RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories
Eirik Bjorsnos
duke at openjdk.org
Sat Jan 14 12:17:09 UTC 2023
On Fri, 13 Jan 2023 22:36:01 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>>
>> The mentioned call sites need updates to check and ignore such files.
>>
>> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
>
> src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:
>
>> 978: * Returns true iff the entry resides directly in the META-INF/ directory
>> 979: */
>> 980: private boolean isInMetaInf(ZipEntry ze) {
>
> Maybe move this method and the one in `JarVerifier` to a common place like `sun.security.util.SignatureFileVerifier`?
This duplicated check annoyed me also, but the existing checks have different behavior:
- JarVerifier.beginEntry normalizes the path to uppercase, then checks that it starts with "META-INF/" or "/META-INF/"
- JarSigner.sign0 does not normalize to uppercase, then checks that the path starts with "META-INF/"
Introducing a common method would need to change the behaviour of one of these methods. This change of behaviour would not be relevant to the bug being fixed in this PR.
Since I'm cautious of changing behaviour, I decided to keep the two methods.
-------------
PR: https://git.openjdk.org/jdk/pull/11976
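
As an added illustration (not code from the JDK or from this thread), the two prefix checks described in the message above are shown next to a check for "directly in META-INF/", run over constructed entry names. The class name, method names and the extension list are assumptions made for this example.

```java
import java.util.List;
import java.util.Locale;

public class MetaInfCheckDemo {
    // Prefix check as the message describes for JarVerifier.beginEntry:
    // uppercase the name, then accept "META-INF/" or "/META-INF/".
    static boolean prefixUppercased(String name) {
        String u = name.toUpperCase(Locale.ENGLISH);
        return u.startsWith("META-INF/") || u.startsWith("/META-INF/");
    }

    // Prefix check as the message describes for JarSigner.sign0:
    // no case normalization, "META-INF/" only.
    static boolean prefixExact(String name) {
        return name.startsWith("META-INF/");
    }

    // Hypothetical stricter check: the entry sits directly in META-INF/,
    // i.e. nothing after the prefix contains another '/'.
    static boolean directlyInMetaInf(String name) {
        String u = name.toUpperCase(Locale.ENGLISH);
        if (u.startsWith("/")) u = u.substring(1);
        if (!u.startsWith("META-INF/")) return false;
        String rest = u.substring("META-INF/".length());
        return !rest.isEmpty() && rest.indexOf('/') < 0;
    }

    // Assumed extension list for signature-related files (illustration only).
    static boolean hasSignatureExtension(String name) {
        String u = name.toUpperCase(Locale.ENGLISH);
        return u.endsWith(".SF") || u.endsWith(".RSA")
            || u.endsWith(".DSA") || u.endsWith(".EC");
    }

    public static void main(String[] args) {
        // Constructed entry names, not taken from any real JAR.
        List<String> names = List.of(
            "META-INF/SIGNER.SF", "META-INF/sub/SIGNER.SF",
            "meta-inf/SIGNER.RSA", "/META-INF/SIGNER.RSA",
            "META-INF/MANIFEST.MF", "lib/META-INF/SIGNER.SF");
        for (String n : names) {
            System.out.printf("%-24s upper=%-5b exact=%-5b direct=%-5b sigExt=%b%n",
                n, prefixUppercased(n), prefixExact(n),
                directlyInMetaInf(n), hasSignatureExtension(n));
        }
    }
}
```

The rows where the two prefix columns disagree are the behavioural difference a shared helper would have to resolve. The row for `META-INF/sub/SIGNER.SF` passes both prefix checks and the extension check while failing the direct-child check.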