RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories
Weijun Wang
weijun at openjdk.org
Fri Jan 13 22:40:12 UTC 2023
On Thu, 12 Jan 2023 18:44:26 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:
> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>
> The mentioned call sites needs updates to check and ignore such files.
>
> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
Just some comments before the end of week.
src/java.base/share/classes/java/util/zip/ZipFile.java line 1748:
> 1746: .isBlockOrSF(new String(name, off, len, UTF_8.INSTANCE)
> 1747: .toUpperCase(Locale.ENGLISH)));
> 1748:
How about updating `SignatureFileVerifier.isBlockOrSF` so that it only returns true for files inside `META-INF/`. This way it's consistent to this method.
src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:
> 978: * Returns true iff the entry resides directly in the META-INF/ directory
> 979: */
> 980: private boolean isInMetaInf(ZipEntry ze) {
Maybe move this method and the one in `JarVerifier` to a common place like `sun.security.util.SignatureFileVerifier`?
test/jdk/java/util/jar/JarFile/VerifyUnrelatedSignatureFiles.java line 61:
> 59: File j = createJarFile();
> 60: File s = signJarFile(j, "signed");
> 61: File m = moveSignatureRelated(s);
Try sign it again to a different file. Let's see if the moved files are also signed.
-------------
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev
mailing list