mail/javax.mail-api/1.6.1/javax.m
 RUN mkdir -p /opt/jaf
 RUN wget http://central.maven.org/maven2/javax/activation/activation/1.1.1/activation-1.1.1.jar -O /opt/jaf/activation.jar
 
+ADD dependencies_shasums.txt /
+RUN sha256sum --check /dependencies_shasums.txt
+
 RUN git clone https://github.com/bcgit/bc-java.git /code/bc-java
 
 WORKDIR /code/bc-java

diff --git a/bouncycastle/1.59/README.md b/bouncycastle/1.59/README.md
@@ -24,3 +24,12 @@ $ docker cp temp-container:/code/bc-java/build/artifacts/jdk1.5/jars/bclcrypto-j
 $ docker rm temp-container
 ```
 
+## Trust on first use (TOFU)
+
+BouncyCastle itself depends on three other dependencies (JUnit, Mail, Activation), which are downloaded from Maven Central.
+Since we haven't yet reproduced those builds, we are trusting current versions following the [TOFU model][tofu].
+We include a verification step which checks known hashes for these dependencies.
+The hashes are included in the `dependencies_shasums.txt` file.
+
+[tofu]: https://en.wikipedia.org/wiki/Trust_on_first_use
+
diff --git a/bouncycastle/1.59/dependencies_shasums.txt b/bouncycastle/1.59/dependencies_shasums.txt
@@ -0,0 +1,3 @@
+ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99  /opt/jaf/activation.jar
+269a37dfbb457854aaa8d2c387a07edd1c47e7ec02180753039c143d10fa9eb8  /opt/javamail/mail.jar
+59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a  /opt/junit/junit.jar