RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v7]

Eirik Bjorsnos duke at openjdk.org
Wed Jan 18 09:47:29 UTC 2023


> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
> 
> The mentioned call sites needs updates to check and ignore such files.
> 
> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.

Eirik Bjorsnos has updated the pull request incrementally with four additional commits since the last revision:

 - Introduce SignatureFileVerifier.isInMetaInf as a common method to replace duplicated logic in JarVerifier, JarSigner and SignatureFileVerifier.isSigningRelated.
   
   This introduces two subtle behavioural changes:
   
   - JarSigner is relaxed to ignore case when checking isInMetaInf, meaning "meta-inf/" files will now be moved to the beginning of the signed JAR
   - JarVerifier is tightened to reject /META-INF/ as not in META-INF/. This is believed to have little impact, since ZipFile.Source.isMetaName already rejects such paths.
 - jarsigner -verify should also ignore unrelated signature files
 - Style: Added whitespace separators between keyword and left parenthesis for try,while,if.Removed final accessors for some local variables.
 - Replacing File.createTempFile with Path.of lets jtreg handle retention of JARs created during the test

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/11976/files
  - new: https://git.openjdk.org/jdk/pull/11976/files/808d1f41..eadcc2c0

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=06
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=05-06

  Stats: 114 lines in 5 files changed: 48 ins; 24 del; 42 mod
  Patch: https://git.openjdk.org/jdk/pull/11976.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/11976/head:pull/11976

PR: https://git.openjdk.org/jdk/pull/11976



More information about the security-dev mailing list