Fwd: CR 7004035 Updated, P4 java/classes_secu signed jar with only META-INF/* inside is not verifiable

Weijun Wang weijun.wang at oracle.com
Fri Dec 3 01:35:26 PST 2010

Hi Sean

Please review my code changes:


After this change, MANIFEST.MF's getSigners() and getCertificates() will 
be not null. Since every signer of the jar file has a hash of the 
manifest header, I regard all of them as signers of MANIFEST.MF.

The code changes also include a small change to JarSigner:

When -verbose:grouped is specified, jar entries with similar characters 
are grouped together. However, I still don't want to group a .SF (or 
.RSA) file and a normal unsigned entry (say, a class file added after 
jar signed) together. Thus I substitute the first letter of the label 
with "-" to distinguish between signature-related entries and the 
others. Now that MANIFEST can also be signed, its first letter is "s". 
Therefore I simply prefix the "-" before the label.

concisejarsigner.sh test is also updated, since the number of signed 
files is changed.


-------- Original Message --------
Subject: CR 7004035 Updated, P4 java/classes_secu signed jar with only 
META-INF/* inside is not verifiable
Date: Fri, 3 Dec 2010 02:20:53 -0700 (MST)
From: weijun.wang at oracle.com
To: judy.gao at sun.com, mala.bankal at sun.com, scteam at sun.com, 
bill.situ at oracle.com, amy.lu at oracle.com, weijun.wang at oracle.com, 
xuelei.fan at oracle.com

                         Sun Confidential: Internal only

*Synopsis*: signed jar with only META-INF/* inside is not verifiable

CrPrint: http://bt2ws.central.sun.com/CrPrint?id=7004035
Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=7004035

CR 7004035 changed on Dec 3 2010 by weijun.wang at oracle.com

=== Field ============ === New Value ============= === Old Value 

Is a Security Vulner.. N                           Y 

Keyword                                            security 

====================== =========================== 

*Change Request ID*: 7004035

*Synopsis*: signed jar with only META-INF/* inside is not verifiable

   Product: java
   Category: java
   Subcategory: classes_security
   Type: Defect
   Status: 3-Accepted
   Priority: 4-Low
   Introduced In Release:
   Introduced In Build:
   Responsible Manager: frances.ho at oracle.com
   Responsible Engineer: weijun.wang at oracle.com
   Initial Evaluator: jsn-sec-bugs at sun.com

=== *Description* 
If a jar file has only META-INF/MANIFEST.SF, then after signing it, the 
output jarfile is not verifiable. That is to say, running "jarsigner 
-verify the.jar" shows "jar is unsigned. (signatures missing or not 

How to reproduce it:

echo "Key: Value" > manifest
jar cvfm the.jar manifest
jarsigner the.jar me
jarsigner -verify the.jar

* Use the "jar m" trick to create a jar file with no "normal" entry.

*** (#1 of 1): 2010-12-02 04:26:51 GMT+00:00 weijun.wang at oracle.com

=== *Public Comments* 

=== *Comments* 

=== *Evaluation* 
The reason is that during the verification of the jarfile, the JarEntry 
for the MANIFEST.MF is treated differently from other entries, and its 
signers (or certificates) is not assigned. When JarSigner see no entry 
with any signer, it believes the file is not signed.

*** (#1 of 1): 2010-12-02 04:26:51 GMT+00:00 weijun.wang at oracle.com

=== *Suggested Fix* 
Also assign signers to MANIFEST.MF. Since every SF includes a 
*-Digest-Manifest-Main-Attributes digest and it;s always verified 
against the MANIFEST.MF headers, we believe the signers for MANIFEST.MF 
should includes all signers in the file.

*** (#1 of 1): 2010-12-02 04:26:51 GMT+00:00 weijun.wang at oracle.com

=== *Workaround* 

=== *Justification* 

=== *Additional Details* 
         Targeted Release:
         Commit To Fix In Build:
         Fixed In Build:
         Integrated In Build:
         Verified In Build:
   See Also:
   Duplicate of:
   Interest List:
   Program Management:
   Root Cause:
   Is a Security Vulnerability?: No
   Fix Affects Documentation: No
   Fix Affects Localization: No
   Reported by:

=== *History* 
         Date Submitted: 2010-12-02 04:26:50 GMT+00:00
         Submitted By: weijun.wang at oracle.com

         Status Changed    Date Updated                  Updated By
         3-Accepted        2010-12-02 09:33:41 GMT+00:00 
weijun.wang at oracle.com

=== *Solution* 

=== *Service Request* 
         ID: 1-720970607
         Account Name: JavaSoft
         Customer Contact:
         Customer Contact Role: D-Development
         Customer Contact Type: I-Internal (SMI) Customer
         Impact: Limited
         Functionality: Secondary
         Severity: 4
         Product Name: java
         Product Release: 7
         Product Build:
         Operating System: generic
         Hardware: generic
         Reference Number:
         Sun Contact: weijun.wang at oracle.com
         Status: Open
         Source: BugTraq2
         Submitted By: weijun.wang at oracle.com
         Submitted Date: 2010-12-02 04:26:52 GMT+00:00

=== *Activity* 

=== *Multiple Release (MR) Cluster* - 0 

=== *Escalations* 

More information about the security-dev mailing list