Fwd: CR 7004035 Updated, P4 java/classes_secu signed jar with only META-INF/* inside is not verifiable
Weijun Wang
weijun.wang at oracle.com
Fri Dec 3 09:35:26 UTC 2010
Hi Sean
Please review my code changes:
http://cr.openjdk.java.net/~weijun/7004035/webrev.00/
After this change, MANIFEST.MF's getSigners() and getCertificates() will
not be null. Since every signer of the jar file has a hash of the
manifest header, I regard all of them as signers of MANIFEST.MF.
The code changes also include a small change to JarSigner:
When -verbose:grouped is specified, jar entries with similar characters
are grouped together. However, I still don't want to group a .SF (or
.RSA) file and a normal unsigned entry (say, a class file added after
the jar is signed) together. Thus I substitute the first letter of the label
with "-" to distinguish between signature-related entries and the
others. Now that MANIFEST can also be signed, its first letter is "s".
Therefore I simply prefix the "-" before the label.
concisejarsigner.sh test is also updated, since the number of signed
files is changed.
Thanks
Max
-------- Original Message --------
Subject: CR 7004035 Updated, P4 java/classes_secu signed jar with only
META-INF/* inside is not verifiable
Date: Fri, 3 Dec 2010 02:20:53 -0700 (MST)
From: weijun.wang at oracle.com
To: judy.gao at sun.com, mala.bankal at sun.com, scteam at sun.com,
bill.situ at oracle.com, amy.lu at oracle.com, weijun.wang at oracle.com,
xuelei.fan at oracle.com
Sun Confidential: Internal only
*Synopsis*: signed jar with only META-INF/* inside is not verifiable
Bugster:
http://bt2ws.central.sun.com/loadcr.jnlp?jnlp_url=http://bugster.central.sun.com/&arg=7004035
CrPrint: http://bt2ws.central.sun.com/CrPrint?id=7004035
Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=7004035
CR 7004035 changed on Dec 3 2010 by weijun.wang at oracle.com
=== Field ============ === New Value ============= === Old Value =============
Is a Security Vulner.. N Y
Keyword security
====================== =========================== ===========================
*Change Request ID*: 7004035
*Synopsis*: signed jar with only META-INF/* inside is not verifiable
Product: java
Category: java
Subcategory: classes_security
Type: Defect
Subtype:
Status: 3-Accepted
Substatus:
Priority: 4-Low
Introduced In Release:
Introduced In Build:
Responsible Manager: frances.ho at oracle.com
Responsible Engineer: weijun.wang at oracle.com
Initial Evaluator: jsn-sec-bugs at sun.com
Keywords:
=== *Description*
============================================================
If a jar file has only META-INF/MANIFEST.SF, then after signing it, the
output jarfile is not verifiable. That is to say, running "jarsigner
-verify the.jar" shows "jar is unsigned. (signatures missing or not
parsable)".
How to reproduce it:
echo "Key: Value" > manifest
jar cvfm the.jar manifest
jarsigner the.jar me
jarsigner -verify the.jar
* Use the "jar m" trick to create a jar file with no "normal" entry.
*** (#1 of 1): 2010-12-02 04:26:51 GMT+00:00 weijun.wang at oracle.com
=== *Public Comments*
========================================================
=== *Comments*
===============================================================
=== *Evaluation*
=============================================================
The reason is that during the verification of the jarfile, the JarEntry
for the MANIFEST.MF is treated differently from other entries, and its
signers (or certificates) are not assigned. When JarSigner sees no entry
with any signer, it believes the file is not signed.
*** (#1 of 1): 2010-12-02 04:26:51 GMT+00:00 weijun.wang at oracle.com
=== *Suggested Fix*
==========================================================
Also assign signers to MANIFEST.MF. Since every SF includes a
*-Digest-Manifest-Main-Attributes digest and it's always verified
against the MANIFEST.MF headers, we believe the signers for MANIFEST.MF
should include all signers in the file.
*** (#1 of 1): 2010-12-02 04:26:51 GMT+00:00 weijun.wang at oracle.com
=== *Workaround*
=============================================================
=== *Justification*
==========================================================
=== *Additional Details*
=====================================================
Targeted Release:
Commit To Fix In Build:
Fixed In Build:
Integrated In Build:
Verified In Build:
See Also:
Duplicate of:
Hooks:
Hook1:
Hook2:
Hook3:
Hook4:
Hook5:
Hook6:
Interest List:
Program Management:
Root Cause:
Is a Security Vulnerability?: No
Fix Affects Documentation: No
Fix Affects Localization: No
Reported by:
=== *History*
================================================================
Date Submitted: 2010-12-02 04:26:50 GMT+00:00
Submitted By: weijun.wang at oracle.com
Status Changed Date Updated Updated By
3-Accepted 2010-12-02 09:33:41 GMT+00:00
weijun.wang at oracle.com
=== *Solution*
===============================================================
=== *Service Request*
========================================================
ID: 1-720970607
Customer:
Account Name: JavaSoft
Customer Contact:
Customer Contact Role: D-Development
Customer Contact Type: I-Internal (SMI) Customer
Impact: Limited
Functionality: Secondary
Severity: 4
Synopsis:
Product Name: java
Product Release: 7
Product Build:
Operating System: generic
Hardware: generic
Reference Number:
Sun Contact: weijun.wang at oracle.com
Status: Open
Source: BugTraq2
Reproducible:
Submitted By: weijun.wang at oracle.com
Submitted Date: 2010-12-02 04:26:52 GMT+00:00
Description:
=== *Activity*
===============================================================
=== *Multiple Release (MR) Cluster* - 0
======================================
=== *Escalations*
============================================================
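The per-entry signer check described in the Evaluation, as an added example (not code from the webrev or the JDK): it reads every entry of a jar through java.util.jar.JarFile and reports which entries carry signers, so both the META-INF-only case and entries added after signing are visible. The class name EntrySignerReport and the helper isSignatureFile are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added illustration; class and method names are hypothetical.
public class EntrySignerReport {
    // .SF files and signature blocks directly under META-INF/ are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC"));
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java EntrySignerReport <jar>");
            System.exit(2);
        }
        int signedNormal = 0;
        List<String> unsignedNormal = new ArrayList<>();
        CodeSigner[] manifestSigners = null;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(args[0], true)) { // true: verify while reading
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are known only after the entry is read to the end;
                // a digest mismatch is thrown here as SecurityException.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (e.getName().equalsIgnoreCase(JarFile.MANIFEST_NAME)) manifestSigners = signers;
                else if (signers != null) signedNormal++;
                else unsignedNormal.add(e.getName());
            }
        }
        System.out.println("MANIFEST.MF signers: " + (manifestSigners == null ? 0 : manifestSigners.length));
        System.out.println("signed normal entries: " + signedNormal);
        System.out.println("unsigned normal entries: " + unsignedNormal);
        // The case in this CR: no normal entries, so only MANIFEST.MF can carry a signer.
        if (signedNormal == 0 && manifestSigners == null)
            System.out.println("no entry carries a signer: a verifier counting signed entries reports unsigned");
    }
}
```

Run against the.jar from the reproduction steps, the MANIFEST.MF signer count shows whether the runtime assigns signers to the manifest as the Suggested Fix proposes.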