RFR: 8280409: JarFile::getInputStream can fail with NPE accessing ze.getName() [v4]

Lance Andersen lancea at openjdk.java.net
Fri Feb 18 17:18:56 UTC 2022


On Fri, 18 Feb 2022 17:05:53 GMT, Alan Bateman <alanb at openjdk.org> wrote:

> > > The updated changes to ZipFile/JarFile look okay. I don't have time to study the test too closely right now but it will need to include instructions on how to re-create the signed JAR that is stored in the byte array.
> > 
> > 
> > Those instructions are already in the comments for the constant `SIGNED_VALID_ENTRY_NAME`.
> 
> That's the keytool command to sign the JAR. What I meant is the complete steps to create the JAR file, sign it, and then create the byte array.


The `createByteArray` method which is at the bottom of the test class documents how the byte array can be made from a jar.

The signed jar is created using the steps defined in `SIGNED_VALID_ENTRY_NAME` from the jar derived from `VALID_ENTRY_NAME`.

If you feel there is still something lacking for documentation, I can certainly make another pass to clarify/add it, but I tried to cover the steps (but I also understand what might be obvious to me might not be as obvious as I thought).

-------------

PR: https://git.openjdk.java.net/jdk/pull/7348


