Re: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

Fri, 13 Jan 2023 12:48:24 -0800

Sure, no problem. I filed https://bugs.openjdk.org/browse/JDK-8300140 for this issue. 

Thanks,
Sean

On 1/13/23 12:22 PM, Eirik Bjørsnøs wrote:

Sean,

I'm not an Author (yet! :), so I can't log in to JBS and create issues.
I guess the title and description of the draft PR could serve as a starting point for a bug. 

Note that the Jar File Specification does explicitly say:
"Note that if such files are located in META-INF subdirectories, they are not considered signature-related" 

Thanks,
Eirik.
On Fri, Jan 13, 2023 at 6:17 PM Sean Mullan <sean.mul...@oracle.com <mailto:sean.mul...@oracle.com>> wrote: 

    Off hand it seems like a bug to me, can you file one? The jar
    specification says that the SF file resides in the META-INF directory
    and says nothing about subdirectories.

    --Sean

    On 1/13/23 6:40 AM, Eirik Bjørsnøs wrote:
     > Thanks for forwarding me to the right list, Alan
     >
     > For context, I posted a follow-up on the core-libs-dev thread
    yesterday
     > showing that some other methods have the same problem:
     >
     >
    https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html 
<https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html> 
<https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html 
<https://mail.openjdk.org/pipermail/core-libs-dev/2023-January/098656.html>>
     >
     > And here's a draft PR for a fix, including a test which provokes the
     > various code paths:
     >
     > https://github.com/openjdk/jdk/pull/11976
    <https://github.com/openjdk/jdk/pull/11976>
     > <https://github.com/openjdk/jdk/pull/11976
    <https://github.com/openjdk/jdk/pull/11976>>
     >
     > Cheers,
     > Eirik.
     >
     >
     > On Fri, Jan 13, 2023 at 9:32 AM Alan Bateman
    <alan.bate...@oracle.com <mailto:alan.bate...@oracle.com>
     > <mailto:alan.bate...@oracle.com
    <mailto:alan.bate...@oracle.com>>> wrote:
     >
     >
     >     Forwarding to security-dev as that is where issues around signed
     >     JARs are usually discussed.
     >
     >     -Alan.
     >
     >
     >     On 10/01/2023 17:00, Eirik Bjørsnøs wrote:
     >>     Hi,
     >>
     >>     ZipFile.isSignatureRelated currently returns true for paths such
     >>     as the following:
     >>
>>  META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA 
     >>
     >>     While this path does start with "META-INF/" and ends with
    ".DSA",
     >>     the file does not live in the META-INF/ directory
    _directly_, but
     >>     rather several directories below.
     >>
     >>     This causes such .DSA files to be incorrectly (?) included
    in the
     >>     verification of META-INF/MANIFEST.MF in
     >>     JarFile.initializeVerifier, which then fails with:
     >>
     >>         Exception in thread "main" java.lang.SecurityException:
     >>         Invalid signature file digest for Manifest main attributes
     >>         at
>>  java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:340) 
     >>         at
>>  java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:282) 
     >>         at
>>  java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:327) 
     >>         at
>>  java.base/java.util.jar.JarVerifier.update(JarVerifier.java:239) 
     >>         at
>>  java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:760) 
     >>         at
>>  java.base/java.util.jar.JarFile.ensureInitialization(JarFile.java:1058) 
     >>         at
>>  java.base/java.util.jar.JavaUtilJarAccessImpl.ensureInitialization(JavaUtilJarAccessImpl.java:72) 
     >>         at
>>  java.base/jdk.internal.loader.URLClassPath$JarLoader$2.getManifest(URLClassPath.java:883) 
     >>         at
>>  java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:848) 
     >>         at
>>  java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760) 
     >>         at
>>  java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681) 
     >>         at
>>  java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639) 
     >>         at
>>  java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) 
     >>         at
>>  java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) 
     >>
     >>
     >>     A few questions:
     >>
     >>     1: Where Is the exact location of signature related files
    specified?
     >>
     >>     2: Is the current behaviour indeed incorrect?
     >>
     >>     3: Should ZipFile.isSignatureRelated be updated such that it
    only
     >>     matches signature related files which reside exactly in
    "META-INF/" ?
     >>
     >>     The context for this is that I'm making a fat jar Maven plugin
     >>     which embeds dependency jars by "unpacking" them into
     >>     subdirectories of META-INF/libraries/.
     >>
     >>     Cheers,
     >>     Eirik.
     >

Reply via email to