jar verification regression Oracle 8u141

Reto Merz reto.merz at abacus.ch
Wed Jul 19 15:01:29 UTC 2017


Our webstart app is also killed by this issue.
 
Tested with:
Java u141 b15 (FAIL)
Java u141 b32 (FAIL)
Java u131 b11 (OK)
 
Regards
Reto
 
 
Von: security-dev [mailto:security-dev-bounces at openjdk.java.net] Im Auftrag von Bernd
Gesendet: Mittwoch, 19. Juli 2017 14:01
An: security-dev at openjdk.java.net
Betreff: jar verification regression Oracle 8u141
 
Hello,
after upgrading Java Web Start to 8u141 an application fails to start with a JAR verification error:

com.sun.deploy.net.JARSigningException: Signatur konnte nicht verifiziert werden in Ressource: http://localhost:10000/seeburger/app/commons-httpclient.jar
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)
    at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

java.lang.SecurityException: digest missing for org/apache/commons/httpclient
    at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)
    at java.util.jar.JarVerifier.update(JarVerifier.java:211)
    at java.util.jar.JarVerifier$VerifierStream.<init>(JarVerifier.java:457)
    at java.util.jar.JarFile.getInputStream(JarFile.java:464)
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)

If I use jarsigner -verify (from 8u141) on that file it does not show a problem. The file also worked with 8u131.
We signed that file ourself and I am not sure when the broken entry is generated, it looks like:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Built-By: oleg
Maven-Version: 1.1
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)

Name: org/apache/commons/httpclient/Header.class
SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=
...
Name: org/apache/commons/httpclient/methods/multipart/PartSource.class
SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=

Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Implementation-Version: 3.1
X-Compile-Target-JDK: 1.2
Specification-Vendor: Apache Software Foundation
Specification-Title: Jakarta Commons HttpClient
Implementation-Vendor-Id: org.apache
Extension-name: org.apache.commons.httpclient
X-Compile-Source-JDK: 1.2
Specification-Version: 3.1
Implementation-Vendor: Apache Software Foundation

Name: org/apache/commons/httpclient/methods/multipart/FilePart.class
SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=
...
This structure is created by JAR signer becaue the original apache artifact manifest looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)
Built-By: oleg
Maven-Version: 1.1

Name: org/apache/commons/httpclient
Extension-name: org.apache.commons.httpclient
Specification-Title: Jakarta Commons HttpClient
Specification-Vendor: Apache Software Foundation
Specification-Version: 3.1
Implementation-Title: org.apache.commons.httpclient
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 3.1
Implementation-Vendor-Id: org.apache
X-Compile-Source-JDK: 1.2
X-Compile-Target-JDK: 1.2
I think different jarsigner versions behave differently, some remove that section.
jarsigner -verify should be as strict as JWS. JWS should probalbly ignroe sections like that like before.
 
Gruss
Bernd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20170719/78bd3768/attachment.html>


More information about the security-dev mailing list