RFR: 8159393 - jlink should print a warning that a signed modular JAR will be treated as unsigned
Jim Laskey (Oracle)
james.laskey at oracle.com
Mon Nov 7 13:26:21 UTC 2016
Revising to

    String name = entry.name().toUpperCase(Locale.ENGLISH);

    return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
                name.endsWith(".SF") ||
                name.endsWith(".DSA") ||
                name.endsWith(".RSA") ||
                name.endsWith(".EC") ||
                name.startsWith("META-INF/SIG-")
            );

> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:
>
> Right. From SignatureFileVerifier.java
>
>
>     /**
>      * Utility method used by JarVerifier and JarSigner
>      * to determine the signature file names and PKCS7 block
>      * files names that are supported
>      *
>      * @param s file name
>      * @return true if the input file name is a supported
>      *          Signature File or PKCS7 block file name
>      */
>     public static boolean isBlockOrSF(String s) {
>         // we currently only support DSA and RSA PKCS7 blocks
>         return s.endsWith(".SF")
>             || s.endsWith(".DSA")
>             || s.endsWith(".RSA")
>             || s.endsWith(".EC");
>     }
>
>     /**
>      * Yet another utility method used by JarVerifier and JarSigner
>      * to determine what files are signature related, which includes
>      * the MANIFEST, SF files, known signature block files, and other
>      * unknown signature related files (those starting with SIG- with
>      * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>      *
>      * @param name file name
>      * @return true if the input file name is signature related
>      */
>     public static boolean isSigningRelated(String name) {
>         name = name.toUpperCase(Locale.ENGLISH);
>         if (!name.startsWith("META-INF/")) {
>             return false;
>         }
>         name = name.substring(9);
>         if (name.indexOf('/') != -1) {
>             return false;
>         }
>         if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>             return true;
>         } else if (name.startsWith("SIG-")) {
>             // check filename extension
>             // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>             // for what filename extensions are legal
>             int extIndex = name.lastIndexOf('.');
>             if (extIndex != -1) {
>                 String ext = name.substring(extIndex + 1);
>                 // validate length first
>                 if (ext.length() > 3 || ext.length() < 1) {
>                     return false;
>                 }
>                 // then check chars, must be in [a-zA-Z0-9] per the jar spec
>                 for (int index = 0; index < ext.length(); index++) {
>                     char cc = ext.charAt(index);
>                     // chars are promoted to uppercase so skip lowercase checks
>                     if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>                         return false;
>                     }
>                 }
>             }
>             return true; // no extension is OK
>         }
>         return false;
>     }
>
>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>>
>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>
>>> Thank you. Regarding SIG- I was just following the spec.
>>>
>> I hope Sean or Max can jump in on this, the other question is .EC as I believe the JDK allows this when signing too.
>>
>> -Alan
>
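
The revised check from this message run next to the quoted isSigningRelated logic, as an added example that is not part of the original thread or the JDK sources. The class name, the condensed `quoted` method and the sample entry names are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;

// Added example: compares the revised check from the message with a
// condensed re-typing of the quoted isSigningRelated logic.
public class SignedEntryCheck {

    // The revised predicate from the message, taking the entry name directly.
    static boolean revised(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
                name.endsWith(".SF") || name.endsWith(".DSA") ||
                name.endsWith(".RSA") || name.endsWith(".EC") ||
                name.startsWith("META-INF/SIG-"));
    }

    // Same decisions as the quoted isSigningRelated, condensed.
    static boolean quoted(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        if (!name.startsWith("META-INF/")) return false;
        name = name.substring(9);
        if (name.indexOf('/') != -1) return false;
        if (name.endsWith(".SF") || name.endsWith(".DSA") || name.endsWith(".RSA")
                || name.endsWith(".EC") || name.equals("MANIFEST.MF")) return true;
        if (!name.startsWith("SIG-")) return false;
        int dot = name.lastIndexOf('.');
        // no extension is OK; otherwise it must be 1-3 chars of [A-Z0-9]
        return dot == -1 || name.substring(dot + 1).matches("[A-Z0-9]{1,3}");
    }

    public static void main(String[] args) {
        List<String> names = List.of(        // constructed sample entry names
                "META-INF/MANIFEST.MF",
                "META-INF/SIGNER.SF",
                "META-INF/signer.rsa",
                "META-INF/SIGNER.EC",
                "META-INF/SIG-BLOB",
                "META-INF/SIG-BLOB.LONGEXT",
                "META-INF/services/x.SF",
                "com/example/KEY.DSA");
        for (String n : names) {
            boolean r = revised(n), q = quoted(n);
            System.out.printf("%-28s revised=%-5b quoted=%-5b%s%n",
                    n, r, q, r != q ? "  <-- differ" : "");
        }
    }
}
```

On these sample names the two predicates differ only for `META-INF/MANIFEST.MF`, which the revised check leaves out, and `META-INF/SIG-BLOB.LONGEXT`, which the revised check accepts without validating the extension.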