ZipFile.isSignatureRelated returns true for files in META-INF subdirectories
Sean Mullan
sean.mullan at oracle.com
Fri Jan 13 17:17:18 UTC 2023
Off hand it seems like a bug to me, can you file one? The jar
specification says that the SF file resides in the META-INF directory
and says nothing about subdirectories.
--Sean
On 1/13/23 6:40 AM, Eirik Bjørsnøs wrote:
> Thanks for forwarding me to the right list, Alan
>
> For context, I posted a follow-up on the core-libs-dev thread yesterday
> showing that some other methods have the same problem:
>
> https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html <https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html>
>
> And here's a draft PR for a fix, including a test which provokes the
> various code paths:
>
> https://github.com/openjdk/jdk/pull/11976
> <https://github.com/openjdk/jdk/pull/11976>
>
> Cheers,
> Eirik.
>
>
> On Fri, Jan 13, 2023 at 9:32 AM Alan Bateman <Alan.Bateman at oracle.com
> <mailto:Alan.Bateman at oracle.com>> wrote:
>
>
> Forwarding to security-dev as that is where issues around signed
> JARs are usually discussed.
>
> -Alan.
>
>
> On 10/01/2023 17:00, Eirik Bjørsnøs wrote:
>> Hi,
>>
>> ZipFile.isSignatureRelated currently returns true for paths such
>> as the following:
>>
>> META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA
>>
>> While this path does start with "META-INF/" and ends with ".DSA",
>> the file does not live in the META-INF/ directory _directly_, but
>> rather several directories below.
>>
>> This causes such .DSA files to be incorrectly (?) included in the
>> verification of META-INF/MANIFEST.MF in
>> JarFile.initializeVerifier, which then fails with:
>>
>> Exception in thread "main" java.lang.SecurityException:
>> Invalid signature file digest for Manifest main attributes
>> at
>> java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:340)
>> at
>> java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:282)
>> at
>> java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:327)
>> at
>> java.base/java.util.jar.JarVerifier.update(JarVerifier.java:239)
>> at
>> java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:760)
>> at
>> java.base/java.util.jar.JarFile.ensureInitialization(JarFile.java:1058)
>> at
>> java.base/java.util.jar.JavaUtilJarAccessImpl.ensureInitialization(JavaUtilJarAccessImpl.java:72)
>> at
>> java.base/jdk.internal.loader.URLClassPath$JarLoader$2.getManifest(URLClassPath.java:883)
>> at
>> java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:848)
>> at
>> java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
>> at
>> java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
>> at
>> java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
>> at
>> java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
>> at
>> java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
>>
>>
>> A few questions:
>>
>> 1: Where Is the exact location of signature related files specified?
>>
>> 2: Is the current behaviour indeed incorrect?
>>
>> 3: Should ZipFile.isSignatureRelated be updated such that it only
>> matches signature related files which reside exactly in "META-INF/" ?
>>
>> The context for this is that I'm making a fat jar Maven plugin
>> which embeds dependency jars by "unpacking" them into
>> subdirectories of META-INF/libraries/.
>>
>> Cheers,
>> Eirik.
>
More information about the security-dev
mailing list