ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

Eirik Bjørsnøs eirbjo at gmail.com
Thu Jan 12 19:05:27 UTC 2023


>
> ZipFile.isSignatureRelated currently returns true for paths such as the
> following:
>
>
> META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA
>

I found a couple more call sites of SignatureFileVerifier.isBlockOrSF which
incorrectly treat [SF,DSA,RSA,EC] files as signature related even when they
reside in subdirectories of META-INF/:

o JarVerifier.beginEntry incorrectly sets up verification
o JarSigner.sign0 incorrectly identifies a jar as already signed, even when
it is not

I have made a draft PR which updates these call sites to require files to
reside directly in META-INF/ before they are considered signature related:

https://github.com/openjdk/jdk/pull/11976

The PR includes a new test which verifies that subdirectory signature files
are indeed ignored by the updated code.

Feedback on this PR is welcome!

A few questions:
>
> 1: Where is the exact location of signature related files specified?
>

I'm assuming the JAR File Specification is the normative source here [1].


> 2: Is the current behaviour indeed incorrect?
>

The spec says: "Note that if such files are located in META-INF
subdirectories, they are not considered signature-related"


> 3: Should ZipFile.isSignatureRelated be updated such that it only matches
> signature related files which reside exactly in "META-INF/" ?
>

I guess there is a risk that jar files may exist which are signed with
signature files in subdirectories. If such files exist, they are not
produced with jarsigner and they are not according to the spec.

Eirik.
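The check the mail describes, as an added illustration that is not OpenJDK code and not the PR's diff: an entry counts as signature related only when it sits directly in META-INF/ and ends in one of the extensions the mail lists (SF, DSA, RSA, EC), so the BouncyCastle path quoted above is ignored. The same predicate is then reused for the "is this jar already signed?" question raised for JarSigner.sign0. Case-insensitive comparison and the treatment of MANIFEST.MF as not signature related are assumptions of this example, not statements about the JDK.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example (not OpenJDK code): an entry is signature-related only when it
// lives directly under META-INF/ and has one of the extensions named in the mail.
public final class SignatureRelatedCheck {

    private static final String META_INF = "META-INF/";
    private static final Set<String> SIGNATURE_EXTENSIONS = Set.of("SF", "DSA", "RSA", "EC");

    /** True for META-INF/X.SF, META-INF/X.DSA, etc.; false for anything in a subdirectory. */
    static boolean isSignatureRelated(String entryName) {
        // Assumption of this example: names are compared case-insensitively,
        // so META-INF/bc2048ke.dsa is treated like META-INF/BC2048KE.DSA.
        String upper = entryName.toUpperCase(Locale.ROOT);
        if (!upper.startsWith(META_INF)) {
            return false;
        }
        String rest = upper.substring(META_INF.length());
        // The JAR File Specification says files located in META-INF subdirectories
        // are not signature-related, so any further '/' disqualifies the entry.
        if (rest.isEmpty() || rest.indexOf('/') >= 0) {
            return false;
        }
        int dot = rest.lastIndexOf('.');
        if (dot < 0) {
            return false;
        }
        return SIGNATURE_EXTENSIONS.contains(rest.substring(dot + 1));
    }

    /** A jar "looks signed" only if at least one entry passes the check above. */
    static boolean looksSigned(List<String> entryNames) {
        return entryNames.stream().anyMatch(SignatureRelatedCheck::isSignatureRelated);
    }

    public static void main(String[] args) {
        // Constructed sample entries; the first one is the path quoted in the mail.
        List<String> unsigned = List.of(
            "META-INF/MANIFEST.MF",
            "META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA",
            "META-INF/sub/SIGNER.EC",
            "com/example/Main.class");
        List<String> signed = List.of(
            "META-INF/MANIFEST.MF",
            "META-INF/SIGNER.SF",
            "META-INF/signer.rsa",
            "com/example/Main.class");

        for (String e : unsigned) {
            System.out.printf("%-85s %s%n", e,
                isSignatureRelated(e) ? "signature-related" : "ignored");
        }
        for (String e : signed) {
            System.out.printf("%-85s %s%n", e,
                isSignatureRelated(e) ? "signature-related" : "ignored");
        }
        System.out.println("first jar looks signed:  " + looksSigned(unsigned));
        System.out.println("second jar looks signed: " + looksSigned(signed));
    }
}
```

Run with `java SignatureRelatedCheck.java`: every entry of the first list, including the nested BC2048KE.DSA, is reported as ignored and the jar as not signed; the second list is reported as signed because of META-INF/SIGNER.SF and META-INF/signer.rsa.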