RFR: 8280409: JarFile::getInputStream can fail with NPE accessing ze.getName() [v4]
Lance Andersen
lancea at openjdk.java.net
Fri Feb 18 17:18:56 UTC 2022
On Fri, 18 Feb 2022 17:05:53 GMT, Alan Bateman <alanb at openjdk.org> wrote:
> > > The updated changes to ZipFile/JarFile look okay. I don't have time to study the test too closely right now but it will need to include instructions on how to re-create the signed JAR that is stored in the byte array.
> >
> >
> > Those instructions are already in the comments for the constant `SIGNED_VALID_ENTRY_NAME`
>
> That's the keytool command to sign the JAR. What I meant is the complete steps to create the JAR file, sign it, and then create the byte array.
The `createByteArray` method which is at the bottom of the test class documents how the byte array can be made from a jar.
The signed jar is created using the steps defined in `SIGNED_VALID_ENTRY_NAME` from the jar derived from `VALID_ENTRY_NAME`.
If you feel there is still something lacking for documentation, I can certainly make another pass to clarify/add it, but I tried to cover the steps (but I also understand what might be obvious to me might not be as obvious as I thought).
-------------
PR: https://git.openjdk.java.net/jdk/pull/7348