code review request: 7023056: NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build

Weijun Wang weijun.wang at oracle.com
Thu Mar 24 13:12:59 UTC 2011


Hi Sean

This is a regression made by my former treat-MANIFEST.MF-as-signed code 
change. Webrev here:

    http://cr.openjdk.java.net/~weijun/7023056/webrev.00/

For the reason, see the evaluation below.

=== *Description* ================================================
Running a Maven build of Glassfish sources fails using JDK 7.

java.lang.NullPointerException
	at java.util.Hashtable.remove(Hashtable.java:474)
	at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:226)

=== *Evaluation* =================================================
This is a regression made by
7004035: signed jar with only META-INF/* inside is not verifiable.

The jar verification has always been done in two steps:

   1. verify the signature of the SF file against its BLOCK file. This 
generates a map of entry name vs. its possible signers, saved in 
sigFileSigners. This is performed only once for each SF file.

   2. verify the digest of each entry. Each time an entry gets verified, 
its possible signers are moved to the verified signers, saved in another map 
-- verifiedSigners. For each entry, this step should be performed 
exactly once, by checking whether it has a digest line and whether it's still 
inside sigFileSigners.

Since 7004035, the MANIFEST.MF file is treated as signed. But it's a 
very special signed entry:

    it has no digest line in itself or any SF file

Therefore, in step 2 above for this file, we ignore the skip flag and 
always try the move (well, it has to be moved once to be treated as 
signed). This triggers an inconsistency: the name argument of the 
ManifestEntryVerifier.verify() method is set to null to trigger the skip 
flag, but we ignore it, and then there comes a stage where this argument 
is used, and we get the NPE.

Solution: MANIFEST.MF is special, so we treat it specially, by moving its 
possible signers to verifiedSigners as soon as the META-INF entries are 
processed, that is, in the JarFile.doneWithMeta() method. Back in 
ManifestEntryVerifier.verify(), we revert to the old behavior of 
always honoring the skip flag. In fact, this flag will always be true 
for the MANIFEST.MF entry.

Thanks
Max
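The following is an added illustration, not JDK source and not part of the original mail: a deliberately simplified model of the two-map bookkeeping the evaluation describes (sigFileSigners filled by step 1, verifiedSigners filled by step 2). It uses String arrays as constructed stand-ins for CodeSigner[], a single constructed signed entry besides MANIFEST.MF, and hypothetical method names verifyRegressed, verifyFixed and doneWithMeta. The regressed path shows why ignoring the skip flag for the manifest ends in Hashtable.remove(null) throwing NullPointerException; the fixed path shows the manifest's signers moved in doneWithMeta() and verify() honoring the skip flag unconditionally.

```java
import java.util.Hashtable;

/*
 * Hypothetical, simplified model (not JDK code) of the jar verification
 * bookkeeping described in the mail. sigFileSigners holds the possible
 * signers found in step 1; verifiedSigners holds signers confirmed in step 2.
 */
public class ManifestSkipFlagDemo {
    static final String MANIFEST = "META-INF/MANIFEST.MF";

    // entry name -> signer aliases (constructed stand-ins for CodeSigner[])
    final Hashtable<String, String[]> sigFileSigners = new Hashtable<>();
    final Hashtable<String, String[]> verifiedSigners = new Hashtable<>();

    ManifestSkipFlagDemo() {
        // Constructed step-1 result: since 7004035 MANIFEST.MF is treated as
        // signed, and one ordinary entry has a digest line in the SF file.
        sigFileSigners.put(MANIFEST, new String[] {"alias1"});
        sigFileSigners.put("com/example/Foo.class", new String[] {"alias1"});
    }

    /* Step 2 as it behaved after 7004035 (the regression): a null name is
     * the caller's way of asking for the skip, but for MANIFEST.MF the skip
     * is ignored and the move is attempted anyway. Hashtable rejects null
     * keys, so remove(null) throws NullPointerException. */
    void verifyRegressed(String name, boolean isManifest) {
        boolean skip = (name == null);
        if (skip && !isManifest) {
            return;
        }
        String[] signers = sigFileSigners.remove(name); // NPE when name == null
        if (signers != null) {
            verifiedSigners.put(name, signers);
        }
    }

    /* Fix, part 1: once the META-INF entries are processed, move the
     * manifest's possible signers straight to verifiedSigners (what the
     * mail describes for JarFile.doneWithMeta()). */
    void doneWithMeta() {
        String[] signers = sigFileSigners.remove(MANIFEST);
        if (signers != null) {
            verifiedSigners.put(MANIFEST, signers);
        }
    }

    /* Fix, part 2: verify() honors the skip flag unconditionally. For
     * MANIFEST.MF the flag is always set, so the maps are never touched
     * with a null key. */
    void verifyFixed(String name) {
        if (name == null) {
            return;
        }
        String[] signers = sigFileSigners.remove(name);
        if (signers != null) {
            verifiedSigners.put(name, signers);
        }
    }

    public static void main(String[] args) {
        // Regressed path: the manifest entry is verified with name == null.
        ManifestSkipFlagDemo before = new ManifestSkipFlagDemo();
        try {
            before.verifyRegressed(null, true);
            System.out.println("regressed: no exception (unexpected)");
        } catch (NullPointerException e) {
            System.out.println("regressed: NullPointerException from Hashtable.remove(null)");
        }

        // Fixed path: manifest signers move in doneWithMeta(), and verify()
        // simply skips the null-name call; the ordinary entry is still moved.
        ManifestSkipFlagDemo after = new ManifestSkipFlagDemo();
        after.doneWithMeta();
        after.verifyFixed(null);
        after.verifyFixed("com/example/Foo.class");
        System.out.println("fixed: verifiedSigners keys = " + after.verifiedSigners.keySet());
        System.out.println("fixed: sigFileSigners left  = " + after.sigFileSigners.keySet());
    }
}
```

Run with `javac ManifestSkipFlagDemo.java && java ManifestSkipFlagDemo`. The point of the model is the invariant the real code relies on: each entry's signers are moved from sigFileSigners to verifiedSigners exactly once, and the only entry with no digest line anywhere (MANIFEST.MF) gets its move done at a point where the entry name is known, not inside the per-entry verify() call that may legitimately be handed a null name.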
