jar verification regression Oracle 8u141

Bernd ecki at zusammenkunft.net
Wed Jul 19 12:01:02 UTC 2017


Hello,

after upgrading Java Web Start to 8u141 an application fails to start with
a JAR verification error:

com.sun.deploy.net.JARSigningException: Signatur konnte nicht verifiziert
werden in Ressource:
http://localhost:10000/seeburger/app/commons-httpclient.jar
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown
Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)
    at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

java.lang.SecurityException: digest missing for
org/apache/commons/httpclient
    at
sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)
    at java.util.jar.JarVerifier.update(JarVerifier.java:211)
    at java.util.jar.JarVerifier$VerifierStream.<init>(JarVerifier.java:457)
    at java.util.jar.JarFile.getInputStream(JarFile.java:464)
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown
Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)


If I use jarsigner -verify (from 8u141) on that file it does not show a
problem. The file also worked with 8u131.

We signed that file ourself and I am not sure when the broken entry is
generated, it looks like:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Built-By: oleg
Maven-Version: 1.1
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)

Name: org/apache/commons/httpclient/Header.class
SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=
...
Name: org/apache/commons/httpclient/methods/multipart/PartSource.class
SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=

Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Implementation-Version: 3.1
X-Compile-Target-JDK: 1.2
Specification-Vendor: Apache Software Foundation
Specification-Title: Jakarta Commons HttpClient
Implementation-Vendor-Id: org.apache
Extension-name: org.apache.commons.httpclient
X-Compile-Source-JDK: 1.2
Specification-Version: 3.1
Implementation-Vendor: Apache Software Foundation

Name: org/apache/commons/httpclient/methods/multipart/FilePart.class
SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=
...

This structure is created by JAR signer becaue the original apache artifact
manifest looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)
Built-By: oleg
Maven-Version: 1.1

Name: org/apache/commons/httpclient
Extension-name: org.apache.commons.httpclient
Specification-Title: Jakarta Commons HttpClient
Specification-Vendor: Apache Software Foundation
Specification-Version: 3.1
Implementation-Title: org.apache.commons.httpclient
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 3.1
Implementation-Vendor-Id: org.apache
X-Compile-Source-JDK: 1.2
X-Compile-Target-JDK: 1.2

I think different jarsigner versions behave differently, some remove that
section.

jarsigner -verify should be as strict as JWS. JWS should probalbly ignroe
sections like that like before.

Gruss
Bernd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20170719/07d88529/attachment.htm>


More information about the security-dev mailing list