RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v6]
Weijun Wang
weijun at openjdk.org
Tue Jan 17 16:14:34 UTC 2023
On Sat, 14 Jan 2023 12:14:54 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:
>> src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:
>>
>>> 978: * Returns true iff the entry resides directly in the META-INF/ directory
>>> 979: */
>>> 980: private boolean isInMetaInf(ZipEntry ze) {
>>
>> Maybe move this method and the one in `JarVerifier` to a common place like `sun.security.util.SignatureFileVerifier`?
>
> This duplicated check annoyed me also, but the existing checks have different behavior:
>
> - JarVerifier.beginEntry normalizes the path to uppercase, them checks that it starts with "META-INF/" or "/META-INF/"
> - JarSigner.sign0 does not normalize to uppercase , then checks that the path starts with "META-INF/"
>
> Introducing a common method would need change behaviour of one of these methods. This change of behaviour would not be relevant to the bug being fixed in this PR.
>
> Since I'm cautious of changing behaviour, I decided to keep the two methods.
While `JarSigner` has not normalize to uppercase, the check is the same. As for `/META-INF/`, it must be very broken now since `JarFile::maybeInstantiateVerifier` is using `JUZFA.getManifestName(this,true)` to read the manifest and `ZipFile` will not see the signature-related files. We can probably clean these up in a different PR.
-------------
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev
mailing list